Hi 👋 I’ve got the following question: Say, we have some devices (Mac OS) which are online for several hours then goes offline then again turned on etc. As I got it, osquery resets its inner timer every time after it (even if device has been put to sleep, hibernated) and some queries with high interval will never launch. Right? If so, is there any workarounds to make such queries run except reducing interval itself as it causes an increase of events?..

The timer should be cumulative.

@seph how can I set cumulative timer for a query?

The timer for queries is cumulative based on osquery runtime. It should not reset on boot

@seph I asked the wrong question because I didn’t understand how timer works. Now I got you, sorry for stupid question 🙂 thanks a lot!

No need to apologize. We all start somewhere 🙂

Yes, I’m asking only about the query scheduler. I want to understand the following: I added a query with interval of 24h. This query was scheduled by osquery. Several hours later the device is rebooted, on boot osquery starts and gets the query from kolide again. We need to wait 24h from the beginning? Or it would resume from the point where the device were restarted? Several hours later a user on the device could restart osquery (osqueryctl restart), osquery starts and gets the query from kolide again. Would it resume from the point where osquery was restarted or it starts from the very beginning? PS. I definitely has some problems with posing questions 🙂

the osquery schedule should work off the cumulative osquery runtime. Neither computer restarts, nor osquery restarts should matter.

@seph thanks for your patience and your answer! 😄

np

Also keep in mind osquery makes minor adjustments to schedule intervals, called a “splay” value. This is similar to splaying in chef and other tools that may be effecting large numbers of hosts. The default is to splay up to 10% of the interval value plus or minus. That prevents all of your machines from executing the same query at the same time, as well as executing all 24h interval queries at the same time.

@theopolis ok 👍 thanks

When you say cron, having osquery run something ever N seconds by the clock? What would happen if the machine was asleep?

But is there any setting to make osquery run a query on startup? I e osquery starts and run queries once?

I do not think this really exists but several folks have asked for it. I think we could support it with a new feature

{
  "query": "select * from TABLE_NAME",
  "startup": true
}

Get’s weird if you think about diff queries.

I realised that running queries by cron is unnecessary cuz running by interval is enough. Running on startup could be helpful for us. I understand that it might be costly and possibly causes some problems. If it gets more realistic to implement it, that would great! 👍 thanks

Can you tell me about the use case? Is it a lot of queries, or a few? Is it the scheduled queries, and you want them earlier, or something else? One of the decorator queries can run on startup, is that what you're looking for?

When I set queries (in my case, snapshots) to be run with interval of 4h (for example), we have to wait for 4h of osquery runtime which may expand to more hours if the user turns off its device or put it to sleep. Our security controls are based on those queries. If we have no results from osquery for some time we consider it as a defect and notify the users about this problem. We have been facing the before mentioned situation where we have no idea if a device is secured with correspondance to our requirments or not for long time. reducing the query intervals is not possible for us as it leads to sufficient increase of logs. And if there startup queries has been, we could solve this issue probably

That’s a good perspective to hear.

Yes, we use Kolide as the TLS server. Distributed queries are nice possibility but in our case my colleagues which are engaged in defining defects (security requirements violated) are analysing them in a different system. After a query was set, its results via syslog would be loaded to our SIEM system where there are different scheduled searches/alerts for that. They (my colleagues) have no access to Kolide Web UI as in Kolide there isn’t appropriate RBAC and they would have more privileges than we wish them had. Can you please clarify how decorators could help us to do something like this? We use decorators, our use case is adding ip address of the device to each query to make correlation easier. As I understand decorators are the wrap-up “queries” which are run for every query at all. Am I right? If so, that’s gonna overwhelm us with logs... Also, as you can guess, users don’t apply security settings themselves. We have separate teams of people who are engaged in it. After some security settings were applied we want to check if it was done correctly. Usually for this purpose we have those osquery queries (controls). Taking away the personal device from a user for 4h is inappropriate for us, we are trying to return it asap. If the device was returned before my colleagues make sure everything is correct with the help of their searches in SIEM, it might turn out that something was done wrong and works (applying security settings) are required again. Frequently it is not an easy task because we make it impossible for users to keep working, or users have to get to the office again (no vpn access to that device). Therefore if there has been startup queries, we could trigger osquery to run them by restarting osquery. Logs could be delivered to our SIEM system faster.

picking things apart…

^^ Macear our entire platform is enabling communication between the security team and the end-users (which seems to be a key goal for you). If you use Slack at work you should check it out at kolide.com .

The idea with using CI sounds ok, I will think it over. Thanks again. Also we will think about SaaS, need to estimate all pros and cons 👍