Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

image.png

Hi <#C08V7KTJB|general>, can anyone tell from the logs below why I could not start osqueryd at all? This just happened suddenly

what does `ls -la /usr/bin/osqueryd` show?

If osqueryd is being launched as root then that path and the folder must be owned by root and not user writable.

This is a safety precaution because osquery will fork and exec itself. So to avoid a TOCTOU security bug, osquery enforces safe permissions. You can bypass this with `--allow_unsafe` but I don't recommend this.

I’m running it as root.
`-rwxr-xr-x. 1 root root 31265080 Oct  6  2020 /usr/bin/osqueryd`

Its owned by root and not writable by any user. I’ll try the --allow_unsafe as last resort