Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

image.png

Hello osquery team :wave:
I am having some trouble with ATC configuration in relation to firefox, my configuration file is as shown below.

My firefox sqlite file is located at `/Users/Dan/Library/Application Support/Firefox/Profiles/iy478cyr.default-release/places.sqlite`
For some reason when I load up osqueryi, I can get results from `chrome_browser_history` but not from `firefox_browser_history` but the error doesn't tell me what the issue is precisely.

Are you passing that ATC config to `osqueryi`? Because it doesn’t look like it in the screenshot…

osqueryi mostly doesn’t connect to the running osqueryd. It’s a totally standalone osquery. So if you want to pass it configuration, you need to do so explicitely

Thanks for question <@U7QP20JQH>, I assume it is getting passed to osqueryi because the ATC config for both chrome and firefox is in the same file, and in my second screenshot I am able to query `chrome_browser_history` from osqueryi. So the file does seem to passed, its just that the firefox table results in an error.

Oh. I see. Yes, I think you’re correct.

Do you get any more with `--verbose`?

Are there any sqlite files on that path, that you can read?

Hey <@U7QP20JQH>, thanks for your suggestion, using `--verbose` I was able to figure out the reason. When firefox runs, it locks the db file (since its writing data to it) and since I had my browser open, it was locking the file.

I assumed that osquery is just getting read access, but I haven't looked into the code that far yet, so I don't know if this is just the firefox app blocking all access, or if osquery asks for read and write access by default as part of its automatic table construction feature. Anyway, thank you so much for your help on this, I really appreciate your help!