Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
j
Jason NG
07/22/2021, 2:45 AMHi all, i created an extention file in python. But when i try to run it, it keep throwing an error "Could not start extension process: /etc/osquery/extention.py". I have no idea whats wrong, does anybody face the same issue?
I fixed it but now i cant run it without the --allow_unsafe option even though i have changed the ownership to root.
t
theopolis
07/24/2021, 7:22 PMIs the file in a directory that is not owned by root? osquery also checks to see if the file can be `rm`ed then recreated by an unprivileged user.
The reason for this is a little complicated but it comes down to a feature where osquery might "relaunch" the extension so it tries to avoid race conditions.
j
Jason NG
07/26/2021, 6:39 AM@theopolis sorry maybe we continue here. currently its under C:/users/Administrators/extension. should i then place it in another folder?
t
theopolis
07/26/2021, 1:28 PMI'm not sure exactly since I don't use windows 😛 sorry about that.
c
CptOfEvilMinions
07/26/2021, 8:13 PMhttps://osquery.readthedocs.io/en/latest/deployment/extensions/
Extensions Binary Permissions
icacls .\Extensions /setowner Administrators /t
icacls .\Extensions /grant Administrators:f /t
icacls .\Extensions /inheritance:r /t
icacls .\Extensions /inheritance:d /tj
Jason NG
07/27/2021, 1:12 AM@CptOfEvilMinions I did exactly that, but i still encounter the error 😕
@theopolis haha no worries!
c
CptOfEvilMinions
07/27/2021, 1:13 AMCan you post the error messages?
j
Jason NG
07/27/2021, 2:15 AMthe only error is this, "Could not start extension process: /etc/osquery/extention.py". initially it was unsafe permissions, then i ran with --allow_unsafe and i got this error. In linux, i faced the same problem, after changing the file permission to 755 it work. So i suspect it might be the same problem.
c
CptOfEvilMinions
07/28/2021, 3:48 AM@Jason NG I am confused by the error because Osquery is located at
C:\Program Files\osquery/etc/osquery/extention.pyAlso per your comment above you were placing the Osquery extension at
C:/users/Administrators/extensionExtensionsMy blog post on creating a Python based Osquery extension on Windows:
https://holdmybeersecurity.com/2020/02/11/creating-my-first-osquery-extension-to-generate-communityids-with-osquery-python-on-windows/
j
Jason NG
07/28/2021, 3:50 AM@CptOfEvilMinions sorry about that, i actually cd into the folder and ran osqueryi --extension test.py --verbose --allow_unsafe and it would throw back the error "could not start extension process: test.py"
i actually followed your blogpost, eveyr single step, but it still would not start
i even tried running your script as well
Could the difference be that i am running your setup in a Windows 2019 server base instanace? @CptOfEvilMinions
c
CptOfEvilMinions
07/28/2021, 3:54 AMhmmm. I assume the answer is yes but I just want to check. Did you run those
icalsIt shouldn't matter
But I made. that blog post ~2 years ago,
j
Jason NG
07/28/2021, 6:22 AM@CptOfEvilMinions i setup osquery according to your blogpost again, specifically the osqueryd part where pyinstaller was used. this worked, however, another error appeared, "W0728 06:21:03.884008 4464 interface.cpp:114] Refusing to register duplicate extension hosting_utilisation"
this doesnt crash the service, but it spikes the CPU alot. Are you familair with this error?
c
CptOfEvilMinions
07/28/2021, 3:18 PMNot sure if the error you received is related but in the discussion section of my blog post I discuss how I observed high CPU utilization.
with an Osquery Python extension
I did not have same issue when I wrote the same extension in go tho
https://holdmybeersecurity.com/2020/02/23/creating-my-second-osquery-extension-with-osquery-go/
j
Jason NG
07/29/2021, 1:20 AM@CptOfEvilMinions Yeah, i changed the code to go and it works fine! I guess ill use go then. haha thanks!
👍 1