Title
#linux
r

Robin Powell

09/24/2021, 6:43 PM
I'm trying to understand https://github.com/osquery/osquery/pull/7132 and its impact better; I have easy access to 4.9.0 in my environment but not 5.0, so, can someone give me an example of a query with
pid_with_namespace
query that'll actually work on 4.9? Like I think I want something like
select * from deb_packages where pid_with_namespace=???
, where ??? points to a container that's running something debian-flavored, but I'm not sure what that should be or the results I should expect.
6:44 PM
select * from deb_packages where pid_with_namespace=15934;
, where 15934 is the PID of a container process, did not work for me; no output at all.
6:45 PM
osquery> select * from deb_packages where pid_with_namespace=4026533189;
E0924 18:03:15.583657 13777 linux_table_container_ipc.cpp:125] Container worker of table deb_packages exited with exit status: 1
E0924 18:03:15.583695 13777 linux_table_container_ipc.cpp:443] Table deb_packages failed to retrieve QueryData from the container: Pipe to the table deb_packages closed while reading
, where 4026533189 is the pid namespace id of said container, also doesn't work but in a far more interesting way.
6:46 PM
If there's documentation for this somewhere, that would be fantastic. 😃
Stefano Bonicatti

Stefano Bonicatti

09/24/2021, 6:51 PM
Hi! the
pid_with_namespace
should indeed be compared against a pid that is running inside the container namespace
6:53 PM
If there's no output, either there wasn't anything to return or maybe some low level error happened. Have you tried running with
--verbose
? Btw osquery should run as root, and to get a pid to test, if the container is Docker, you could use the
docker_containers
table and its
pid
column.
r

Robin Powell

09/24/2021, 7:02 PM
Huh. I was assuming that only osqueryd needed to be running as root, but yeah, running osqueryi as root did the trick, thanks!
Stefano Bonicatti

Stefano Bonicatti

09/24/2021, 7:04 PM
osqueryi is just a symlink to osqueryd, they are the same
r

Robin Powell

09/24/2021, 7:06 PM
I'm in this weird place of having recentlly moved to a team that manages Apple's internal osquery but having not previously used it as a user, so like I've read a ton of the osquery code but I don't actually understand a lot of the basics. 😄
7:06 PM
Ah, see, I assumed osqueryi was talking to the running osqueryd.
Stefano Bonicatti

Stefano Bonicatti

09/24/2021, 7:06 PM
it's a trick where osqueryd reads how it has been launched and if it's has been launched as
osqueryi
it shows the shell.
osqueryd -S
is another way to get the shell. So it's all the same binary that needs those permissions 🙂
r

Robin Powell

09/24/2021, 7:06 PM
Got it, thanks.
7:50 PM
Can you confirm that if I don't specify
pid_with_namespace
, it's not going to try to talk to containers when I just do a normal query from one of these tables? I've looked at the code and I'd place money that that's correct, that it only talks into containners when
pid_with_namespace
is given, but I'd love confirmation.
s

seph

09/24/2021, 8:55 PM
Ah, see, I assumed osqueryi was talking to the running osqueryd.
This is a common assumption, but osquery is completely different. 🙂 Though it looks like a database, it’s much closer to an API translation layer. Run
select * from x
and that’s translated into some API call, and massaged into sqlite, and returned. in that light, osqueryi and osqueryd are totally separate, both launch that same translation layer.
8:56 PM
events are a bit caveat here, those are more like a traditional db
8:57 PM
And you can use
.connect
to connect an osqueryi to a running osqueryd, but those are the special cases
Stefano Bonicatti

Stefano Bonicatti

09/27/2021, 3:07 PM
A bit of a late response about the
pid_with_namespace
, when it’s not present, and yes that’s correct. The column exists to say to the table to join the namespace of the container to permit the container querying, otherwise the table behaves as normal, querying the host.
3:09 PM
We have some columns that behave like logic/behavior switches, and they normally are marked as
additional
in the table spec file; for instance for deb_packages:https://github.com/osquery/osquery/blob/551f3f65f5b4dd97511d892e396d44bd5ee3cb08/specs/linux/deb_packages.table#L16
r

Robin Powell

09/27/2021, 7:57 PM
Thanks!