Howdy folks I m trying to test packs but I keep getting `Err osquery #general

Howdy folks, I'm trying to test packs, but I keep ...

OllieJC

05/23/2021, 4:26 PM

Howdy folks, I'm trying to test packs, but I keep getting

Error reading the query pack named: ...

- am I missing something? I'll put a little more details in the 🧵

OllieJC

05/23/2021, 4:26 PM

I'm testing on a Ubuntu 20.04 docker container, using latest osquery - 4.8.0 - installed via apt/`https://pkg.osquery.io/deb` . I'm setting the config via a tls endpoint. I've tried:

"*": "/usr/share/osquery/packs/*"

and

"osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf"

but I get

Error reading the query pack named: *

and

Error reading the query pack named: osquery-monitoring

respectively. I've tried

chmod -R 777 /usr/share/osquery/packs/

to rule out a permission issue..

seph

05/23/2021, 4:41 PM

Is the pack valid?

OllieJC

05/23/2021, 9:38 PM

It's one of the default ones in

/use/share/osquery/packs/...

I've tried all the non-macOS ones individually. Looks like it's raised from this: https://github.com/osquery/osquery/blob/1e824a6246b46914c410d62c7a8d1449eb8ee8e7/osquery/config/config.cpp#L746 My C/C++ (?) sucks though so I have no idea how to debug it back..

theopolis

05/24/2021, 3:45 PM

My understanding is that the config must be either all retrieved from the TLS plugin or the file system plugin. It doesn’t allow mixing like this, where the packs are retrieved from the filesystem.

theopolis

05/24/2021, 3:46 PM

That said, I think it makes sense how you are trying to use it. I’m supportive of having the TLS genPack method implementing a filesystem search when pack configuration is not provided inline.

OllieJC

05/25/2021, 6:33 AM

Ah okay, thanks @theopolis - that does make sense

Open in Slack

Previous Next