fleet carving feedback <thread>
# fleetn
nyanshak
12/18/2020, 10:20 PMfleet carving feedback <thread>
nyanshak
12/18/2020, 10:21 PMwhen I run
fleetctl get carvesnyanshak
12/18/2020, 10:22 PMAlso - when thinking about "more granular user permissions", one thing that clearly stands out is whether someone can run file carving queries... This is like a data exfil dream.
nyanshak
12/18/2020, 10:23 PM(to expand on more granular user permissions):
• RBAC, with custom defined roles
• be able to limit who can edit options, saml, editing labels, additional host data queries, etc.
• limit who can run distributed queries, where they can run them (static list, label, etc)
• limit who can run file carving queries
nyanshak
12/18/2020, 10:27 PMThe feedback from fleetctl when running the query is strange.
I see:
Copy code
{
"host": "<hostname>",
"rows": []
}nyanshak
12/18/2020, 10:30 PMI'm not sure if it's not supported by fleet or if I just don't understand file carving (I haven't used it at all prior to fleet's support)
nyanshak
12/18/2020, 10:31 PMBut... I can't seem to get multiple files.
e.g.:
Copy code
SELECT * FROM carves WHERE path LIKE '/some/path/%' AND carve=1; Copy code
SELECT carve(path) FROM file WHERE directory LIKE '/some/path/%' AND mode='0755' AND type='regular';nyanshak
12/18/2020, 10:32 PM<fin>
nyanshak
12/18/2020, 10:37 PM(feedback is from fleet version 3.5.0)
z
zwass
12/19/2020, 12:19 AM
Hey Brendan, thanks for the feedback. Some of this is due to limitations of the carving implementation in osquery, though most of it can be addressed in Fleet (and/or osquery itself).
zwass
12/19/2020, 12:22 AM
[]zwass
12/19/2020, 12:25 AM
IIRC the first query you have above there (or something like it) should get all the files in the directory. I know I was able to carve multiple files when I was testing out this feature. Perhaps you need to use a subquery to expand the glob? Like
SELECT * FROM carves WHERE carve=1 AND path IN (SELECT path FROM file WHERE path LIKE '/some/path/%');n
nyanshak
12/19/2020, 4:03 AM Copy code
$ cat /tmp/carve.txt
This is a super secret file
$ cat /tmp/carve2.txt
the most super secret carve file #2
osqueryi
Using a virtual database. Need help, type '.help'
osquery> select path from file where path LIKE "/tmp/carve%";
+-----------------+
| path |
+-----------------+
| /tmp/carve.txt |
| /tmp/carve/ |
| /tmp/carve2.txt |
| /tmp/carve3.txt |
+-----------------+
$ fleetctl query --hosts "myhost" --query 'SELECT * FROM carves WHERE carve = 1 AND path IN (SELECT path FROM file WHERE path LIKE "/tmp/carve%";' --context default
{"host":"myhost","rows":[]}
100% responded (100% online) | 1/1 targeted hosts (1/1 online)
$ fleetctl get carves --context default
No carves found
$ fleetctl query --hosts "myhost" --query 'SELECT * FROM carves WHERE carve = 1 AND path = "/tmp/carve.txt";' --context default
{"host":"myhost","rows":[]}
$ fleetctl get carves --context default
+----+-------------------------------+----------------------------+------------+------------+
| ID | CREATED AT | REQUEST ID | CARVE SIZE | COMPLETION |
+----+-------------------------------+----------------------------+------------+------------+
| 1 | 2020-12-18 22:01:49 -0600 CST | kolide_distributed_query_8 | 2048 | 100% |
+----+-------------------------------+----------------------------+------------+------------+nyanshak
12/19/2020, 4:03 AM🤷 just tried again with a few variations
nyanshak
12/19/2020, 4:04 AMI can get single files but can't seem to get multiple files
nyanshak
12/19/2020, 4:04 AMalso - first time trying
fleetctl preview👍 1
nyanshak
12/19/2020, 4:05 AM(and when I got the new carve, it says carve size is 2048, but the file is only 28 bytes, which is interesting? 🤷
edit: seems that's just tar overhead nvm
9 Views