Howdy folks I m trying to test packs but I keep getting `Err

Question

Howdy folks I m trying to test packs but I keep getting `Error reading the query pack named ` am I missing something I ll put a little more details in the thread

OllieJC · Answer

I m testing on a Ubuntu 20 04 docker container using latest osquery 4 8 0 installed via apt `<https pkg osquery io deb>` I m setting the config via a tls endpoint I ve tried ` usr share osquery packs ` and ` osquery monitoring usr share osquery packs osquery monitoring conf ` but I get `Error reading the query pack named ` and `Error reading the query pack named osquery monitoring` respectively I ve tried `chmod R 777 usr share osquery packs ` to rule out a permission issue

seph · Answer

Is the pack valid

OllieJC · Answer

It s one of the default ones in ` use share osquery packs ` I ve tried all the non macOS ones individually Looks like it s raised from this <https github com osquery osquery blob 1e824a6246b46914c410d62c7a8d1449eb8ee8e7 osquery config config cpp L746|https github com osquery osquery blob 1e824a6246b46914c410d62c7a8d1449eb8ee8e7 osquery config config cpp L746> My C C++ sucks though so I have no idea how to debug it back

theopolis · Answer

My understanding is that the config must be either all retrieved from the TLS plugin or the file system plugin It doesn t allow mixing like this where the packs are retrieved from the filesystem

theopolis · Answer

That said I think it makes sense how you are trying to use it I m supportive of having the TLS genPack method implementing a filesystem search when pack configuration is not provided inline

OllieJC · Answer

Ah okay thanks < theopolis> that does make sense