Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
m
Mystery Incorporated
08/07/2021, 5:52 AM@Stefano Bonicatti 😄
As discussed, extracted osqueryd.exe from the .msi installer. Renamed, and then use
sc.exe create jamesbobd binpath= "C:\ProgramData\MyCustomFolder\jamesbobd.exe --flagfile=\"C:\ProgramData\MyCustomFolder\osquery.flags\""Connects to fleet, enrols the dies tho, need to work out why that happens
Just dies, doesn't write any logs to fleet (that I can see), doesn't write any logs on. the windows side, just connects to fleet, enrols, dies.
I even removed the logger_plugin=tls and set it as logger_pugin=filesystem and set the path for log files but it doesn't generate any logs just dies. 😞 😞 😞 😞
If I run it from command line all it says is
jamesbobd.exe --flagfile="osquery.flags"
Using a [1mvirtual database[0m. Need help, type '.help'*queries are only working from prompt, it refuses to get ditributed or answer to distributed queries from fleet, it dies as soon as it enrols for fleet purpose, but fleet says it is online still.
s
Seshu
08/07/2021, 9:46 AMI think watcher looks for worker process called osquery. This is hardcoded in code unless it was changed recently
m
Mystery Incorporated
08/07/2021, 12:34 PMOh dang 😞, I thought that there must have been something like that because I tried before and it didn't work
s
seph
08/07/2021, 3:39 PMDoes it work if you disable the watch dog?
(It might not. No idea)
m
Mystery Incorporated
08/09/2021, 1:32 AM@seph heh that would have been a good idea to try, however I want the watchdog anyway to guard the mem usage especially so I think for now I am going to abandon this pursuit.
s
seph
08/09/2021, 2:09 AMMight be worth trying. Less as a long term answer, more as an experiment.
m
Mystery Incorporated
08/09/2021, 1:57 PM@seph true I will try it once I get my nginx config for fleet sorted
s
Stefano Bonicatti
08/13/2021, 12:28 PMThe watchdog, as far as checking CPU and memory, is not impacted by the change of name, because since the worker is a fork of the watchdog, it knows its pid, and uses that to filter down the process.
One of the problems that there is and that I was referring to during the office hours though, is that we use a pidfile to track the watcher (only, to be fixed to track the worker too) and that is done because we don't want to have two instances of osquery running (for various reasons, mainly the RocksDB database).
To identify that the pid corresponds to an osquery process, we use the process name, so if we change that, then we are not able to prevent that anymore.
There might be various reasons why a previous osquery instance is still running, beyond actively launching osquery two times, but mainly revolve around bugs/hangs or long running queries and osquery asked to restart, but not acting fast enough, due to the long running query.
There are also other logic that depend on the name, like osquery being launched as a daemon or a shell https://github.com/osquery/osquery/blob/08736648aacaefbdfc90bc2b87acc4414fd6c9ec/osquery/core/init.cpp#L223-L236
For Windows, the service name is expected to be
osquerydBecause it's registering the function that controls the service status
m
Madhur Jodhwani
08/16/2021, 6:23 AMcan you please explain how to do this on a mac and also how to extract
osqueryd.exeosuqery/osquerydsc.exeI am trying it on Windows and it shows
Error:Incomplete inputm
Mystery Incorporated
08/18/2021, 1:23 PM@Madhur Jodhwani if you've renamed osqueryd.exe to sc.exe then I reckon you should cease at this point.
m
Madhur Jodhwani
08/20/2021, 7:07 AMDid I do something wrong?