Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
n
nyanshak
12/18/2020, 10:20 PMfleet carving feedback <thread>
when I run
fleetctl get carvesAlso - when thinking about "more granular user permissions", one thing that clearly stands out is whether someone can run file carving queries... This is like a data exfil dream.
(to expand on more granular user permissions):
• RBAC, with custom defined roles
• be able to limit who can edit options, saml, editing labels, additional host data queries, etc.
• limit who can run distributed queries, where they can run them (static list, label, etc)
• limit who can run file carving queries
The feedback from fleetctl when running the query is strange.
I see:
{
"host": "<hostname>",
"rows": []
}I'm not sure if it's not supported by fleet or if I just don't understand file carving (I haven't used it at all prior to fleet's support)
But... I can't seem to get multiple files.
e.g.:
SELECT * FROM carves WHERE path LIKE '/some/path/%' AND carve=1;SELECT carve(path) FROM file WHERE directory LIKE '/some/path/%' AND mode='0755' AND type='regular';<fin>
(feedback is from fleet version 3.5.0)
z
zwass
12/19/2020, 12:19 AMHey Brendan, thanks for the feedback. Some of this is due to limitations of the carving implementation in osquery, though most of it can be addressed in Fleet (and/or osquery itself).
[]IIRC the first query you have above there (or something like it) should get all the files in the directory. I know I was able to carve multiple files when I was testing out this feature. Perhaps you need to use a subquery to expand the glob? Like
SELECT * FROM carves WHERE carve=1 AND path IN (SELECT path FROM file WHERE path LIKE '/some/path/%');n
nyanshak
12/19/2020, 4:03 AM$ cat /tmp/carve.txt
This is a super secret file
$ cat /tmp/carve2.txt
the most super secret carve file #2
osqueryi
Using a virtual database. Need help, type '.help'
osquery> select path from file where path LIKE "/tmp/carve%";
+-----------------+
| path |
+-----------------+
| /tmp/carve.txt |
| /tmp/carve/ |
| /tmp/carve2.txt |
| /tmp/carve3.txt |
+-----------------+
$ fleetctl query --hosts "myhost" --query 'SELECT * FROM carves WHERE carve = 1 AND path IN (SELECT path FROM file WHERE path LIKE "/tmp/carve%";' --context default
{"host":"myhost","rows":[]}
100% responded (100% online) | 1/1 targeted hosts (1/1 online)
$ fleetctl get carves --context default
No carves found
$ fleetctl query --hosts "myhost" --query 'SELECT * FROM carves WHERE carve = 1 AND path = "/tmp/carve.txt";' --context default
{"host":"myhost","rows":[]}
$ fleetctl get carves --context default
+----+-------------------------------+----------------------------+------------+------------+
| ID | CREATED AT | REQUEST ID | CARVE SIZE | COMPLETION |
+----+-------------------------------+----------------------------+------------+------------+
| 1 | 2020-12-18 22:01:49 -0600 CST | kolide_distributed_query_8 | 2048 | 100% |
+----+-------------------------------+----------------------------+------------+------------+🤷 just tried again with a few variations
I can get single files but can't seem to get multiple files
also - first time trying
fleetctl preview👍 1
(and when I got the new carve, it says carve size is 2048, but the file is only 28 bytes, which is interesting? 🤷
edit: seems that's just tar overhead nvm