Where's the best place to discuss troubleshooting ...
# general
j
Where's the best place to discuss troubleshooting why an additional pack .conf is not loading for me?
s
Welcome! Here it's fine, normally we suggest moving the discussion to another channel if it's specific to a platform or maybe some specific feature like bpf or fim. Have you had the chance to check what the logs say starting osquery with the --verbose flag?
j
yeah, restarted osqueryd with --verbose and i have some output that i can share
I0715 17:20:25.228919  3022 init.cpp:357] osquery initialized [version=4.9.0]
I0715 17:20:25.229351  3022 system.cpp:375] Writing osqueryd pid (3022) to /var/run/osqueryd.pidfile
I0715 17:20:25.229488  3022 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /etc/osquery/extensions.load
I0715 17:20:25.229720  3022 dispatcher.cpp:78] Adding new service: WatcherRunner (0x55ede8f91868) to thread: 140492825478912 (0x55ede8f79630) in process 3022
I0715 17:20:25.231575  3023 watcher.cpp:615] osqueryd watcher (3022) executing worker (3024)
I0715 17:20:25.249591  3024 init.cpp:354] osquery worker initialized [watcher=3022]
I0715 17:20:25.249827  3024 dispatcher.cpp:78] Adding new service: WatcherWatcherRunner (0x559fe8f4c598) to thread: 139894756615936 (0x559fe8f4cbd0) in process 3024
I0715 17:20:25.249964  3024 rocksdb.cpp:132] Opening RocksDB handle: /var/osquery/osquery.db
I0715 17:20:25.350992  3024 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x559fe8fd9658) to thread: 139894215120640 (0x559fe9060a70) in process 3024
I0715 17:20:25.351110  3024 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x559fe8fdbaa8) to thread: 139894223513344 (0x559fe8f64970) in process 3024
I0715 17:20:25.351162  3024 auto_constructed_tables.cpp:97] Removing stale ATC entries
I0715 17:20:25.351182  3123 interface.cpp:299] Extension manager service starting: /var/osquery/osquery.em
I0715 17:20:25.384059  3024 eventfactory.cpp:156] Event publisher not enabled: BPFEventPublisher: Publisher disabled via configuration
I0715 17:20:25.384328  3024 eventfactory.cpp:156] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration
I0715 17:20:25.384372  3024 eventfactory.cpp:156] Event publisher not enabled: inotify: Publisher disabled via configuration
I0715 17:20:25.384435  3024 eventfactory.cpp:156] Event publisher not enabled: syslog: Publisher disabled via configuration
I0715 17:20:25.384634  3024 events.cpp:36] Skipping subscriber: apparmor_events: Subscriber disabled via configuration
I0715 17:20:25.384781  3024 events.cpp:36] Skipping subscriber: process_file_events: Subscriber disabled via configuration
I0715 17:20:25.384855  3024 events.cpp:36] Skipping subscriber: seccomp_events: Seccomp subscriber disabled via configuration
I0715 17:20:25.384888  3024 events.cpp:36] Skipping subscriber: selinux_events: Subscriber disabled via configuration
I0715 17:20:25.384968  3024 events.cpp:36] Skipping subscriber: socket_events: Subscriber disabled via configuration
I0715 17:20:25.385524  3024 main.cpp:104] Not starting the distributed query service: Distributed query service not enabled.
I0715 17:20:25.385572  3124 eventfactory.cpp:390] Starting event publisher run loop: udev
I0715 17:20:25.385628  3024 dispatcher.cpp:78] Adding new service: SchedulerRunner (0x559fe9058ef8) to thread: 139894634559232 (0x559fe8fdebb0) in process 3024
I0715 17:44:24.995820  3125 scheduler.cpp:110] Executing scheduled query system_info: SELECT hostname, cpu_brand, physical_memory FROM system_info;
i am not at present using any flags to start it by default, only leveraging that it will look for the default config in /etc/osquery/osquery.conf and (presumably /etc/osquery/osquery.conf.d/ )
a possibly related issue is that osqueryctl config-check throws a ton of RocksDB access errors as [WARN] level of errors, but otherwise seems to be fine
osqueryctl status shows it's running with a pid, so i'm pretty sure that means it's loading /etc/osquery/osquery.conf with no issues
osquery> select * from osquery_packs;
+------+----------+---------+-------+----------------------+----------------------+--------+
| name | platform | version | shard | discovery_cache_hits | discovery_executions | active |
+------+----------+---------+-------+----------------------+----------------------+--------+
| main |          |         | 0     | 1                    | 1                    | 1      |
+------+----------+---------+-------+----------------------+----------------------+--------+
to me that indicates that it's only grabbing the main/default config
but should it be concerning that no platform or version data populates?
something else which may be presenting challenges is:
Linux DESKTOP-1CHO67D 5.4.72-microsoft-standard-WSL2 #1 SMP Wed Oct 28 23:40:43 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
so, any pointers or places to start would be appreciated
s
The platform and the version are properties of the query pack that you can put, if they aren’t set they won’t be shown. How is the query pack file under the conf.d directory named? What are its contents?
Normally if osquery sees the file it should attempt to load it, and if it’s not valid, it should complain in the logs
but I don’t see errors, so it really seems that somehow it doesn’t find it. You should just make sure that the file ends with .conf, otherwise it won’t load it.
j
tester@DESKTOP-1CHO67D:/mnt/c/Users/jacob$ ls -al /etc/osquery/
total 32
drwxr-xr-x  3 root root 4096 Jul 15 15:18 .
drwxr-xr-x 96 root root 4096 Jul 14 20:44 ..
-rw-r--r--  1 root root 6381 Jul 12 20:29 osquery.conf
-rw-r--r--  1 root root 6381 Jul 14 22:37 osquery.conf.bak
-rw-r--r--  1 root root   64 Jul 14 22:04 osquery.conf.bak.hash
drwxr-xr-x  2 root root 4096 Jul 15 15:18 osquery.conf.d
tester@DESKTOP-1CHO67D:/mnt/c/Users/jacob$ ls -al /etc/osquery/osquery.conf.d/
total 28
drwxr-xr-x 2 root root  4096 Jul 15 15:18 .
drwxr-xr-x 3 root root  4096 Jul 15 15:18 ..
-rw-r--r-- 1 root root 17756 Jul 15 15:18 ossec-rootkit.conf
the ossec-rootkit.conf is the stock one from /usr/share/osquery/packs/ossec-rootkit.con
s
So you copied that file as is under osquery.conf.d? Because those are query pack files, they are not configuration files. They are a part of the pack configuration. You would reference them as the pack_name_1 example here: https://osquery.readthedocs.io/en/latest/deployment/configuration/#packs
the difference is very minimal, in that specific case to be a configuration file it would also need
{
  "packs": {
  [...] // packs from the ossec-rootkit.conf
  }
}
j
ok, what i think you're saying is:
• for a pack to get loaded, it has to be in the main/default config and have the comment lines removed so that the default config knows to try and load it
• then that specific pack line has a file path from which to load the pack that you want to enable
and yeah, i guess i was reading the pack.conf and thinking "ok, this is a full on conf file so it should 'just load' " but taking a look back at it, it doesn't have all of the structure that the main default conf has
i'll give this a shot, thank you
s
You don’t need to have the packs listed in the main config file
j
oh oh oh oh, what you're saying in that code snippet is to wrap the internals of the ossec-rootkit.conf inside of { "packs": {} }
s
so, let's say this is the main conf file:
{
  "packs": {
    "pack_name_2": {
      "queries": {},
      "shard": 10,
      "version": "1.7.0",
      "platform": "linux"
    }
  }
}
then you can also have the additional configuration file under conf.d
{
  "packs": {
    "pack_name_3": {
      "queries": {},
      "shard": 10,
      "version": "1.7.0",
      "platform": "linux"
    }
  }
}
But you don’t need to wrap it necessarily
this example is to clarify the difference from a configuration file that happens to have a pack configured inline in it and a query pack file
but as I was saying you can also reference the query pack file from the configuration
taking the example from the wiki:
{
  "packs": {
    "pack_name_1": "/path/to/pack.json",
    "pack_name_2": {
      "queries": {},
      "shard": 10,
      "version": "1.7.0",
      "platform": "linux",
      "discovery": [
        "SELECT * FROM processes WHERE name = 'osqueryi';"
      ]
    }
  }
}
Look at pack_name_1, if the path that’s there is substituted with the path to the ossec-rootkit.conf, then it will load those queries
So you can specify a query pack inline in a configuration file or its queries on the side and then load the file in the configuration file.
j
ok tyvm uncommenting the line in the main osquery.conf (and removing the trailing comma 😄 ) worked and it's now showing as loaded when i query the db directly via osqueryi with a select * from osquery_packs; 👍