Bit of a strange one but I was wondering if anyone has encou osquery #general

Bit of a strange one, but I was wondering if anyon...

Peter

05/03/2023, 8:54 PM

Bit of a strange one, but I was wondering if anyone has encountered this before. I’m running osquery 5.8.2 in my development environment. Any assistance or pointers would be greatly appreciated 😄 If I run osquery with a set of

load

decorators for collecting metadata from the cloudy clouds (AWS IMDS, and Azure friends), but these services are not accessible due to running on a local virtual machine during development, I have all sorts of trouble with I/O timeouts between osquery and my extension. However, If I remove the

ec2_instance_metadata

decorator and re-run, the extension loads and works reliably. I’m a little at a loss as to why this may be, but I have a feeling it may be something to do with the IMDSv2 implementation based on the error messages 🧵

Peter

05/03/2023, 8:59 PM

I’ve uploaded the

--verbose

logs when loading osquery via

osqueryi

and with the relevant

load

decorators enabled, and then disable (there are two log entries in this paste, with the

load

directives listed just prior to each): https://pastebin.com/LvsUe7bS

seph

05/04/2023, 8:21 PM

It’s a. It if a guess, but parts of osquery are single threaded. I wonder if the timing out in the coins stuff is causing osquery to drop thrift connection stuff and the socket ends up a mess

Peter

05/05/2023, 2:42 PM

Thanks for the note! I’ll dig in to the code next week and see what I can find 🙂

3 Views

Open in Slack

Previous Next