pdpq
03/19/2020, 12:08 PM

CptOfEvilMinions
03/20/2020, 4:42 PM
SELECT subkey, value FROM plist WHERE path='/Library/Preferences/SystemConfiguration/preferences.plist' AND key='NetworkServices' AND subkey like '%HTTP%P%' AND value != '';
which will produce:
+--------------------+---------+
| subkey             | value   |
+--------------------+---------+
| Proxies/HTTPPort   | 5555    |
| Proxies/HTTPSProxy | 1.1.1.1 |
| Proxies/HTTPSPort  | 5555    |
| Proxies/HTTPProxy  | 1.1.1.1 |
+--------------------+---------+
query: SELECT DISTINCT p.pid, x.name, x.cmdline, p.local_port FROM process_open_sockets as p JOIN plist as l ON p.local_port=l.value JOIN processes as x ON p.pid=x.pid WHERE l.path='/Library/Preferences/SystemConfiguration/preferences.plist' AND l.key='NetworkServices' AND l.subkey like '%HTTP%Port' AND l.value != '';
which will produce:
+-------+------+------------+------------+
| pid   | name | cmdline    | local_port |
+-------+------+------------+------------+
| 19821 | nc   | nc -l 5555 | 5555       |
+-------+------+------------+------------+
Premkumar R
03/26/2020, 1:00 PM
osquery> select pid, name, start_time, cmdline from processes Limit 15;
+-----+----------------+------------+---------+
| pid | name           | start_time | cmdline |
+-----+----------------+------------+---------+
| 0   | kernel_task    | 1584971117 |         |
| 1   | launchd        | 1584971117 |         |
| 42  | syslogd        | 1584971127 |         |
| 43  | UserEventAgent | 1584971127 |         |
| 45  | sh             | 1584971127 |         |
| 47  | uninstalled    | 1584971127 |         |
| 48  | kextd          | 1584971127 |         |
| 49  | fseventsd      | 1584971127 |         |
| 51  | jamf           | 1584971127 |         |
| 52  | vpnagentd      | 1584971127 |         |
| 57  | appleeventsd   | 1584971127 |         |
| 58  | systemstats    | 1584971127 |         |
| 60  | configd        | 1584971127 |         |
| 62  | ciscod         | 1584971127 |         |
| 63  | powerd         | 1584971127 |         |
+-----+----------------+------------+---------+
zwass
sudo osqueryi --disable_events=false --disable_audit=false --audit_allow_sockets=true
and not seeing any results.

Jean M
04/18/2020, 2:34 PM

Sammy
04/24/2020, 3:33 PM

nyanshak
04/30/2020, 9:32 PM
`<some_timestamp>.crash_recovery` log files in `/var/audit`.
When the audit system crashes, osquery stops receiving events from the `process_events` table.
When the system is restarted, `process_events` will start going through again, since the audit subsystem is restarted.
1. (for a temporary fix) Is there a way to make the audit subsystem recover without rebooting the machine? The `man audit` page suggests you should be able to do `sudo audit -i` to reinitialize the system. However, on doing this it doesn't clear out the crash_recovery file, and process_events don't actually start getting processed again, including after restarting osquery.
2. (troubleshooting) Are there any good tools that can parse the audit binary log files? Trying to see if I can find any meaningful leads on why it crashed.
3. Has anyone else run into this and have any suggestions?

Hugh (Zercurity)
05/13/2020, 1:10 PM
`screenlock` table

bashoneliner
05/28/2020, 1:02 PM
`process_events` table. Like i.e. I cannot see Microsoft Word/Excel or Pages being launched, I do however see some “helper” process events from things like Slack, Chrome, everything run from the command line etc. I don’t use any filters and just used `select * from process_events;`.
However, if I’m crosschecking execve events via Crescendo (https://github.com/SuprHackerSteve/Crescendo), which uses Endpoint Security Framework, I see GUI app launches in the logs, i.e.
`Event Type: process::exec`
`Process: /Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word`
`Pid: 7897 (Parent) -> 1`
`User: xxxxxxxxx`
`Timestamp: 1590670734433`
`Platform Binary: false`
`Signing ID: com.microsoft.Word`
`Props:`
`{`
`action = "ES_AUTH_RESULT_ALLOW";`
`argc = 1;`
`argv = "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word ";`
`isplatformbin = false;`
`ppid = 1;`
`signingid = "com.microsoft.Word";`
`size = 39892064;`
`teamid = UBF8T346G9;`
`}`
I’m on osquery 4.3.0 and MacOS 10.15.4 if that helps.

Julian Scala
06/09/2020, 5:33 PM
`SELECT * FROM screenlock` from osqueryi, but when the daemon runs it as a scheduled query I get no results?

mcantu
06/09/2020, 7:18 PM
`/etc/security/audit_control` was reverted back to the default on my mac in the past week or so. I suspect this occurred when I updated from 10.15.4 to 10.15.5 (similar to how `/var/log/osquery/` gets blown away during incremental upgrades in 10.15). I was curious if this is expected behavior?

harveywells
06/17/2020, 2:20 PM

allister
06/24/2020, 7:43 AM

Mike Myers
06/24/2020, 5:06 PM

asparamancer
06/24/2020, 6:18 PM

theopolis
fritz
07/31/2020, 2:30 PM
`block_devices` returns the label `Untitled` for devices that do have names according to Disk Utility:

Zhen
08/05/2020, 10:22 PM

allister
08/18/2020, 11:08 AM

fritz
08/23/2020, 3:38 PM
`extended_attributes` table to look for `where_froms` data

allister
08/24/2020, 2:13 AM
`mdls` info, likewise if you have santa it can give you the same info (although it would only get logged/scraped when it's an executable being launched, not unpacked from another artifact)

Gavin
08/24/2020, 6:33 PM

Bradley Kemp
08/26/2020, 2:02 PM
`osqueryi` I see a lot of symlink loop errors so very likely this is bailing out half way, even with the `or path like '/Users/%%'` “fix”

theopolis
`--audit_allow_config` and that will set the right audit rules for `process_events` and `socket_events`
Sammy
09/22/2020, 2:31 PM

Dallas Bobryk
09/23/2020, 4:06 PM

theopolis
harveywells
09/30/2020, 6:19 PM
3.3.2 with Big Sur?

ehrhardt
10/07/2020, 1:49 AM
`rocksdb` and started using `ephemeral` for pack results, which means the results are not stored anywhere. Does anyone know where this setting is configured?

asparamancer
10/07/2020, 3:42 AM