# fleet

osquery Slack (https://github.com/osquery/osquery)

Jason

03/30/2022, 9:22 PM
Hi - Has anyone written any queries for detecting recently logged in users? I'm asking because the "normal" way of detecting SSH keys w/o encryption kind of breaks with network-mounted homes (it tries and fails across 1000s of users)

Kathy Satterlee

03/31/2022, 8:09 PM
Hi, @Jason! What's the end goal with that query? Are you wanting to see what users have most recently logged in to a specific host and then use that data to narrow down which users' keys you need to check for encryption?

Jason

04/01/2022, 3:21 AM
It's a basic one: looking for unencrypted SSH keys. The problem is that if you just look for all keys for users on a system with shared storage, you are doing this check against hundreds (or thousands) of home directories you won't have read access to, which is also redundant.
So I'm really just looking for the SSH keys of the actual users who are using the system (and have their home directory actually mounted with access).

Ahmed

09/21/2022, 8:50 PM
@Jason I have that query already added to the Fleet standard library, I think. Try to join with the 'last' table.

Jason

09/21/2022, 8:51 PM
Ah. Nice idea.

Ahmed

09/21/2022, 8:53 PM
Sorry, I was searching for something and saw this old message, and I thought I could help.
I saw that issue in a previous environment where we didn't have normal users created on the system; they came authenticated from the domain. So here you need to join with the 'last' table for anything related to normal users, because the normal query without this trick will only return data about the service accounts like root, php, puppet, ansible, etc.
@Jason hopefully that helps.

Jason

09/21/2022, 9:10 PM
Absolutely does.
Reminds me of another query I just wrote for web browser versions. I'm querying the web browser version only if the browser is running.
So if you have Firefox installed but don't use it, I don't really care much.