Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
t
theopolis
06/22/2020, 9:22 PMI wish I could answer your question specifically but I've never seen that error. I'm not at a computer right now so I cannot provide examples, but I wanted to ask a set of standard audit questions like the output of the audit control summary, if any other audit-related processes were running, what your osquery config looks like (maybe more questions I cannot remember right now).
Then I thought, "we should really have a 'run these 4 commands' to help us debug audit problems as a group" in the documentation.
f
Fran Rodríguez
06/25/2020, 4:56 PM@theopolis sorry for the delay
the osquery configuration
//
// Ansible managed
//
{
// Configure the daemon below:
"options": {
// Select the osquery config plugin.
"config_plugin": "filesystem",
// Select the osquery logging plugin.
"logger_plugin": "syslog",
// The log directory stores info, warning, and errors.
// If the daemon uses the 'filesystem' logging retriever then the log_dir
// will also contain the query results.
"logger_path": "/var/log/osquery",
// Set 'disable_logging' to true to prevent writing any info, warning, error
// logs. If a logging plugin is selected it will still write query results.
"disable_logging": "False",
// Query differential results are logged as change-events to assist log
// aggregation operations like searching and transactons.
// Set 'log_results_events' to log differentials as transactions.
//"log_result_events": "true",
// Splay the scheduled interval for queries.
// This is very helpful to prevent system performance impact when scheduling
// large numbers of queries that run a smaller or similar intervals.
"schedule_splay_percent": "10",
// Write the pid of the osqueryd process to a pidfile/mutex.
//"pidfile": "/var/osquery/osquery.pidfile",
// Clear events from the osquery backing store after a number of seconds.
"events_expiry": "1",
// A filesystem path for disk-based backing storage used for events and
// query results differentials. See also 'use_in_memory_database'.
"database_path": "/var/osquery/osquery.db",
// Comma-delimited list of table names to be disabled.
// This allows osquery to be launched without certain tables.
//"disable_tables": "foo_bar,time",
// Enable debug or verbose debug output when logging.
"verbose": "True",
// The number of threads for concurrent query schedule execution.
"worker_threads": "2",
// Enable OS eventing publish subscribe APIs.
"disable_events": "False",
// Enable OS auditing
"disable_audit": "false",
"audit_allow_config": "true",
"audit_allow_process_events": "true",
"audit_allow_sockets": "true",
"logger_snapshot_event_type": "True"
},
// Define a schedule of queries:
"schedule": {
// This is a simple example query that outputs basic system information.
"system_info": {
// The exact query to run.
"query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
// The interval in seconds to run this query, not an exact interval.
"interval": 3600
},
"fim" : {
"query": "select * from file_events;",
"removed": false,
"interval": 300
},
"process_events":{
"query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';",
"interval": 300
},
"socket_events":{
"query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');",
"interval": 300
}
},
"file_paths": {
"homes_sshdir": [
"/root/.ssh/%%",
"/home/%/.ssh/%%"
],
"bin": [
"/bin/%%",
"/sbin/%%",
"/usr/bin/%%",
"/usr/sbin/%%",
"/usr/local/bin/%%",
"/usr/local/sbin/%%"
],
"boot": [
"/boot/%%"
],
"lost+found": [
"/lost+found/%"
],
"roothome": [
"/root/%%"
]
},
// very noisy, <https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/#file-accesses>
// "file_accesses": ["etc", "root"]
"exclude_paths": {
"tmp": [
"/tmp/too_many_events/"
]
},
// Decorators are normal queries that append data to every query.
"decorators": {
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
]
},
// Add default osquery packs or install your own.
//
// There are several 'default' packs installed with 'make install' or via
// packages and/or Homebrew.
//
// Linux: /usr/share/osquery/packs
// OS X: /var/osquery/packs
// Homebrew: /usr/local/share/osquery/packs
// make install: {PREFIX}/share/osquery/packs
//
"packs": {
// "incident-response": "/usr/share/osquery/packs/incident-response.conf",
// "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
// "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf",
// "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
// "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf",
// "osquery-custom-pack": "/usr/share/osquery/packs/osquery-custom-pack.conf",
// "osquery-snapshots-pack": "/usr/share/osquery/packs/osquery-snapshots-pack.conf",
// "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf"
}
}flags
#
# Ansible managed
#
--pidfile=/var/run/osqueryd.pid
--logger_event_type=true
--disable_watchdog=true
--watchdog_memory_limit=512
--watchdog_utilization_limit=300
--watchdog_delay=300
--events_max=50000
--utc=true
#--disable_audit=false
#--audit_allow_config=true
#--audit_allow_process_events=true
--audit_persist=true
--audit_debug=true
--logger_syslog_facility=19
--docker_socket=/var/run/docker.sockauditd rules
-a never,exit -S all -F auid<100
-a never,exit -S all -F uid<100
-a never,exclude -F msgtype=CWD
-a never,exclude -F msgtype=USER_ACCT
-a never,exclude -F msgtype=CONFIG_CHANGE
-a never,exclude -F msgtype=SERVICE_START
-a never,exclude -F msgtype=SERVICE_STOP
-a never,exclude -F msgtype=PROCTITLEfor now, osquery audit rules are not there but when activate osquery audit configuration they are
auditd status
enabled 0
failure 1
pid 0
rate_limit 0
backlog_limit 0
lost 3155249
backlog 0
backlog_wait_time 60000
loginuid_immutable 0 unlockedim using a ansible role which use this system configuration for runnning osquery
[Service]
# Add delay at restart for rocksdb backend
RestartSec=10
# Hardened options for osquery systemd
NoNewPrivileges=yes
PrivateTmp=true
ProtectHome=read-only
ProtectSystem=full
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
SystemCallFilter=futex mprotect read write open openat close stat fstat lstat lseek mmap munmap brk rt_sigaction rt_sigprocmask rt_sigreturn access alarm socket connect sendto clone execve unlink chmod getrlimit setpriority arch_prctl set_tid_address ioprio_set set_robust_list getcwd readlink fcntl wait4 getdents tgkill mkdir pread64 uname fdatasync madvise symlink fadvise64 readahead ioctl fallocate rename fsync socketpair sysinfo getsockname ftruncate inotify_init setsockopt flock inotify_add_watch poll bind shutdown statfs newfstatat _sysctl getuid getgid getpid geteuid getegid getppid prctl gettid nanosleepif i use it, i got two problems:
• No auditd configuration
• No osqueryd result querys in log
@theopolis i found the problem here. the configuration of auditd, the parama rate_limit was configurated to 0, i changed it to 1000 and now it goes more slowly, to 100% of CPU