Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
y
yt0ng
03/01/2023, 9:27 AM{
"options": {
"disable_logging": "false",
"disable_events": "false"
},
"schedule": {
"file_events": {
"query": "SELECT * FROM file_events;",
"interval": 10
}
},
"yara": {
"signatures": {
"sig_group_1": [ "/osquery/osquery.yar" ]
},
"file_paths": {
"www": [ "sig_group_1" ]
}
},
"file_paths": {
"www": [
"/var/www/%%"
]
},
<SNIP>k
Keith Swagler
03/01/2023, 9:35 PMCan you run
--verboseAlso make sure that you have file events enable as per the docs https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/
y
yt0ng
03/02/2023, 8:23 AMThanks for the response @Keith Swagler I do not have any compile errors
I0302 09:23:02.746310 1739991 yara_utils.cpp:426] Compiling YARA signature group: sig_group_1
I0302 09:23:02.884631 1739991 eventfactory.cpp:156] Event publisher not enabled: BPFEventPublisher: Publisher disabled via configurationand I do get FIM events as long as I am not enabling the yara section above
I also get a confirmation for the event listening
I0302 09:23:02.940120 1739991 file_events.cpp:87] Added file event listener to: /var/www/**
I0302 09:23:03.038489 1739991 yara_events.cpp:119] Added YARA listener to: /var/www/**I do get several things mentioned as not being active, could that be an issue? Also osquery tells me I am not providing the flagsfile which I actually do
sudo osqueryd --verbose --flagfile=/etc/osquery/osquery.flags
I0302 10:02:39.118822 1747822 init.cpp:399] osquery initialized [version=5.7.0]
I0302 10:02:39.119309 1747822 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /etc/osquery/extensions.load
I0302 10:02:39.119508 1747822 dispatcher.cpp:78] Adding new service: WatcherRunner (0x55e9051ac2b8) to thread: 140318048220928 (0x55e9051a9a80) in process 1747822
I0302 10:02:39.122210 1747823 watcher.cpp:674] osqueryd watcher (1747822) executing worker (1747824)
I0302 10:02:39.138759 1747824 init.cpp:396] osquery worker initialized [watcher=1747822]
I0302 10:02:39.139111 1747824 dispatcher.cpp:78] Adding new service: WatcherWatcherRunner (0x55d8132e52b8) to thread: 140406222186240 (0x55d8132e49d0) in process 1747824
I0302 10:02:39.139307 1747824 rocksdb.cpp:132] Opening RocksDB handle: /var/osquery/osquery.db
I0302 10:02:40.213364 1747824 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x55d813430448) to thread: 140405609842432 (0x55d813390050) in process 1747824
I0302 10:02:40.213515 1747824 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x55d813428688) to thread: 140405618235136 (0x55d8132f4c70) in process 1747824
I0302 10:02:40.213582 1747962 interface.cpp:299] Extension manager service starting: /var/osquery/osquery.em
I0302 10:02:40.213652 1747824 auto_constructed_tables.cpp:99] Removing stale ATC entries
W0302 10:02:40.214896 1747824 options.cpp:106] The CLI only flag --config_plugin set via config file will be ignored, please use a flagfile or pass it to the process at startup
W0302 10:02:40.214990 1747824 options.cpp:106] The CLI only flag --logger_plugin set via config file will be ignored, please use a flagfile or pass it to the process at startup
I0302 10:02:40.215171 1747824 yara_utils.cpp:426] Compiling YARA signature group: sig_group_1
I0302 10:02:40.224817 1747824 eventfactory.cpp:156] Event publisher not enabled: BPFEventPublisher: Publisher disabled via configuration
I0302 10:02:40.225167 1747824 eventfactory.cpp:156] Event publisher not enabled: syslog: Publisher disabled via configuration
I0302 10:02:40.225662 1747824 events.cpp:70] Skipping subscriber: apparmor_events: Subscriber disabled via configuration
I0302 10:02:40.227416 1747824 eventsubscriberplugin.cpp:492] Found 10 events for subscriber inotify.file_events
I0302 10:02:40.227855 1747824 events.cpp:70] Skipping subscriber: process_file_events: Subscriber disabled via configuration
I0302 10:02:40.228274 1747824 events.cpp:70] Skipping subscriber: seccomp_events: Seccomp subscriber disabled via configuration
I0302 10:02:40.228595 1747824 events.cpp:70] Skipping subscriber: selinux_events: Subscriber disabled via configuration
I0302 10:02:40.228765 1747824 events.cpp:70] Skipping subscriber: socket_events: Subscriber disabled via configuration
I0302 10:02:40.307024 1747824 file_events.cpp:87] Added file event listener to: /var/www/*
I0302 10:02:40.307402 1747824 yara_events.cpp:119] Added YARA listener to: /var/www/*k
Keith Swagler
03/02/2023, 3:31 PMokay great, can do 2 things, run
select * from osquery_eventsand also create a test file and see if you can query it like
select * from yara where path="file" and sig_group=sig_group_1or
select * from yara where path="file" and sigfile="/osquery/osquery.yar"y
yt0ng
03/02/2023, 7:09 PMawesome thank you!
select * from osquery_events
image.png
I do see is active but no events
for
select * from yara where path="file" and sig_group=sig_group_1
I get
osquery> select * from yara where path LIKE '/var/www/%' and sig_group=sig_group_1; │
Error: no such column: sig_group_1I can however run
select * from yara where path="file" and sigfile="/osquery/osquery.yar"and get results
k
Keith Swagler
03/02/2023, 7:14 PMOK, and using the osqueryi session can you modify the files and see if they show up in file_events and yara_events ?
y
yt0ng
03/02/2023, 7:15 PMyou mean for FIM ?
if I modify a file?
once I activate the yara section, no more FIM events appear
k
Keith Swagler
03/02/2023, 7:17 PMyes
y
yt0ng
03/02/2023, 7:17 PMoh, is that expected ?
k
Keith Swagler
03/02/2023, 7:19 PMIt is not, but I suspect there may be an issue between the config you are using for osqueryd and the one for osqueryi
this will check that
y
yt0ng
03/02/2023, 7:25 PMoh, interesting
thank you for checking
will only be able to follow up tomorrow though, so sorry for any late response and appreciate the help!
k
Keith Swagler
03/08/2023, 1:47 PMokay let me know if that works 👍
y
yt0ng
03/09/2023, 7:04 AMhere are the config files in
/etc/osquery/lrwxrwxrwx 1 root root 26 Mar 1 08:08 osquery.flags.default -> /etc/osquery/osquery.flags
-rw-r--r-- 1 root root 53 Mar 2 10:01 osquery.yar
-rw-r--r-- 1 root root 75 Mar 2 10:08 osquery.flags
-rw-r--r-- 1 root root 838 Mar 3 15:57 osquery.conf
drwxr-xr-x 155 root root 12K Mar 9 06:52 ..
drwxr-xr-x 2 root root 4.0K Mar 9 08:03 .thats all I actually have
would there be another place where I should look ?
followed via strace that seems also to be where osqueryi is looking
stat("/etc/osquery/osquery.conf.d/", 0x7ffe60b6b2f0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/osquery/osquery.conf.d", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
stat("/etc/osquery/osquery.conf", {st_mode=S_IFREG|0644, st_size=838, ...}) = 0k
Keith Swagler
03/10/2023, 1:15 PMokay can you run
select * from osquery_flags