Add OSQuery #318

Merged
merged 4 commits into from
Feb 5, 2025

Conversation

SolitudePy

Hello, this PR includes 2 commits:

  • OSQuery stripped binary version 5.15, which is included as part of the original osquery rpm package; the binary size is about 82MB, which is close to the GitHub file size limit.
  • osquery/osquery.yaml artifact, 17 custom queries relevant to Linux live response; it outputs in json format (there is also csv and json_pretty, which can be customized pretty easily by the end user).

I tested it on RHEL 8.6 and it worked fine; it finished executing after 13 seconds, and the size of the output files was about 3.2MB unzipped.

I suppose I should add a few pieces of documentation, credits to OSQuery, et cetera, but I'm not quite sure where. I would like to with your guidance, thanks!

@Pierre-Gronau-ndaal
Contributor

Is it right that your binary is supporting only 64-bit on x86?

https://github.com/osquery/osquery/releases

@SolitudePy
Author

@Pierre-Gronau-ndaal it is not my binary, but from what I've seen it supports ARM as well.

@Pierre-Gronau-ndaal
Contributor

> @Pierre-Gronau-ndaal it is not my binary, but from what I've seen it supports ARM as well.

According to Releases they offer ARM as well - mmh

@tclahr
Owner

tclahr commented Feb 3, 2025

Thank you for this contribution! It looks great, but before merging, I need to run some tests.

One concern is the inclusion of the osqueryi binary, as it would significantly increase the package size. A key feature of UAC is its portability, allowing it to run on various environments, including IoT and network devices, which often have limited storage capacity. Even NetScaler can face storage constraints.

To maintain UAC’s portability, I believe the best approach would be to provide the YAML file while allowing users to manually place osqueryi in the bin directory as needed.

Let me know your thoughts!

@SolitudePy
Author

@tclahr well, you could include it in a release and then the user may choose whether to include the binary or not. Both options sound fine, although letting the user decide is always the best (of course they need to fully understand the tool's capabilities).

@Pierre-Gronau-ndaal
Contributor

I like this approach as well because it gives the user the capability to inject binaries referring to a specific platform like x86 or ARM without blowing up the size.
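The optional-binary arrangement the thread settles on, as an added shell example that is not UAC's or this PR's code: look for osqueryi in the collector's own bin directory (then PATH), run a small constructed set of live-response queries with JSON output, record which binary ran, and skip cleanly when no binary is present. The directory layout, query list and output file names are assumptions.

```shell
#!/bin/sh
# Added example, not UAC's or the PR's code. UAC_DIR layout, query list and
# output names are assumptions; the PR's own artifact ships 17 queries.

# Locate osqueryi: the collector's bin/ directory first, then PATH.
find_osqueryi() {
  uac_dir="${1:-.}"
  if [ -x "$uac_dir/bin/osqueryi" ]; then
    printf '%s\n' "$uac_dir/bin/osqueryi"
    return 0
  fi
  command -v osqueryi 2>/dev/null && return 0
  return 1
}

# Run each query to its own JSON file. Returns 2 (skip, not failure) when
# the operator chose not to ship osqueryi, so the rest of a collection can
# proceed. A SHA-256 of the binary used is kept beside the output so the
# report documents exactly what executed on the host.
run_osquery_artifact() {
  uac_dir="${1:-.}"; out_dir="${2:-./osquery_out}"
  osqueryi_bin=$(find_osqueryi "$uac_dir") || {
    echo "osqueryi not found in $uac_dir/bin or PATH; skipping artifact" >&2
    return 2
  }
  mkdir -p "$out_dir"
  sha256sum "$osqueryi_bin" > "$out_dir/osqueryi.sha256" 2>/dev/null || true
  # Constructed sample queries (name|SQL), one output file per query.
  printf '%s\n' \
    'listening_ports|SELECT pid, port, protocol, address FROM listening_ports;' \
    'processes|SELECT pid, name, path, cmdline FROM processes;' \
    'crontab|SELECT command, path FROM crontab;' |
  while IFS='|' read -r name sql; do
    "$osqueryi_bin" --json "$sql" > "$out_dir/$name.json" 2> "$out_dir/$name.err"
  done
  return 0
}
```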

tclahr and others added 2 commits February 4, 2025 08:09
Add changes to changelog and update full and ir_profile to run new artifact.
Remove osqueryi binary.
@tclahr tclahr merged commit 58386a1 into tclahr:develop Feb 5, 2025
2 checks passed
@SolitudePy SolitudePy deleted the add-osquery branch February 7, 2025 09:09