#linux
theopolis

06/22/2020, 9:22 PM
I wish I could answer your question specifically but I've never seen that error. I'm not at a computer right now so I cannot provide examples, but I wanted to ask a set of standard audit questions like the output of the audit control summary, if any other audit-related processes were running, what your osquery config looks like (maybe more questions I cannot remember right now).
9:23 PM
Then I thought, "we should really have a 'run these 4 commands' to help us debug audit problems as a group" in the documentation.
Fran Rodríguez

06/25/2020, 4:56 PM
@theopolis sorry for the delay
4:57 PM
the osquery configuration
4:57 PM
//
// Ansible managed
//
{
  // Configure the daemon below:
  "options": {
    // Select the osquery config plugin.
    "config_plugin": "filesystem",

    // Select the osquery logging plugin.
    "logger_plugin": "syslog",

    // The log directory stores info, warning, and errors.
    // If the daemon uses the 'filesystem' logging retriever then the log_dir
    // will also contain the query results.
    "logger_path": "/var/log/osquery",

    // Set 'disable_logging' to true to prevent writing any info, warning, error
    // logs. If a logging plugin is selected it will still write query results.
    "disable_logging": "False",

    // Query differential results are logged as change-events to assist log
    // aggregation operations like searching and transactions.
    // Set 'log_result_events' to log differentials as transactions.
    //"log_result_events": "true",

    // Splay the scheduled interval for queries.
    // This is very helpful to prevent system performance impact when scheduling
    // large numbers of queries that run at smaller or similar intervals.
    "schedule_splay_percent": "10",

    // Write the pid of the osqueryd process to a pidfile/mutex.
    //"pidfile": "/var/osquery/osquery.pidfile",

    // Clear events from the osquery backing store after a number of seconds.
    "events_expiry": "1",

    // A filesystem path for disk-based backing storage used for events and
    // query results differentials. See also 'use_in_memory_database'.
    "database_path": "/var/osquery/osquery.db",

    // Comma-delimited list of table names to be disabled.
    // This allows osquery to be launched without certain tables.
    //"disable_tables": "foo_bar,time",

    // Enable debug or verbose debug output when logging.
    "verbose": "True",

    // The number of threads for concurrent query schedule execution.
    "worker_threads": "2",

    // Enable OS eventing publish subscribe APIs.
    "disable_events": "False",

    // Enable OS auditing
    "disable_audit": "false",
    "audit_allow_config": "true",
    "audit_allow_process_events": "true",
    "audit_allow_sockets": "true",

    "logger_snapshot_event_type": "True"
  },

  // Define a schedule of queries:
  "schedule": {
    // This is a simple example query that outputs basic system information.
    "system_info": {
      // The exact query to run.
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      // The interval in seconds to run this query, not an exact interval.
      "interval": 3600
    },
    "fim" : {
      "query": "select * from file_events;",
      "removed": false,
      "interval": 300
    },

    "process_events":{
      "query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';",
      "interval": 300
    },
    "socket_events":{
      "query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');",
      "interval": 300
    }
  },

  "file_paths": {
    "homes_sshdir": [
      "/root/.ssh/%%",
      "/home/%/.ssh/%%"
    ],
    "bin": [
      "/bin/%%",
      "/sbin/%%",
      "/usr/bin/%%",
      "/usr/sbin/%%",
      "/usr/local/bin/%%",
      "/usr/local/sbin/%%"
    ],
    "boot": [
      "/boot/%%"
    ],
    "lost+found": [
      "/lost+found/%"
    ],
    "roothome": [
      "/root/%%"
    ]
  },
// very noisy, <https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/#file-accesses>
//  "file_accesses": ["etc", "root"]
  "exclude_paths": {
    "tmp": [
      "/tmp/too_many_events/"
    ]
  },

  // Decorators are normal queries that append data to every query.
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  },

  // Add default osquery packs or install your own.
  //
  // There are several 'default' packs installed with 'make install' or via
  // packages and/or Homebrew.
  //
  // Linux:        /usr/share/osquery/packs
  // OS X:         /var/osquery/packs
  // Homebrew:     /usr/local/share/osquery/packs
  // make install: {PREFIX}/share/osquery/packs
  //
  "packs": {
//    "incident-response": "/usr/share/osquery/packs/incident-response.conf",
//    "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
//    "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf",
//    "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
//    "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf",
//    "osquery-custom-pack": "/usr/share/osquery/packs/osquery-custom-pack.conf",
//    "osquery-snapshots-pack": "/usr/share/osquery/packs/osquery-snapshots-pack.conf",
//    "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf"
  }
}
4:57 PM
flags
4:57 PM
#
# Ansible managed
#
--pidfile=/var/run/osqueryd.pid
--logger_event_type=true
--disable_watchdog=true
--watchdog_memory_limit=512
--watchdog_utilization_limit=300
--watchdog_delay=300
--events_max=50000
--utc=true
#--disable_audit=false
#--audit_allow_config=true
#--audit_allow_process_events=true
--audit_persist=true
--audit_debug=true
--logger_syslog_facility=19
--docker_socket=/var/run/docker.sock
4:58 PM
auditd rules
4:58 PM
-a never,exit -S all -F auid<100
-a never,exit -S all -F uid<100
-a never,exclude -F msgtype=CWD
-a never,exclude -F msgtype=USER_ACCT
-a never,exclude -F msgtype=CONFIG_CHANGE
-a never,exclude -F msgtype=SERVICE_START
-a never,exclude -F msgtype=SERVICE_STOP
-a never,exclude -F msgtype=PROCTITLE
4:59 PM
for now, the osquery audit rules are not there, but when I activate the osquery audit configuration they are
4:59 PM
auditd status
4:59 PM
enabled 0
failure 1
pid 0
rate_limit 0
backlog_limit 0
lost 3155249
backlog 0
backlog_wait_time 60000
loginuid_immutable 0 unlocked
5:36 PM
I'm using an Ansible role which uses this system configuration for running osquery
5:37 PM
[Service]
# Add delay at restart for rocksdb backend
RestartSec=10
# Hardened options for osquery systemd
NoNewPrivileges=yes
PrivateTmp=true
ProtectHome=read-only
ProtectSystem=full
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
SystemCallFilter=futex mprotect read write open openat close stat fstat lstat lseek mmap munmap brk rt_sigaction rt_sigprocmask rt_sigreturn access alarm socket connect sendto clone execve unlink chmod getrlimit setpriority arch_prctl set_tid_address ioprio_set set_robust_list getcwd readlink fcntl wait4 getdents tgkill mkdir pread64 uname fdatasync madvise symlink fadvise64 readahead ioctl fallocate rename fsync socketpair sysinfo getsockname ftruncate inotify_init setsockopt flock inotify_add_watch poll bind shutdown statfs newfstatat _sysctl getuid getgid getpid geteuid getegid getppid prctl gettid nanosleep
5:38 PM
If I use it, I get two problems: • No auditd configuration • No osqueryd query results in the log
4:10 PM
@theopolis I found the problem here. In the configuration of auditd, the param rate_limit was configured to 0; I changed it to 1000 and now it goes more slowly, to 100% of CPU