# general

Zach Zeid

08/06/2020, 6:25 PM
general question: There isn't really a way for osquery to read a file, correct?

seph

08/06/2020, 6:30 PM
Generally no. It's a loose design goal to avoid that. There are some exceptions: 1. the carver, 2. plist files, 3. augeas may provide access, 4. others??? And, of course, various extensions.
ATC tables are another. (This is a conf option to make a table from any sqlite file on disk.)

Zach Zeid

08/06/2020, 6:31 PM
I never heard of Augeas, is that built into osquery? I didn't think the carver read the contents of a file, so much as the contents of a directory.
Specifically looking outside of .plist files, and was wondering if the functionality was there out of the box.

Stefano Bonicatti

08/06/2020, 6:34 PM
You mean though, arbitrarily read a file? Because everything in osquery reads files; what changes is what we display and the control you have to decide which files are read.

Zach Zeid

08/06/2020, 6:43 PM
Not arbitrarily, but given a file path, yes, read it.
augeas seems to work for specific files.
Not sure how carver would, but I am looking into it more.

fritz

08/06/2020, 6:44 PM
@Zach Zeid Arbitrary file read is explicitly avoided where possible.
Carver allows downloading a given file.

seph

08/06/2020, 6:45 PM
augeas is a 3rd party lib that will parse a file according to a "lens". You can feed lenses arbitrary files, but they might not parse. There is at least one lens that allows arbitrary text file parsing. Whether you have those installed on your machines or not I don't know.

fritz

08/06/2020, 6:45 PM
seph outlined the majority of the "point to a path and read its contents" cases.

seph

08/06/2020, 6:46 PM
Carver is built into osquery but requires fairly specific server support. It's not a simple live query.
yara probably also allows some arbitrary file reads; whether or not you have an installed yara rule is unknown.

Zach Zeid

08/06/2020, 7:04 PM
hmm, how come with augeas it doesn't read the /home/ directory? This is odd.

```shell
sudo osqueryi "select * from augeas where label = 'key' and path like '%/%/.ssh/authorized_keys';" --json
```

will print out the authorized_keys in my home directory on my MacBook, but on a CentOS 7 EC2 instance, it doesn't.
Looking at the Authorized_Keys.ag file, it should be getting everything under ~/.ssh/authorized_keys. Is this a limitation of osquery?

seph

08/07/2020, 12:59 PM
I don't use augeas, so I can't quickly speak to whether there's a bug or a misuse in your SQL.
If you want authorized keys, there's a table for that.
But I don't know what you're looking for -- this started with a very broad exploration (which is cool) but seems to have ended up with a specific question.

Zach Zeid

08/07/2020, 1:08 PM
*facepalm* I should've begun with my use case, instead of asking "can osquery read files?" and going from there.
Thanks for un-derping me.

seph

08/07/2020, 2:00 PM
Arbitrary file read is also a common question. But, yeah. :)

Zach Zeid

08/07/2020, 2:01 PM
I can see how arbitrary file read is a dangerous situation for data exfil too.
Good to be more cautious than not 😄