OllieJC

05/23/2021, 4:26 PM
Howdy folks, I'm trying to test packs, but I keep getting
`Error reading the query pack named: ...`
- am I missing something? I'll put a few more details in the 🧵
I'm testing on an Ubuntu 20.04 docker container, using latest osquery - 4.8.0 - installed via apt/`https://pkg.osquery.io/deb`. I'm setting the config via a tls endpoint. I've tried:
`"*": "/usr/share/osquery/packs/*"`
and
`"osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf"`
but I get
`Error reading the query pack named: *`
and
`Error reading the query pack named: osquery-monitoring`
respectively. I've tried
`chmod -R 777 /usr/share/osquery/packs/`
to rule out a permission issue.
seph

05/23/2021, 4:41 PM
Is the pack valid?
OllieJC

05/23/2021, 9:38 PM
It's one of the default ones in
`/usr/share/osquery/packs/...`
I've tried all the non-macOS ones individually. Looks like it's raised from this: https://github.com/osquery/osquery/blob/1e824a6246b46914c410d62c7a8d1449eb8ee8e7/osquery/config/config.cpp#L746 My C/C++ (?) sucks though, so I have no idea how to debug it back.
theopolis

05/24/2021, 3:45 PM
My understanding is that the config must be either all retrieved from the TLS plugin or the file system plugin. It doesn’t allow mixing like this, where the packs are retrieved from the filesystem.
That said, I think it makes sense how you are trying to use it. I’m supportive of having the TLS genPack method implementing a filesystem search when pack configuration is not provided inline.
OllieJC

05/25/2021, 6:33 AM
Ah okay, thanks @theopolis - that does make sense