Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
s
SK
12/21/2020, 11:28 AMHey guys, has anyone used the 'ntfs_acl_permissions' table? Can't seem to figure out how it should be used,
select * from ntfs_acl_permissions where path LIKEs
seph
12/21/2020, 1:42 PMDoes it work with an explicit path? A common osquery pattern is to require path, and if you want wildcards join against the file table for that expansion
s
SK
12/21/2020, 1:48 PMHey @seph I also tried with different paths and there are no results, are there any specific requirements to get NTFS ACL results?
Commands Get-Acl and icacls both give me NTFS ACL data but the query does not give me anything.
f
fritz
12/21/2020, 2:53 PM@SK What does your path look like? Can we see an example query?
s
SK
12/21/2020, 2:54 PMThe one I use to test.
select * from ntfs_acl_permissions where path = 'C:\Program Files\osquery\osqueryi.exe';Results from Get-Acl
> Get-Acl -Path 'C:\Program Files\osquery\osqueryi.exe'
Directory: C:\Program Files\osquery
Path Owner Access
---- ----- ------
osqueryi.exe NT AUTHORITY\SYSTEM NT AUTHORITY\SYSTEM Allow FullControl...f
fritz
12/21/2020, 4:32 PM@SK my windows internals knowledge is not terrific, however i just did some of my own testing and it appears that certain files will produce output and others will not.
For example on your test device try running:
select * from ntfs_acl_permissions where path = '\Program Files'You should see results
s
seph
12/21/2020, 4:45 PMI’ve seen this as well, and I’ve always assumed it’s that I don’t understand which things are ntfs acls, vs some other windows filesysytem acl.
s
SK
12/21/2020, 7:11 PMThat is interesting....
> select * from ntfs_acl_permissions where path = 'C:\Program Files\';
+-------------------+-------+-------------------------------------+--------------------------------------------------------------------------------------------------------------+----------------+
| path | type | principal | access | inherited_from |
+-------------------+-------+-------------------------------------+--------------------------------------------------------------------------------------------------------------+----------------+
| C:\Program Files\ | Grant | TrustedInstaller | Specific Rights All,Delete,Read Control,Write DAC,Write Owner,Std Rights Required,Synchronize,Std Rights All | No Inheritance |
| C:\Program Files\ | Grant | TrustedInstaller | Generic All | Unknown |f
fritz
12/21/2020, 7:21 PMThat was the behavior which I encountered.
I know nothing about ntfs acl so I can't comment on what the expected behavior should be.
s
SK
12/21/2020, 7:27 PMThanks for your help @fritz, I thought i understood NTFS ACLs but this table does not work as I would have expected, it might need a rework, but I am not knowledgeable enough to do it.
m
Mike Myers
12/21/2020, 8:42 PMFiles do have ACLs, this is probably an osquery bug
➕ 1
s
SK
12/21/2020, 8:47 PM@Mike Myers I also think so, and I couldn't get deeper into "program files" I will file a bug report for this
👍 1