Channels
<@U023ZPFM2Q1> normally osquery expect to run as r...
# generals
Stefano Bonicatti
07/22/2021, 12:01 PM@Madhur Jodhwani normally osquery expect to run as root. If you're not running it as root keep in mind that many tables may not show data/work correctly. That been said you can also tell it where you want to create the pidfile with
--pidfile=<path>m
Madhur Jodhwani
07/22/2021, 5:46 PMhow do i run osqueryd after building it on mac,I mean I get it that I am unable to run it as root but then how to get it done or how to build it as root?
s
Stefano Bonicatti
07/22/2021, 5:48 PMI'm not sure what you mean with "build it as root". I'm referring to running it as root; I assumed that it was intentional to run it as a normal user.
If not, you can use
sudom
Madhur Jodhwani
07/22/2021, 6:18 PMI ran osqueryd as root and it gave this error
Madhur Jodhwani
07/22/2021, 6:18 PME0722 23:47:56.249691 250744832 shutdown.cpp:75] [Ref #1382] osqueryd has unsafe permissions: /Users/mj/Desktop/osquery/build/osquery/osqueryds
Stefano Bonicatti
07/22/2021, 6:19 PMadd
--allow_unsafem
Madhur Jodhwani
07/22/2021, 7:28 PMok
Madhur Jodhwani
07/22/2021, 7:31 PMthen it gave this error
Madhur Jodhwani
07/22/2021, 7:31 PME0723 01:00:39.768704 376421888 shutdown.cpp:75] Cannot activate filesystem logger plugin: Could not create file: /var/log/osquery/osqueryd.results.logE0723 01:00:42.686159 39362560 shutdown.cpp:75] Worker returned exit statusMadhur Jodhwani
07/22/2021, 7:31 PMI ran it with sudo
s
Stefano Bonicatti
07/23/2021, 6:40 AMAh sorry, that’s because by default osquery tries to log there and I suppose you don’t have that path, so you would have to tell it to user another one that exists (or create that one, the folders are enough).
You can specify a different path with
--logger_path=<path>m
Madhur Jodhwani
07/23/2021, 11:32 AMstill facing the errors,this is what I faced through build osqueryd run and installed osqueryd run(both attempted to run through sudo)
Madhur Jodhwani
07/23/2021, 11:32 AM Copy code
I0723 17:01:56.780879 307543552 eventfactory.cpp:156] Event publisher not enabled: endpointsecurity: EndpointSecurity is disabled via configuration
I0723 17:01:56.781905 307543552 eventfactory.cpp:156] Event publisher not enabled: openbsm: Publisher disabled via configuration
I0723 17:01:56.781971 307543552 eventfactory.cpp:156] Event publisher not enabled: scnetwork: Publisher not used
I0723 17:01:56.782012 307543552 eventfactory.cpp:156] Event publisher not enabled: event_tapping: Publisher disabled via configurationMadhur Jodhwani
07/23/2021, 11:32 AMthis is the error
s
Stefano Bonicatti
07/23/2021, 11:33 AMThey are not really blocking errors, they would be prefixed with
EIm
Madhur Jodhwani
07/23/2021, 11:34 AMbut osqueryd is running?
s
Stefano Bonicatti
07/23/2021, 11:34 AMIf you don't get back the terminal prompt, osquery is indeed running.
m
Madhur Jodhwani
07/23/2021, 11:35 AMoh
Madhur Jodhwani
07/23/2021, 11:35 AMbut then I will have to keep this terminal running all the time na
Madhur Jodhwani
07/23/2021, 11:36 AMhow to run it through osqueryctl start script?
s
Stefano Bonicatti
07/23/2021, 11:41 AMosqueryctl is meant to be used when osquery is properly deployed on a system, via packages.
Stefano Bonicatti
07/23/2021, 11:43 AMMay I ask what your objective? Because normally running osquery from the build folder is done for development purposes/or quickly trying things, so keeping a terminal tab open is fine.
Or you can even run it in background mode, redirecting all output in
/dev/nullStefano Bonicatti
07/23/2021, 11:43 AMFor a proper deployment I would suggest build the package and installing it, so that then the systemd service is available
Stefano Bonicatti
07/23/2021, 11:43 AMand osquery can be started/stopped as a service
Stefano Bonicatti
07/23/2021, 11:44 AMactually sorry, systemd doesn't matter here, it's macOS. Anyway, there's a launchd file that can be used
83 Views