#general
Jacob Kitchel

07/15/2021, 10:23 PM
Where's the best place to discuss troubleshooting why an additional pack .conf is not loading for me?
Stefano Bonicatti

07/15/2021, 10:29 PM
Welcome! Here it's fine; normally we suggest moving the discussion to another channel if it's specific to a platform or maybe some specific feature like bpf or fim. Have you had the chance to check what the logs say when starting osquery with the `--verbose` flag?
Jacob Kitchel

07/15/2021, 11:33 PM
yeah, restarted osqueryd with --verbose and i have some output that i can share
11:34 PM
I0715 17:20:25.228919  3022 init.cpp:357] osquery initialized [version=4.9.0]
I0715 17:20:25.229351  3022 system.cpp:375] Writing osqueryd pid (3022) to /var/run/osqueryd.pidfile
I0715 17:20:25.229488  3022 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /etc/osquery/extensions.load
I0715 17:20:25.229720  3022 dispatcher.cpp:78] Adding new service: WatcherRunner (0x55ede8f91868) to thread: 140492825478912 (0x55ede8f79630) in process 3022
I0715 17:20:25.231575  3023 watcher.cpp:615] osqueryd watcher (3022) executing worker (3024)
I0715 17:20:25.249591  3024 init.cpp:354] osquery worker initialized [watcher=3022]
I0715 17:20:25.249827  3024 dispatcher.cpp:78] Adding new service: WatcherWatcherRunner (0x559fe8f4c598) to thread: 139894756615936 (0x559fe8f4cbd0) in process 3024
I0715 17:20:25.249964  3024 rocksdb.cpp:132] Opening RocksDB handle: /var/osquery/osquery.db
I0715 17:20:25.350992  3024 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x559fe8fd9658) to thread: 139894215120640 (0x559fe9060a70) in process 3024
I0715 17:20:25.351110  3024 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x559fe8fdbaa8) to thread: 139894223513344 (0x559fe8f64970) in process 3024
I0715 17:20:25.351162  3024 auto_constructed_tables.cpp:97] Removing stale ATC entries
I0715 17:20:25.351182  3123 interface.cpp:299] Extension manager service starting: /var/osquery/osquery.em
I0715 17:20:25.384059  3024 eventfactory.cpp:156] Event publisher not enabled: BPFEventPublisher: Publisher disabled via configuration
I0715 17:20:25.384328  3024 eventfactory.cpp:156] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration
I0715 17:20:25.384372  3024 eventfactory.cpp:156] Event publisher not enabled: inotify: Publisher disabled via configuration
I0715 17:20:25.384435  3024 eventfactory.cpp:156] Event publisher not enabled: syslog: Publisher disabled via configuration
I0715 17:20:25.384634  3024 events.cpp:36] Skipping subscriber: apparmor_events: Subscriber disabled via configuration
I0715 17:20:25.384781  3024 events.cpp:36] Skipping subscriber: process_file_events: Subscriber disabled via configuration
I0715 17:20:25.384855  3024 events.cpp:36] Skipping subscriber: seccomp_events: Seccomp subscriber disabled via configuration
I0715 17:20:25.384888  3024 events.cpp:36] Skipping subscriber: selinux_events: Subscriber disabled via configuration
I0715 17:20:25.384968  3024 events.cpp:36] Skipping subscriber: socket_events: Subscriber disabled via configuration
I0715 17:20:25.385524  3024 main.cpp:104] Not starting the distributed query service: Distributed query service not enabled.
I0715 17:20:25.385572  3124 eventfactory.cpp:390] Starting event publisher run loop: udev
I0715 17:20:25.385628  3024 dispatcher.cpp:78] Adding new service: SchedulerRunner (0x559fe9058ef8) to thread: 139894634559232 (0x559fe8fdebb0) in process 3024
I0715 17:44:24.995820  3125 scheduler.cpp:110] Executing scheduled query system_info: SELECT hostname, cpu_brand, physical_memory FROM system_info;
11:35 PM
i am not at present using any flags to start it by default, only leveraging that it will look for the default config in /etc/osquery/osquery.conf and (presumably /etc/osquery/osquery.conf.d/ )
11:36 PM
a possibly related issue is that osqueryctl config-check throws a ton of RocksDB access errors as [WARN] level of errors, but otherwise seems to be fine
11:36 PM
osqueryctl status shows it's running with a pid, so i'm pretty sure that means it's loading /etc/osquery/osquery.conf with no issues
11:37 PM
osquery> select * from osquery_packs;
+------+----------+---------+-------+----------------------+----------------------+--------+
| name | platform | version | shard | discovery_cache_hits | discovery_executions | active |
+------+----------+---------+-------+----------------------+----------------------+--------+
| main |          |         | 0     | 1                    | 1                    | 1      |
+------+----------+---------+-------+----------------------+----------------------+--------+
11:37 PM
to me that indicates that it's only grabbing the main/default config
11:37 PM
but should it be concerning that no platform or version data populates?
11:42 PM
something else which may be presenting challenges is:
Linux DESKTOP-1CHO67D 5.4.72-microsoft-standard-WSL2 #1 SMP Wed Oct 28 23:40:43 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
11:42 PM
so, any pointers or places to start would be appreciated
Stefano Bonicatti

07/16/2021, 8:25 AM
The platform and the version are properties of the query pack that you can set; if they aren’t set they won’t be shown. How is the query pack file under the conf.d directory named? What are its contents?
8:26 AM
Normally if osquery sees the file it should attempt to load it, and if it’s not valid, it should complain in the logs
8:27 AM
but I don’t see errors, so it really seems that somehow it doesn’t find it. You should just make sure that the file ends with `.conf`, otherwise it won’t load it.
Jacob Kitchel

07/16/2021, 2:11 PM
tester@DESKTOP-1CHO67D:/mnt/c/Users/jacob$ ls -al /etc/osquery/
total 32
drwxr-xr-x  3 root root 4096 Jul 15 15:18 .
drwxr-xr-x 96 root root 4096 Jul 14 20:44 ..
-rw-r--r--  1 root root 6381 Jul 12 20:29 osquery.conf
-rw-r--r--  1 root root 6381 Jul 14 22:37 osquery.conf.bak
-rw-r--r--  1 root root   64 Jul 14 22:04 osquery.conf.bak.hash
drwxr-xr-x  2 root root 4096 Jul 15 15:18 osquery.conf.d
tester@DESKTOP-1CHO67D:/mnt/c/Users/jacob$ ls -al /etc/osquery/osquery.conf.d/
total 28
drwxr-xr-x 2 root root  4096 Jul 15 15:18 .
drwxr-xr-x 3 root root  4096 Jul 15 15:18 ..
-rw-r--r-- 1 root root 17756 Jul 15 15:18 ossec-rootkit.conf
2:11 PM
the ossec-rootkit.conf is the stock one from /usr/share/osquery/packs/ossec-rootkit.con
Stefano Bonicatti

07/16/2021, 2:28 PM
So you copied that file as is under osquery.conf.d? Because those are query pack files, they are not configuration files. They are a part of the pack configuration. You would reference them as the `pack_name_1` example here: https://osquery.readthedocs.io/en/latest/deployment/configuration/#packs
2:42 PM
the difference is very minimal, in that specific case to be a configuration file it would also need
{
  "packs": {
  [...] // packs from the ossec-rootkit.conf
  }
}
Jacob Kitchel

07/16/2021, 2:45 PM
ok, what i think you're saying is:
• for a pack to get loaded, it has to be in the main/default config and have the comment lines removed so that the default config knows to try and load it
2:45 PM
then that specific pack line has a file path from which to load the pack that you want to enable
2:46 PM
and yeah, i guess i was reading the pack.conf and thinking "ok, this is a full on conf file so it should 'just load' " but taking a look back at it, it doesn't have all of the structure that the main default conf has
2:46 PM
i'll give this a shot, thank you
Stefano Bonicatti

07/16/2021, 2:46 PM
You don’t need to have the packs listed in the main config file
Jacob Kitchel

07/16/2021, 2:47 PM
oh oh oh oh, what you're saying in that code snippet is to wrap the internals of the ossec-rootkit.conf inside of { "packs": {} }
Stefano Bonicatti

07/16/2021, 2:48 PM
so, let's say this is the main conf file:
{
  "packs": {
    "pack_name_2": {
      "queries": {},
      "shard": 10,
      "version": "1.7.0",
      "platform": "linux"
    }
  }
}
then you can also have the additional configuration file under conf.d
{
  "packs": {
    "pack_name_3": {
      "queries": {},
      "shard": 10,
      "version": "1.7.0",
      "platform": "linux"
    }
  }
}
2:48 PM
But you don’t need to wrap it necessarily
2:49 PM
this example is to clarify the difference from a configuration file that happens to have a pack configured inline in it and a query pack file
2:49 PM
but as I was saying you can also reference the query pack file from the configuration
2:51 PM
taking the example from the wiki:
{
  "packs": {
    "pack_name_1": "/path/to/pack.json",
    "pack_name_2": {
      "queries": {},
      "shard": 10,
      "version": "1.7.0",
      "platform": "linux",
      "discovery": [
        "SELECT * FROM processes WHERE name = 'osqueryi';"
      ]
    }
  }
}
Look at `pack_name_1`: if the path that’s there is substituted with the path to the ossec-rootkit.conf, then it will load those queries
2:52 PM
So you can specify a query pack inline in a configuration file or its queries on the side and then load the file in the configuration file.
Jacob Kitchel

07/16/2021, 2:56 PM
ok tyvm uncommenting the line in the main osquery.conf (and removing the trailing comma 😄 ) worked and it's now showing as loaded when i query the db directly via osqueryi with a select * from osquery_packs; 👍