Should I have to do anything special to use an extension tab osquery #general

Join Slack

Should I have to do anything special to use an ext...

# general

HarlanF

02/23/2022, 1:25 AM

Should I have to do anything special to use an extension table in a discovery query for a pack?

HarlanF

02/23/2022, 1:25 AM

I'm getting

Discovery query failed

HarlanF

02/23/2022, 1:26 AM

Interactively, with osqueryi, that table's there. And yeah, it's definitely one of the enabled tables.

alessandrogario

02/23/2022, 1:52 PM

Can you try with --verbose to make sure the table is actually there? There are some differences in the sanity checks of osqueryd vs osqueryi

HarlanF

02/23/2022, 2:12 PM

Put --verbose in the flags file?

alessandrogario

02/23/2022, 2:13 PM

Yes, that will print additional debugging information that could help diagnose the problem

HarlanF

02/23/2022, 2:52 PM

Okay, so , in order (and skipping things that don't seem relevant): 1. Found autoloadable extension: <the relevant one> 2. Executing watcher 3. Created and monitoring child (13347) for the relevant extension 4. osquery worker initialized 5. Adding new service: extensionwatcher 6. Extension manager service starting 7. Discovery failed ... no such table 8. Registering extension (relevant one)

HarlanF

02/23/2022, 2:53 PM

So I'm theorizing that #8 needs to come before #7. Is there a way to influence that timing?

alessandrogario

02/23/2022, 3:30 PM

you can use --extensions_require=plugin_name

alessandrogario

02/23/2022, 3:33 PM

This will cause osquery to wait for the extension to come online during startup

HarlanF

02/23/2022, 3:37 PM

Thanks so much for the help; trying that, will let you know.

HarlanF

02/23/2022, 3:44 PM

Yeah, seems to have done the trick. By the way, I was trying to read up on the other extensions flags, and couldn't make sense of what they actually did in the documentation. Any ideas about

--extensions_interval

and

--extensions_timeout

alessandrogario

02/23/2022, 3:48 PM

Extensions are processes that communicate with osquery via Thrift; the --extensions_interval is passed down to extensions when osquery starts them as

--interval value

, and it's a connectivity check performed client side

alessandrogario

02/23/2022, 3:48 PM

the

--extensions_timeout

is consumed by osquery itself, and is used to determine how long before a client (extension) is to be considered offline

HarlanF

02/23/2022, 6:28 PM

Oh, thanks! I'm getting a "Discovery query failed", and looking at the source:

Copy code

for (const auto& q : discovery_queries_) {
  SQL results(q);
  if (!results.ok()) {
    LOG(WARNING) << "Discovery query failed (" << q
                 << "): " << results.getMessageString();
    discovery_cache_.second = false;
    break;
  }
  if (results.rows().size() == 0) {
    discovery_cache_.second = false;
    break;
  }
}
return discovery_cache_.second;

HarlanF

02/23/2022, 6:29 PM

Does it seem like "Discovery query failed" is indicating that there was something wrong with the execution, as opposed to "didn't return any results"?

HarlanF

02/23/2022, 6:30 PM

Seems that way to me, and the second if() in the above snippet governs results being nil

16 Views

Open in Slack

Previous Next