Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
t
Todor Petkov
03/17/2022, 4:21 PMHi, I am running osquery 5.2.2 on Debian10 and I don't see records in the file_events table. When running in verbose mode, I see messages like "Failed to set the netlink owner", which according to readthedocs can be due to auditd, but I don't have this running. Same config works on CentOS7. Any idea what am I missing?
a
alessandrogario
03/17/2022, 6:56 PMfile_events should be using inotify, so the netlink error is unrelated
You could try to look at the logs to make sure SELinux is not blocking osquery
I don't think the logs will work without auditd though
t
Todor Petkov
03/17/2022, 7:00 PMThanks, I will try with auditd
there is no warning from apparmor
a
alessandrogario
03/17/2022, 7:02 PMWhat is the output of
getenforceThere's a tutorial here on how to allow things manually: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/securit[…]y-enhanced_linux-fixing_problems-allowing_access_audit2allow
Additional note: if those systems have been upgraded from an older version of osquery, the configuration should now include a flag to enable file_events. It was previously not needed, but was causing conflicts with Audit
t
Todor Petkov
03/17/2022, 7:07 PMI don't have selinux on the debian machine
cat >> /etc/osquery/osquery.flags << EOF
--enable_file_events
EOF
cat >> /etc/osquery/osquery.conf << EOF
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"logger_path": "/var/log/osquery",
"disable_logging": "false",
"schedule_splay_percent": "10",
"pidfile": "/var/osquery/osquery.pidfile",
"events_expiry": "3600",
"database_path": "/var/osquery/osquery.db",
"verbose": "false",
"worker_threads": "2",
"disable_events": "false",
"enable_bpf_events": "true",
"enable_file_events": "true",
"disable_audit": "false",
"audit_allow_config": "true",
"host_identifier": "hakase-labs",
"enable_syslog": "true",
"syslog_pipe_path": "/var/osquery/syslog_pipe",
"force": "true",
"audit_allow_sockets": "true",
"schedule_default_interval": "3600"
},
"schedule": {
"crontab": {
"query": "SELECT * FROM crontab;",
"interval": 300
},
"system_info": {
"query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
"interval": 3600
},
"ssh_login": {
"query": "SELECT username, time, host FROM last WHERE type=7",
"interval": 360
}
},
"decorators": {
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
]
},
"packs": {
"osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
"fim": "/usr/share/osquery/packs/fim.conf"
}
}
EOF
cat >> /usr/share/osquery/packs/fim.conf << EOF
{
"queries": {
"file_events": {
"query": "SELECT * FROM file_events;",
"removed": false,
"interval": 10
}
},
"file_paths": {
"homes": [
"/root/.ssh/%%",
"/home/%/.ssh/%%"
],
"etc": [
"/etc/%%"
],
"tmp": [
"/tmp/%%"
],
"www": [
"/var/www/%%"
]
}
}
EOFthat's the code I am using, with small change of the path of fim.conf (/usr/share is on centos, /opt/osquery on debian)
I see the file is being read when I run with --verbose (it says /etc/%% is being watched)
but when I do "useradd test", there is no entry in file_events table
so I managed to make events appear in file_events table, but there are no records in the logs..