#kolide

seph

04/25/2020, 2:06 AM
dover:launcher seph$ ./build/package-builder make --hostname=localhost --enroll_secret=secret --insecure --insecure_transport --targets linux-systemd-deb --package_version 1
Built packages in /tmp/launcher-package071939396

dover:launcher seph$ /usr/local/Cellar/binutils/2.33.1/bin/ar -p /tmp/launcher-package071939396/launcher.linux-systemd-deb.deb  data.tar.gz | tar tzf - | grep osq
./usr/local/launcher/bin/osqueryd
./usr/local/launcher/bin/osquery-extension.ext

KryptoNyte

04/25/2020, 10:15 PM
This would actually allow this to be built so that there's no need to install it as root, e.g. replace the paths to be in user space, I suppose...
I wonder, for example, if that would be possible on Windows as well, so that the service could be started/stopped by the user without admin rights...

seph

04/25/2020, 10:27 PM
A bunch of the things osquery (and launcher) want to read require root access. So it's most common to run that way.

sundsta

04/25/2020, 11:03 PM
@seph In my experience you don't need root on Linux if you grant the service CAP_DAC_READ_SEARCH.
I did, however, run into issues with obtaining any events from the Linux audit framework if I wasn't running as root.

seph

04/25/2020, 11:05 PM
Yeah, that's true. I forget that a bunch can happen through capabilities.

KryptoNyte

04/26/2020, 5:06 PM
I think it's best to require root to avoid problems 🙂

seph

04/27/2020, 3:14 PM
Depends… Not needing root is a pretty cool security measure, and important to some environments. But it’s extra work if you don’t need it.