-disable_audit=false by default this is set to true and prevents osquery from opening the kernel audit's netlink socket.
These flags can be set at the command line or placed into the osquery.flags file. To better understand how this works, let's walk through 4 configuration options. Osquery only uses the audit features that exist in the kernel.Ī sample log entry from process_events may look something like this:
#Use osquery to check audit logging policy install
There is no requirement to install auditd or libaudit. Most kernels over version 2.6 have this capability. The only prerequisite for using osquery's auditing functionality on Linux is that you must use a kernel version that contains the Audit functionality. You should also ensure auditd is not configured to start at boot. auditd should not be running when using osquery's process auditing, as it will conflict with osqueryd over access to the audit netlink socket. It accomplishes this by monitoring syscalls such as execve() and execveat(). On Linux, osquery can the Audit system to collect and process events. + -+-+-+-+-+-+-+ Linux process auditing using Audit | yara_events | fsevents | subscriber | 0 | 0 | 0 | 1 | | user_interaction_events | event_tapping | subscriber | 1 | 0 | 0 | 1 | | user_events | openbsm | subscriber | 1 | 0 | 0 | 1 | | process_events | openbsm | subscriber | 8 | 0 | 0 | 1 | | hardware_events | iokit | subscriber | 1 | 0 | 0 | 1 | | file_events | fsevents | subscriber | 0 | 0 | 0 | 1 | | disk_events | diskarbitration | subscriber | 1 | 0 | 0 | 1 | | scnetwork | scnetwork | publisher | 0 | 0 | 0 | 0 | | openbsm | openbsm | publisher | 9 | 0 | 0 | 0 | | iokit | iokit | publisher | 1 | 0 | 0 | 1 | | fsevents | fsevents | publisher | 0 | 0 | 24 | 1 | | event_tapping | event_tapping | publisher | 1 | 0 | 0 | 0 | | diskarbitration | diskarbitration | publisher | 1 | 0 | 0 | 1 | | name | publisher | type | subscriptions | events | refreshes | active | In how the OS auditing side is configured. If it remains at zero, the problem is likely You should try triggering an event, and then confirming that
This example is from a macOS machine with events enabled, but noĮvents. Osquery keeps state about the events subsystem in the osquery_events | disable_events | bool | Disable osquery publish /subscribe system | false | false | 0 | | disable_audit | bool | Disable receiving events from the audit subsystem | true | false | 0 | | name | type | description | default_value | value | shell_only |
Osquery > select * from osquery_flags where name in ( "disable_events ", "disable_audit ") To collect process events, you would add a query like the following to your query schedule, or to a query pack: To read more about how event-based tables are created and designed, check out the osquery Table Pubsub Framework.īecause different platforms have different choices for collecting real-time event data, osquery has multiple tables to present this information depending on the source and platform: Event type Although these auditing features are extremely powerful for recording the activity from a host, they may introduce additional CPU overhead and greatly increase the number of log events generated by osquery. osquery can leverage either BPF, Audit, OpenBSM or EndpointSecurity subsystems to record process executions and network connections in near real-time on Linux and macOS systems. Enabling these auditing features requires additional configuration of osquery.
0 kommentar(er)
