Channels
#general
Title
# general
s
slevchenko
12/02/2021, 5:08 PMis there any way to securely store values inside osquery ? For example a list of valid\trusted file sha sums
s
seph
12/03/2021, 4:31 AM
Sorta, but not really.
You can create temp tables, and I think these will last for a bit. But that's not really well quantified.
You can drop this information onto local disk somewhere, and then join against it. What formats depend a bit on the platform -- but sqlite is probably universal.
You can write an extension, Which may provide some info like this
s
slevchenko
12/03/2021, 10:14 AM@seph Process-injection incidents hunting, or "ignore" lists becoming sheer nightmare with dozens of NOT LIKE...., NOT LIKE.... . Is there any way to load sqlite files without need to write own extension ?
Can that be introduced as a feature ? I know there's a curl table which as I understood allows to load data from some remote source.
f
fritz
12/03/2021, 2:01 PM@slevchenko you can utilize cte lookup tables to avoid the
NOT LIKE... AND NOT LIKE... AND NOT LIKEs
slevchenko
12/03/2021, 2:02 PMYup that's what I'm doing now, but queries become huge
f
fritz
12/03/2021, 2:03 PMIf you want to share a snippet of your query I can give it some 👀 and see if there is an opportunity for reducing some of the verbosity. Happy to do so in thread or in DM.
s
slevchenko
12/03/2021, 2:03 PMI hoped in to use
NOT IN table_names
seph
12/03/2021, 2:04 PM
If you have a SQLite file on disk, you can load it as a table. It's in the config file. Look for docs or blog posts about "ATC tables"
☝️ 1
s
slevchenko
12/03/2021, 2:04 PMI have no file just yet, but I'll create it for this purpose
f
fritz
12/03/2021, 2:05 PM@seph's ATC recommendation is definitely a good approach, the only difficulty is ensuring the file exists on disk and is kept up to date.
s
slevchenko
12/03/2021, 2:06 PMI'm creating a daemon which will control its synchronization
s
seph
12/03/2021, 2:06 PM
Understood -- you asked it it could be added, and it's already there. Mostly pricing background. Only real caveat is that you'd need to manage the contents of it out of band.
s
slevchenko
12/03/2021, 2:06 PMYes, if it's already there, it's just fantastic! Just what I needed
f
fritz
12/03/2021, 2:06 PMif you can handle ensuring the sqlite file/db exists on disk and is kept up to date, ATC is definitely the right path
s
slevchenko
12/03/2021, 2:09 PMAha! Thanks folks, that saves me hell load of time
f
fritz
12/03/2021, 2:10 PM👍
ATC is amazing, @obelisk is a legend for adding that capability.
❤️ 1
s
slevchenko
12/03/2021, 2:12 PMSo just to share why I need so many conditions. I'm whitelisting shared library objects, to detect those which might be PUA
and that becomes a pain in a ...back, without an ability to group objects into a table
f
fritz
12/03/2021, 2:15 PMThere are methods for doing this sort of thing all within the query in a way that's reasonably sized.
if you provide an example of 2 or 3 of your conditions, i can show you the approach i take when doing this within query vs referencing an external source/file
s
slevchenko
12/03/2021, 2:20 PMsure, moment
Copy code
SELECT process_memory_map.*, pid as mpid from process_memory_map LEFT JOIN processes USING (pid) WHERE process_memory_map.path LIKE '/%' and process_memory_map.pseudo != 1 AND process_memory_map.path NOT LIKE '/lib/%' AND process_memory_map.path NOT LIKE '/usr/lib%' AND process_memory_map.path NOT LIKE '/snap/%' AND process_memory_map.path NOT LIKE '/usr/local/lib/%' AND process_memory_map.path NOT LIKE '/home/%%/snap/%' AND process_memory_map.path NOT LIKE '/var/lib/snapd/%' AND process_memory_map.path NOT LIKE '/opt/bitnami/%%' AND process_memory_map.path NOT LIKE '/opt/java/%%' AND process_memory_map.path NOT LIKE '/opt/java/%%' AND process_memory_map.path NOT LIKE '/usr/glibc-compat/%%' AND process_memory_map.path NOT LIKE '/run/user/1000/%%' AND process_memory_map.path NOT LIKE '/memfd:/.glXXXXXX' AND process_memory_map.path != processes.path AND process_memory_map.permissions LIKE '%x%';It actually works, apart from the fact that it's a sheer pain to read 🙂
s
seph
12/04/2021, 3:52 AM
Yeah... I feel like I've been somewhat annoyed that there's no
LIKE IN (...)Oh, I see you have
%%%%%If you want to get really fancy, you could probably use the osquery regex routines.
s
slevchenko
12/06/2021, 1:49 PMThanks, I'll try that too, right after custom sql tables
2 Views