# general

yt0ng

03/01/2023, 9:27 AM
{
  "options": {
    "disable_logging": "false",
    "disable_events": "false"
  },

  "schedule": {
    "file_events": {
      "query": "SELECT * FROM file_events;",
      "interval": 10
    }
  },

  "yara": {
    "signatures": {
      "sig_group_1": [ "/osquery/osquery.yar" ]
    },
    "file_paths": {
      "www": [ "sig_group_1" ]
    }
  },

  "file_paths": {
    "www": [
      "/var/www/%%"
    ]
  },
  <SNIP>

Keith Swagler

03/01/2023, 9:35 PM
Can you run --verbose when you run osquery and see if you have any Yara compile errors? Also ensure that the file listener is set up on startup.
Also make sure that you have file events enabled as per the docs https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/

yt0ng

03/02/2023, 8:23 AM
Thanks for the response @Keith Swagler. I do not have any compile errors:
I0302 09:23:02.746310 1739991 yara_utils.cpp:426] Compiling YARA signature group: sig_group_1
I0302 09:23:02.884631 1739991 eventfactory.cpp:156] Event publisher not enabled: BPFEventPublisher: Publisher disabled via configuration
and I do get FIM events as long as I do not enable the yara section above.
I also get a confirmation for the event listening:
I0302 09:23:02.940120 1739991 file_events.cpp:87] Added file event listener to: /var/www/**
I0302 09:23:03.038489 1739991 yara_events.cpp:119] Added YARA listener to: /var/www/**
I do get several things mentioned as not being active; could that be an issue? Also osquery tells me I am not providing the flagfile, which I actually do:
sudo osqueryd --verbose --flagfile=/etc/osquery/osquery.flags
I0302 10:02:39.118822 1747822 init.cpp:399] osquery initialized [version=5.7.0]
I0302 10:02:39.119309 1747822 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /etc/osquery/extensions.load
I0302 10:02:39.119508 1747822 dispatcher.cpp:78] Adding new service: WatcherRunner (0x55e9051ac2b8) to thread: 140318048220928 (0x55e9051a9a80) in process 1747822
I0302 10:02:39.122210 1747823 watcher.cpp:674] osqueryd watcher (1747822) executing worker (1747824)
I0302 10:02:39.138759 1747824 init.cpp:396] osquery worker initialized [watcher=1747822]
I0302 10:02:39.139111 1747824 dispatcher.cpp:78] Adding new service: WatcherWatcherRunner (0x55d8132e52b8) to thread: 140406222186240 (0x55d8132e49d0) in process 1747824
I0302 10:02:39.139307 1747824 rocksdb.cpp:132] Opening RocksDB handle: /var/osquery/osquery.db
I0302 10:02:40.213364 1747824 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x55d813430448) to thread: 140405609842432 (0x55d813390050) in process 1747824
I0302 10:02:40.213515 1747824 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x55d813428688) to thread: 140405618235136 (0x55d8132f4c70) in process 1747824
I0302 10:02:40.213582 1747962 interface.cpp:299] Extension manager service starting: /var/osquery/osquery.em
I0302 10:02:40.213652 1747824 auto_constructed_tables.cpp:99] Removing stale ATC entries
W0302 10:02:40.214896 1747824 options.cpp:106] The CLI only flag --config_plugin set via config file will be ignored, please use a flagfile or pass it to the process at startup
W0302 10:02:40.214990 1747824 options.cpp:106] The CLI only flag --logger_plugin set via config file will be ignored, please use a flagfile or pass it to the process at startup
I0302 10:02:40.215171 1747824 yara_utils.cpp:426] Compiling YARA signature group: sig_group_1
I0302 10:02:40.224817 1747824 eventfactory.cpp:156] Event publisher not enabled: BPFEventPublisher: Publisher disabled via configuration
I0302 10:02:40.225167 1747824 eventfactory.cpp:156] Event publisher not enabled: syslog: Publisher disabled via configuration
I0302 10:02:40.225662 1747824 events.cpp:70] Skipping subscriber: apparmor_events: Subscriber disabled via configuration
I0302 10:02:40.227416 1747824 eventsubscriberplugin.cpp:492] Found 10 events for subscriber inotify.file_events
I0302 10:02:40.227855 1747824 events.cpp:70] Skipping subscriber: process_file_events: Subscriber disabled via configuration
I0302 10:02:40.228274 1747824 events.cpp:70] Skipping subscriber: seccomp_events: Seccomp subscriber disabled via configuration
I0302 10:02:40.228595 1747824 events.cpp:70] Skipping subscriber: selinux_events: Subscriber disabled via configuration
I0302 10:02:40.228765 1747824 events.cpp:70] Skipping subscriber: socket_events: Subscriber disabled via configuration
I0302 10:02:40.307024 1747824 file_events.cpp:87] Added file event listener to: /var/www/*
I0302 10:02:40.307402 1747824 yara_events.cpp:119] Added YARA listener to: /var/www/*

Keith Swagler

03/02/2023, 3:31 PM
okay great, can you do 2 things: run
select * from osquery_events
and make sure the yara_events publisher is active and has events
and also create a test file and see if you can query it like
select * from yara where path="file" and sig_group=sig_group_1
or
select * from yara where path="file" and sigfile="/osquery/osquery.yar"

yt0ng

03/02/2023, 7:09 PM
awesome thank you!
select * from osquery_events
I do see it is active but no events
for
select * from yara where path="file" and sig_group=sig_group_1
I get
osquery> select * from yara where path LIKE '/var/www/%' and sig_group=sig_group_1;
Error: no such column: sig_group_1
I can however run
select * from yara where path="file" and sigfile="/osquery/osquery.yar"
and get results

Keith Swagler

03/02/2023, 7:14 PM
OK, and using the osqueryi session can you modify the files and see if they show up in file_events and yara_events?

yt0ng

03/02/2023, 7:15 PM
you mean for FIM ?
if I modify a file?
once I activate the yara section, no more FIM events appear

Keith Swagler

03/02/2023, 7:17 PM
yes

yt0ng

03/02/2023, 7:17 PM
oh, is that expected?

Keith Swagler

03/02/2023, 7:19 PM
It is not, but I suspect there may be an issue between the config you are using for osqueryd and the one for osqueryi
this will check that

yt0ng

03/02/2023, 7:25 PM
oh, interesting
thank you for checking
will only be able to follow up tomorrow though, so sorry for any late response and appreciate the help!

Keith Swagler

03/08/2023, 1:47 PM
okay let me know if that works 👍

yt0ng

03/09/2023, 7:04 AM
here are the config files in /etc/osquery/:
lrwxrwxrwx   1 root root   26 Mar  1 08:08 osquery.flags.default -> /etc/osquery/osquery.flags
-rw-r--r--   1 root root   53 Mar  2 10:01 osquery.yar
-rw-r--r--   1 root root   75 Mar  2 10:08 osquery.flags
-rw-r--r--   1 root root  838 Mar  3 15:57 osquery.conf
drwxr-xr-x 155 root root  12K Mar  9 06:52 ..
drwxr-xr-x   2 root root 4.0K Mar  9 08:03 .
that's all I actually have
would there be another place where I should look?
Followed via strace; that also seems to be where osqueryi is looking:
stat("/etc/osquery/osquery.conf.d/", 0x7ffe60b6b2f0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/osquery/osquery.conf.d", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
stat("/etc/osquery/osquery.conf", {st_mode=S_IFREG|0644, st_size=838, ...}) = 0

Keith Swagler

03/10/2023, 1:15 PM
okay can you run
select * from osquery_flags