```dover launcher seph$ build package builder make hostname= osquery #kolide

```dover:launcher seph$ ./build/package-builder ma...

seph

04/25/2020, 2:06 AM

Copy code

dover:launcher seph$ ./build/package-builder make --hostname=localhost --enroll_secret=secret --insecure --insecure_transport --targets linux-systemd-deb --package_version 1
Built packages in /tmp/launcher-package071939396

dover:launcher seph$ /usr/local/Cellar/binutils/2.33.1/bin/ar -p /tmp/launcher-package071939396/launcher.linux-systemd-deb.deb  data.tar.gz | tar tzf - | grep osq
./usr/local/launcher/bin/osqueryd
./usr/local/launcher/bin/osquery-extension.ext

👍 1

KryptoNyte

04/25/2020, 10:15 PM

This would actually allow this to be build so that there's even no need to install this as root, e.g. replace the paths to be in the user space I suppose...

KryptoNyte

04/25/2020, 10:16 PM

I wonder for example if that would be possible on windows as well, so that the service could be started/stopped by the user without admin rights...

seph

04/25/2020, 10:27 PM

A bunch of the things osquery (and launcher) want to read, require root access. So it's most common to run that way

sundsta

04/25/2020, 11:03 PM

@seph In my experience you don't need root on Linux if you grant the service

CAP_DAC_READ_SEARCH

sundsta

04/25/2020, 11:03 PM

I did however, run into issues with obtaining any events from the Linux audit framework if I wasn't running as root

seph

04/25/2020, 11:05 PM

Yeah, that's true. I forget that a bunch can happen through capabilities. .

KryptoNyte

04/26/2020, 5:06 PM

I think it's best to require root to avoid problem 🙂

seph

04/27/2020, 3:14 PM

depends… Not needing root is a pretty cool security measure, and important to some environments. But, it’s extra work if you don’t need it

2 Views

Open in Slack

Previous Next