Hi guys Does anybody meet the problem with chrome extensions osquery #general

Hi guys, Does anybody meet the problem with chrom...

Denis

11/12/2024, 5:41 PM

Hi guys, Does anybody meet the problem with chrome_extensions and firefox_addons tables in osquery as a live-query? If I make request this from Fleet as a live-query I get only empty answer, but if I make this through the osqueryi - everything is OK. OS: macos and linux I don't know what I do wrong... But if I make a request e.g. osquery_info table from Fleet as a live-query - all is good. Thanks in advance.

11/12/2024, 5:51 PM

can you share your query? This works fine for me as a live query from fleet:

Copy code

SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);

11/12/2024, 5:52 PM

if you are just trying

select * from chrome_extensions;

it will not work

Denis

11/12/2024, 6:52 PM

Wow! Thanks! 🫶 But why simple request isn't working on the Fleet? But in the osqueryi is working.

Denis

11/12/2024, 6:54 PM

Ohh, I think I understand, because osquery don't know about which user I wanna ask him...

Stefano Bonicatti

11/12/2024, 7:01 PM

When running as root osquery does not assume the user you want to use. You should be seeing these warnings in the osquery logs on Fleet:

Copy code

W1112 20:00:11.824399 28544832 virtual_table.cpp:1006] The firefox_addons table returns data based on the current user by default, consider JOINing against the users table
W1112 20:00:11.825672 28544832 virtual_table.cpp:1023] Please see the table documentation: <https://osquery.io/schema/#firefox_addons>

Stefano Bonicatti

11/12/2024, 7:01 PM

The same are displayed if you run

osqueryi

as root locally

Denis

11/12/2024, 7:02 PM

Thank you so much guys! This is my bad.

14 Views

Open in Slack

Previous Next