Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
m
Mystery Incorporated
09/10/2021, 9:07 AMHello please see here because the query for python packages is returning different to the python packages installed on the device. https://osquery.slack.com/archives/C01DXJL16D8/p1630781846091900
s
seph
09/10/2021, 1:10 PMDebugging via screenshot can be hard. I have to squint much harder than cut and pasted text in code blocks.
But, it’s not clear to me what any of that is showing.
the python table enumerate the python packages at various directories. You can probably tell it what directory to enumerate to.
Is your pip command using the same directory?
Who knows. It’s not in your screen shots.
m
Mystery Incorporated
09/11/2021, 4:27 AMI was just doing
pip listI was not aware of any directories or anything I just use
pip install xi think
pip lists
seph
09/12/2021, 4:41 PMWhich pip. You could have many.
m
Mystery Incorporated
09/17/2021, 3:12 PM@seph well irrespective of which pip,
SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packagesThis is causing the vulnerability checker in fleet to fail, and fleet says it is osquery being the problem due to the erroneous output from that query.
Here is fleet
Yet the query above only returns v2.8 (which it should not as it doesn't exist)
s
seph
09/17/2021, 3:17 PMAnswering the question about a million pips… I think this is a philosophical question.
osquery examines common locations for python packages. These are enumerated by https://github.com/osquery/osquery/blob/482a751f9f55ad31333ecf75b645a2334d943774/osquery/tables/system/python_packages.cpp#L34-L48 It does not search your entire disk looking for likely python packages.
It will never find venvs built into random places, or similar.
I tend to think osquery’s approach is correct. But it is not always what’s expected.
I have no idea what fleet is doing, what you’re doing, or any of the larger context needed to debug that. Fleet is, ultimately, just running queries. So if fleet can find it, you should be able to find it otherwise.
That code snippet is probably incomplete — it looks like other parts also search additional places.
m
Mystery Incorporated
09/17/2021, 3:28 PMOk I see the issue, that cryptography v2.8 is in /usr/lib/python3/dist-packages. But cryptography v3.4.8 is in /usr/local/lib/python3.8/dist-packages/
But osquery is only reporting v2.8 but according to the code you just pointed me too it should be reporting from both paths?
s
seph
09/17/2021, 3:29 PMm
Mystery Incorporated
09/17/2021, 3:31 PMYep v3.4.8 is in there, but the query is not returning it
s
seph
09/17/2021, 3:32 PMAre you using osqueryi? Or distributing this via fleet? If the latter, can you repreoduce on the local machine?
m
Mystery Incorporated
09/17/2021, 3:32 PMI am just running the query as an on demand query from fleet
s
seph
09/17/2021, 3:33 PMHow confident are you that fleet isn’t doing any weird caching here? Can you preproduce this on the local machine?
(If you have osqueryd, you can invoke it interactively with the
-Sm
Mystery Incorporated
09/17/2021, 3:35 PMOutput from osqueryi on device only lists v2.8
s
seph
09/17/2021, 3:35 PMAnd that’s running as root, correct?
m
Mystery Incorporated
09/17/2021, 3:37 PMI just ran osqueryi with a sudo and same result
oh hang on it's not in alphabetical order
there is another list below that list
so the v3.4.8 is further down the list
s
seph
09/17/2021, 3:39 PMIn retrospect, that’s not surprising. osquery searches the directories and appends. If you want to sort it, add an ORDER BY to the sql.
m
Mystery Incorporated
09/17/2021, 3:39 PMyea let me see if it's same thing from fleet
yea same in fleet, ok cool thanks