#linux

julient

09/26/2021, 1:48 PM
I have the following query in my scheduled ones: `select authorized_keys.* from users join authorized_keys using (uid);`

Problem: it creates a spam of warning messages for all users where no such file exists: "Cannot open file for reading: /.ssh/authorized_keys2". Is there a way to make the query not produce this warning, or to silence the corresponding log pattern? It is spamming the log for no reason.

Following https://defensivedepth.com/2019/02/21/osquery-join-with-users-table-not-returning-results/, I tried `select authorized_keys.* from users cross join authorized_keys using (uid);` but got the same results. `select authorized_keys.* from authorized_keys;` only gets the warning for users who have one file but not the other (authorized_keys2 vs authorized_keys).

Thanks

seph

09/27/2021, 12:14 AM
That error comes because osquery tries to open the file for every user's homedir (in your cross query).

1. Someone just opened a PR to reduce this logging. https://github.com/osquery/osquery/pull/7318
2. Your quoted error is `reading: /.ssh/authorized_keys2`, which is an odd path. I'd expect that to start with a homedir. Do you have a lot of users with `/` as their homedir? I'd expect that of root, but that should be a single line. Might indicate a cross join, when you want a left join.
3. You might be able to do something tricky with the file table, to detect if the file is present. But I suspect cumbersome.

julient

09/27/2021, 5:49 PM
Thanks. Seems right timing per 1. On 2, yes, example from a system where root's homedir is /. The "cannot open" repeats itself; the file path is unique per user but repeats per the frequency of the scheduled query. No issue there. 3. Prefer the solution of 1; hopefully it will make it into the next release.