Skip to content

NickBorgers/osquery-container-dependency-scanning

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
.gitignore
.gitignore
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
docker-compose.yml
docker-compose.yml
 
 
find_openssl_vulnerability.fancy.distinct.sql
find_openssl_vulnerability.fancy.distinct.sql
 
 
find_openssl_vulnerability.fancy.groupby.sql
find_openssl_vulnerability.fancy.groupby.sql
 
 
find_openssl_vulnerability.fancy.sql
find_openssl_vulnerability.fancy.sql
 
 
find_openssl_vulnerability.fancy.wrapped.base.sql
find_openssl_vulnerability.fancy.wrapped.base.sql
 
 
find_openssl_vulnerability.fancy.wrapped.distinct.sql
find_openssl_vulnerability.fancy.wrapped.distinct.sql
 
 
find_openssl_vulnerability.fancy.wrapped.groupby.sql
find_openssl_vulnerability.fancy.wrapped.groupby.sql
 
 
find_openssl_vulnerability.fancy.wrapped.limit.sql
find_openssl_vulnerability.fancy.wrapped.limit.sql
 
 
find_openssl_vulnerability.fancy.wrapped.orderby.sql
find_openssl_vulnerability.fancy.wrapped.orderby.sql
 
 
find_openssl_vulnerability.sql
find_openssl_vulnerability.sql
 
 
get_osquery_binary.Dockerfile
get_osquery_binary.Dockerfile
 
 
get_osquery_binary.sh
get_osquery_binary.sh
 
 

Repository files navigation

osquery Container Dependency Scanning

This repo contains queries for a blog post I'm working on about finding vulnerable dependencies (with a known signature) in running processes inside of container images. This is a capability which was recently added to osquery.

Run this

This repo should be clone-and-run provided you have:

  • Cloned this to a Linux host (doesn't work with Docker Desktop)
  • Docker
  • GNU Make

Specifically: you should be able to clone and then run make and see the output in Current Output.

Current Output (with duplicates)

The query in this file works just fine, but has duplicates as you can see below.

A duplicate is a repeated combination of the 3-tuple of container_image, executable and dependency.

There should only be single entry below for: <blank, /usr/sbin/sshd, /usr/lib64/libcrypto.so.3.0.8 But instead there are 4.

+-------------------------------------+-----------------------------------+----------------------------------------------------------------------------+
| container_image                     | executable                        | dependency                                                                 |
+-------------------------------------+-----------------------------------+----------------------------------------------------------------------------+
|                                     | /usr/lib/systemd/systemd          | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/sbin/sshd                    | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/sbin/sshd                    | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/sbin/sshd                    | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/sbin/sshd                    | /usr/lib64/libcrypto.so.3.0.8                                              |
| clojure:temurin-17-lein-2.9.8-jammy | /usr/bin/openssl                  | /usr/bin/openssl                                                           |
| clojure:temurin-17-lein-2.9.8-jammy | /usr/bin/openssl                  | /usr/lib/x86_64-linux-gnu/libcrypto.so.3                                   |
|                                     | /usr/lib/systemd/systemd-userwork | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/lib/systemd/systemd-userwork | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/lib/systemd/systemd-userwork | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/bin/sudo                     | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/lib/systemd/systemd-journald | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/bin/udevadm                  | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/lib/systemd/systemd-oomd     | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/lib/systemd/systemd-resolved | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/lib/systemd/systemd-userdbd  | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/sbin/auditd                  | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/lib/systemd/systemd          | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/lib/systemd/systemd          | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/lib/systemd/systemd-logind   | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/sbin/abrtd                   | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/bin/abrt-dump-journal-core   | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/bin/abrt-dump-journal-oops   | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/bin/abrt-dump-journal-xorg   | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/bin/python3.11               | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/bin/python3.11               | /usr/lib64/python3.11/lib-dynload/_hashlib.cpython-311-x86_64-linux-gnu.so |
|                                     | /usr/sbin/NetworkManager          | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/sbin/NetworkManager          | /usr/lib64/libssh.so.4.9.4                                                 |
|                                     | /usr/sbin/sshd                    | /usr/lib64/libcrypto.so.3.0.8                                              |
|                                     | /usr/sbin/gssproxy                | /usr/lib64/libcrypto.so.3.0.8                                              |
+-------------------------------------+-----------------------------------+----------------------------------------------------------------------------+

I have tried several attempts at solving this:

  • DISTINCT
  • GROUP BY However these queries are invalid because they violate a constraint for the yara table.

So, I tried wrapping them (on suggestion of a colleague) creating:

It seems particularly weird that ORDER BY breaks the query and LIMIT does not as they're in the same part of the processing (outside the wrapped query) per this SQLite documentation.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages