https://github.com/osquery/osquery logo
Powered by
#general
Title
# general
j

Jason NG

07/22/2021, 2:45 AM
Hi all, i created an extention file in python. But when i try to run it, it keep throwing an error "Could not start extension process: /etc/osquery/extention.py". I have no idea whats wrong, does anybody face the same issue?
I fixed it but now i cant run it without the --allow_unsafe option even though i have changed the ownership to root.
t

theopolis

07/24/2021, 7:22 PM
Is the file in a directory that is not owned by root? osquery also checks to see if the file can be `rm`ed then recreated by an unprivileged user.
The reason for this is a little complicated but it comes down to a feature where osquery might "relaunch" the extension so it tries to avoid race conditions.
j

Jason NG

07/26/2021, 6:39 AM
@theopolis sorry maybe we continue here. currently its under C:/users/Administrators/extension. should i then place it in another folder?
t

theopolis

07/26/2021, 1:28 PM
I'm not sure exactly since I don't use windows 😛 sorry about that.
c

CptOfEvilMinions

07/26/2021, 8:13 PM
https://osquery.readthedocs.io/en/latest/deployment/extensions/ Extensions Binary Permissions
Copy code
icacls .\Extensions /setowner Administrators /t
icacls .\Extensions /grant Administrators:f /t
icacls .\Extensions /inheritance:r /t
icacls .\Extensions /inheritance:d /t
j

Jason NG

07/27/2021, 1:12 AM
@CptOfEvilMinions I did exactly that, but i still encounter the error 😕
@theopolis haha no worries!
c

CptOfEvilMinions

07/27/2021, 1:13 AM
Can you post the error messages?
j

Jason NG

07/27/2021, 2:15 AM
the only error is this, "Could not start extension process: /etc/osquery/extention.py". initially it was unsafe permissions, then i ran with --allow_unsafe and i got this error. In linux, i faced the same problem, after changing the file permission to 755 it work. So i suspect it might be the same problem.
c

CptOfEvilMinions

07/28/2021, 3:48 AM
@Jason NG I am confused by the error because Osquery is located at 
C:\Program Files\osquery
on Windows and your error message says 
/etc/osquery/extention.py
. Does your config have the wrong path/Linux path?
Also per your comment above you were placing the Osquery extension at 
C:/users/Administrators/extension
and it should be placed in a directory named 
Extensions
in the Osquery folder on Windows.
j

Jason NG

07/28/2021, 3:50 AM
@CptOfEvilMinions sorry about that, i actually cd into the folder and ran osqueryi --extension test.py --verbose --allow_unsafe and it would throw back the error "could not start extension process: test.py"
i actually followed your blogpost, eveyr single step, but it still would not start
i even tried running your script as well
Could the difference be that i am running your setup in a Windows 2019 server base instanace? @CptOfEvilMinions
c

CptOfEvilMinions

07/28/2021, 3:54 AM
hmmm. I assume the answer is yes but I just want to check. Did you run those 
icals
and the other commands in an elevated Powershell prompt?
It shouldn't matter
But I made. that blog post ~2 years ago,
j

Jason NG

07/28/2021, 6:22 AM
@CptOfEvilMinions i setup osquery according to your blogpost again, specifically the osqueryd part where pyinstaller was used. this worked, however, another error appeared, "W0728 062103.884008 4464 interface.cpp:114] Refusing to register duplicate extension hosting_utilisation"
this doesnt crash the service, but it spikes the CPU alot. Are you familair with this error?
c

CptOfEvilMinions

07/28/2021, 3:18 PM
Not sure if the error you received is related but in the discussion section of my blog post I discuss how I observed high CPU utilization.
with an Osquery Python extension
I did not have same issue when I wrote the same extension in go tho https://holdmybeersecurity.com/2020/02/23/creating-my-second-osquery-extension-with-osquery-go/
j

Jason NG

07/29/2021, 1:20 AM
@CptOfEvilMinions Yeah, i changed the code to go and it works fine! I guess ill use go then. haha thanks!
👍 1
3 Views
Powered by