• theopolis

    theopolis

    2 years ago
    I wish I could answer your question specifically but I've never seen that error. I'm not at a computer right now so I cannot provide examples, but I wanted to ask a set of standard audit questions like the output of the audit control summary, if any other audit-related processes were running, what your osquery config looks like (maybe more questions I cannot remember right now).
  • Then I thought, "we should really have a 'run these 4 commands' to help us debug audit problems as a group" in the documentation.
  • Fran Rodríguez

    Fran Rodríguez

    2 years ago
    @theopolis sorry for the delay
  • the osquery configuration
  • //
    // Ansible managed
    //
    {
      // Configure the daemon below:
      "options": {
        // Select the osquery config plugin.
        "config_plugin": "filesystem",
    
        // Select the osquery logging plugin.
        "logger_plugin": "syslog",
    
        // The log directory stores info, warning, and errors.
        // If the daemon uses the 'filesystem' logging retriever then the log_dir
        // will also contain the query results.
        "logger_path": "/var/log/osquery",
    
        // Set 'disable_logging' to true to prevent writing any info, warning, error
        // logs. If a logging plugin is selected it will still write query results.
        "disable_logging": "False",
    
        // Query differential results are logged as change-events to assist log
        // aggregation operations like searching and transactons.
        // Set 'log_results_events' to log differentials as transactions.
        //"log_result_events": "true",
    
        // Splay the scheduled interval for queries.
        // This is very helpful to prevent system performance impact when scheduling
        // large numbers of queries that run a smaller or similar intervals.
        "schedule_splay_percent": "10",
    
        // Write the pid of the osqueryd process to a pidfile/mutex.
        //"pidfile": "/var/osquery/osquery.pidfile",
    
        // Clear events from the osquery backing store after a number of seconds.
        "events_expiry": "1",
    
        // A filesystem path for disk-based backing storage used for events and
        // query results differentials. See also 'use_in_memory_database'.
        "database_path": "/var/osquery/osquery.db",
    
        // Comma-delimited list of table names to be disabled.
        // This allows osquery to be launched without certain tables.
        //"disable_tables": "foo_bar,time",
    
        // Enable debug or verbose debug output when logging.
        "verbose": "True",
    
        // The number of threads for concurrent query schedule execution.
        "worker_threads": "2",
    
        // Enable OS eventing publish subscribe APIs.
        "disable_events": "False",
    
        // Enable OS auditing
        "disable_audit": "false",
        "audit_allow_config": "true",
        "audit_allow_process_events": "true",
        "audit_allow_sockets": "true",
    
        "logger_snapshot_event_type": "True"
      },
    
      // Define a schedule of queries:
      "schedule": {
        // This is a simple example query that outputs basic system information.
        "system_info": {
          // The exact query to run.
          "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
          // The interval in seconds to run this query, not an exact interval.
          "interval": 3600
        },
        "fim" : {
          "query": "select * from file_events;",
          "removed": false,
          "interval": 300
        },
    
        "process_events":{
          "query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';",
          "interval": 300
        },
        "socket_events":{
          "query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');",
          "interval": 300
        }
      },
    
      "file_paths": {
        "homes_sshdir": [
          "/root/.ssh/%%",
          "/home/%/.ssh/%%"
        ],
        "bin": [
          "/bin/%%",
          "/sbin/%%",
          "/usr/bin/%%",
          "/usr/sbin/%%",
          "/usr/local/bin/%%",
          "/usr/local/sbin/%%"
        ],
        "boot": [
          "/boot/%%"
        ],
        "lost+found": [
          "/lost+found/%"
        ],
        "roothome": [
          "/root/%%"
        ]
      },
    // very noisy, <https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/#file-accesses>
    //  "file_accesses": ["etc", "root"]
      "exclude_paths": {
        "tmp": [
          "/tmp/too_many_events/"
        ]
      },
    
      // Decorators are normal queries that append data to every query.
      "decorators": {
        "load": [
          "SELECT uuid AS host_uuid FROM system_info;",
          "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
        ]
      },
    
      // Add default osquery packs or install your own.
      //
      // There are several 'default' packs installed with 'make install' or via
      // packages and/or Homebrew.
      //
      // Linux:        /usr/share/osquery/packs
      // OS X:         /var/osquery/packs
      // Homebrew:     /usr/local/share/osquery/packs
      // make install: {PREFIX}/share/osquery/packs
      //
      "packs": {
    //    "incident-response": "/usr/share/osquery/packs/incident-response.conf",
    //    "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
    //    "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf",
    //    "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
    //    "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf",
    //    "osquery-custom-pack": "/usr/share/osquery/packs/osquery-custom-pack.conf",
    //    "osquery-snapshots-pack": "/usr/share/osquery/packs/osquery-snapshots-pack.conf",
    //    "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf"
      }
    }
  • flags
  • #
    # Ansible managed
    #
    --pidfile=/var/run/osqueryd.pid
    --logger_event_type=true
    --disable_watchdog=true
    --watchdog_memory_limit=512
    --watchdog_utilization_limit=300
    --watchdog_delay=300
    --events_max=50000
    --utc=true
    #--disable_audit=false
    #--audit_allow_config=true
    #--audit_allow_process_events=true
    --audit_persist=true
    --audit_debug=true
    --logger_syslog_facility=19
    --docker_socket=/var/run/docker.sock
  • auditd rules
  • -a never,exit -S all -F auid<100
    -a never,exit -S all -F uid<100
    -a never,exclude -F msgtype=CWD
    -a never,exclude -F msgtype=USER_ACCT
    -a never,exclude -F msgtype=CONFIG_CHANGE
    -a never,exclude -F msgtype=SERVICE_START
    -a never,exclude -F msgtype=SERVICE_STOP
    -a never,exclude -F msgtype=PROCTITLE
  • for now, osquery audit rules are not there but when activate osquery audit configuration they are
  • auditd status
  • enabled 0
    failure 1
    pid 0
    rate_limit 0
    backlog_limit 0
    lost 3155249
    backlog 0
    backlog_wait_time 60000
    loginuid_immutable 0 unlocked
  • im using a ansible role which use this system configuration for runnning osquery
  • [Service]
    # Add delay at restart for rocksdb backend
    RestartSec=10
    # Hardened options for osquery systemd
    NoNewPrivileges=yes
    PrivateTmp=true
    ProtectHome=read-only
    ProtectSystem=full
    RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
    SystemCallFilter=futex mprotect read write open openat close stat fstat lstat lseek mmap munmap brk rt_sigaction rt_sigprocmask rt_sigreturn access alarm socket connect sendto clone execve unlink chmod getrlimit setpriority arch_prctl set_tid_address ioprio_set set_robust_list getcwd readlink fcntl wait4 getdents tgkill mkdir pread64 uname fdatasync madvise symlink fadvise64 readahead ioctl fallocate rename fsync socketpair sysinfo getsockname ftruncate inotify_init setsockopt flock inotify_add_watch poll bind shutdown statfs newfstatat _sysctl getuid getgid getpid geteuid getegid getppid prctl gettid nanosleep
  • if i use it, i got two problems: • No auditd configuration • No osqueryd result querys in log
  • @theopolis i found the problem here. the configuration of auditd, the parama rate_limit was configurated to 0, i changed it to 1000 and now it goes more slowly, to 100% of CPU