This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
logo

Query Exchange

Built off the open source project Osquery

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Follow the latest information and updates available on the FireEye and SolarWinds situations here.

Linux and macOS X login information

Status: Approved Submitted by on ‎02-27-2020 12:01 PM

Description: Linux and macOS X login information

Source: https://medium.com/@zercurity/building-atop-osquery-compliance-monitoring-threat-hunting-and-auditin...

What the Data Shows: The last table in Osquery provides login and logout events for Linux and Mac OS X systems whilst providing the process id and the connecting host.

SQL: The following query joins the processes table to get the entry process name showing all sessions with a host identifier.

 
SELECT username,
                CASE type WHEN 0 THEN "EMPTY"
                    WHEN 1 THEN "RUN_LVL"
                    WHEN 2 THEN "BOOT_TIME"
                    WHEN 3 THEN "NEW_TIME"
                    WHEN 4 THEN "OLD_TIME"
                    WHEN 5 THEN "INIT_PROCESS"
                    WHEN 6 THEN "LOGIN_PROCESS"
                    WHEN 7 THEN "USER_PROCESS"
                    WHEN 8 THEN "DEAD_PROCESS"
                    WHEN 9 THEN "ACCOUNTING"
                END AS type,
                p.name AS process,
                DATETIME(time, 'unixepoch') AS datetime,
                host
FROM last AS l
LEFT JOIN processes AS p
    ON p.pid = l.pid
WHERE host <> ''
    AND host NOT LIKE ':pts%'
ORDER BY time DESC;
 
 
 

You can modify this query further to grab only external IP addresses.

AND host NOT IN (':1', '127.0.0.1')

 

Comment
3 Comments
jnelson
Carbon Black Employee
‎03-13-2020 07:29 AM
‎03-13-2020 07:29 AM
Status changed to: Under Review

Nice query @stympanick!

I would like to offer a suggestion that converts the type field to a human readable format. Would you consider modifying your query to:

SELECT username,
                CASE type WHEN 0 THEN "EMPTY"
                    WHEN 1 THEN "RUN_LVL"
                    WHEN 2 THEN "BOOT_TIME"
                    WHEN 3 THEN "NEW_TIME"
                    WHEN 4 THEN "OLD_TIME"
                    WHEN 5 THEN "INIT_PROCESS"
                    WHEN 6 THEN "LOGIN_PROCESS"
                    WHEN 7 THEN "USER_PROCESS"
                    WHEN 8 THEN "DEAD_PROCESS"
                    WHEN 9 THEN "ACCOUNTING"
                END AS type,
                p.name AS process,
                DATETIME(time, 'unixepoch') AS datetime,
                host
FROM last AS l
LEFT JOIN processes AS p
    ON p.pid = l.pid
WHERE host <> ''
    AND host NOT LIKE ':pts%'
ORDER BY time DESC;
jnelson
Carbon Black Employee
‎04-08-2020 08:09 AM
‎04-08-2020 08:09 AM
Status changed to: Approved
 
da878t
New Contributor II
‎05-20-2020 09:38 AM
‎05-20-2020 09:38 AM

Hello @stympanick, I ran this query against our MacOS devices but it did not return any matches. Result = not_matched. Any idea why this would be the case?

logo