Mike Myers
12/08/2020, 9:33 PM
Yali Ren
12/10/2020, 9:22 PM
fritz
12/11/2020, 2:19 PM
kolide_gsettings table and look for the values associated with the following keys:
'ubuntu-lock-on-suspend'
'lock-enabled'
'lock-delay'
'idle-delay'
One thing to keep in mind on Linux is you will need to consider not only the distribution (e.g. Ubuntu) but also the primary window manager (e.g. GNOME). If someone is not running GNOME, the keys listed above will not be representative of the effective configuration on the device.
Zach Zeid
12/11/2020, 2:37 PM
/var/osquery/syslog-pipe or from select * from syslog; in osquery.
Tao Jiang
12/13/2020, 2:36 PM
Ashish
12/13/2020, 3:21 PM
Yevgeny P
12/13/2020, 9:12 PM
Schrodinger
12/14/2020, 10:47 AM
jby
12/14/2020, 12:41 PM
kernel: osqueryd[239994]: segfault at 98 ip 000055c73482a52d sp 00007ffe287a95f0 error 4 in osqueryd[55c7347da000+1065000]
seph
asparamancer
12/15/2020, 9:21 AM
Zach Zeid
12/15/2020, 11:20 AM
4.6.0 cut, when will it be available via package manager? The site still shows 4.5.1 as being the latest.
infomaniac
12/16/2020, 12:56 PM
fritz
12/16/2020, 1:50 PM
kolide_wmi table) but I have not investigated it much and couldn't say for certain.
Rares Ion
12/16/2020, 6:02 PM
Prateek Kumar Nischal
12/17/2020, 4:59 PM
a2 field in the syscall audit record to determine if the event was intended for writing, e.g.
arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x7ffcabc35875 a2=O_RDONLY a3=0x0 items=1 ppid=10846 pid=11679 auid=... exe=/bin/cat key=sys_bin
For example, this record was emitted by auditd and has the a2 field as O_RDONLY.
This one was emitted by osquery:
arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=557f5aeb2b90 a2=441 a3=1b6 items=2 ppid=2516 pid=2517 auid=... exe="/bin/bash" key="test"
a2 = 0x441, which is O_WRONLY|O_CREAT|O_APPEND, showing the intent of writing to a file (using tee).
Matt Ackard
12/17/2020, 5:26 PM
E1216 18:35:38.019801 18135 udev.cpp:91] udev monitor returned invalid device
I1216 18:35:38.020171 18135 events.cpp:802] Event publisher udev run loop terminated for reason: udev monitor failed.
The original osquery version where I found this issue was 3.3.2, but I tried creating an instance using 4.5.1 and still had the same issue. When osquery is started/restarted, queries will run normally for a few minutes and then all query output to the results and snapshot logs will stop. Restarting will follow the same pattern. It looks like it may be linked to running a large number of Docker containers, since if I create another instance without adding any containers it runs normally. The udev error above prints after about 2 hours from the last INFO log output. Does anyone know what is causing this issue and if there is a fix? This is on Linux servers.
KK
12/18/2020, 1:37 AM
build directory that I'm seeing.
Is there a way to create a .pkg file from these build artifacts, or any other way to run this osquery binary on other machines?
Here are the files that I'm seeing under the build directory (tree level 2):
groob
ET
12/20/2020, 4:21 PM
John Byrne
12/20/2020, 8:26 PM
SK
12/21/2020, 8:29 AM
ET
12/21/2020, 11:06 AM
fritz
12/21/2020, 2:12 PM
bhuvaneswari
12/23/2020, 1:37 PM
Samuel Carvalho
12/23/2020, 8:05 PM
SELECT * FROM file_events;
Stefano Bonicatti
12/23/2020, 8:54 PM
theopolis
Faraz Jafri
12/28/2020, 9:48 AM
Alejandro
12/28/2020, 3:43 PM