Channels
#general
Title
z
Zweasta
07/19/2020, 10:51 PMDid anyone get osquery executed command's return code as 78 ? On one of my machines, I am constantly getting the return code as 78. Don't know why. It is seen every time I execute a command. I tried installing the latest osquery 4.4.0, but still the return code is 78. Coming to the output, I am seeing getting the output and after that, it freezes for like 2 secs and then exists the process.
s
seph
07/19/2020, 11:37 PM
You're running this under python, right?
t
theopolis
07/20/2020, 12:03 AM
Can you make an issue on GitHub and give us all the details about what you are doing. Can you document it such that I can try to reproduce it myself.
z
Zweasta
07/20/2020, 12:07 AM@seph Even without python, I was able to get this issue. Just a normal execution with
osqueryi.@theopolis sure, I can make an issue on GitHub, but the thing is, this is not a generic use case to reproduce. Any osquery command that was run on
a particular machines
seph
07/20/2020, 12:11 AM
So you have one machine, and it reliable causes osqueryi to exit with that code?
Does it matter what table you query?
Does the osquery version effect this?
t
theopolis
07/20/2020, 12:12 AM
What do you mean by “command” can you paste your terminal output and all use the “—verbose” command line flag?
z
Zweasta
07/20/2020, 12:35 AM@seph Yes there is one single machine that causes this issue.
It doesn't matter the table that I query.
osquery version doesn't effect (I tried with 4.4.0 and 4.3.0 same issue is occured)
@theopolis Sure, here is the output:
$ osqueryi --json 'select * from os_version' --verboseI0720 00:35:51.247476 49581 init.cpp:343] osquery initialized [version=4.4.0]I0720 00:35:51.247583 49581 extensions.cpp:383] Could not autoload extensions: Failed reading: /etc/osquery/extensions.loadI0720 00:35:51.247655 49581 init.cpp:566] An error occured during extension manager startup: Extensions disabledI0720 00:35:51.247686 49581 auto_constructed_tables.cpp:96] Removing stale ATC entries[{"arch":"x86_64","build":"","codename":"","major":"7","minor":"8","name":"CentOS Linux","patch":"2003","platform":"rhel","platform_like":"rhel","version":"CentOS Linux release 7.8.2003 (Core)"}]$ echo $?78There are some queries where the output is not complete, it just ends in the middle of printing output, (suppose if I query the iptables table).
t
theopolis
07/20/2020, 12:46 AM
Maybe the extension socket is in some unexpected state on that machine? Can you set —disable_extensions and see if it exits 0?
z
Zweasta
07/20/2020, 12:47 AM@theopolis Nope, didn't work
👍 1
t
theopolis
07/20/2020, 12:47 AM
I have some other ideas on how to debug, but they are more complex. I’ll get back to you in a few hours when I’m at a computer.
👍 1
Ok, let's eliminate any configuration problems:
Copy code
--config_plugin=filesystem --config_path=/dev/nullThen database problems
Copy code
--disable_databaseand to be extra sure extensions are not causing problems
Copy code
--extensions_socket=/dev/nulls
seph
07/20/2020, 2:36 AM
Is there anything in the hosts logs?
dmesg | tailz
Zweasta
07/20/2020, 12:43 PM@theopolis
--config_plugin=filesystem --config_path=/dev/nullt
theopolis
07/20/2020, 12:53 PM
This isn’t the root cause, but it’s a step. I’ll DM you in a few hours.
👍 1
z
Zweasta
07/21/2020, 2:34 PM@theopolis What is the root cause for my issue here ? Even though this particular issue is solved by adding
--config_plugin=filesystem --config_path=/dev/nulls
seph
07/21/2020, 2:40 PM
This sounds like it’s going to end up being async? Might do better as a ticket. Though I don’t want to speak for teddy
z
Zweasta
07/21/2020, 3:50 PM@seph what do you mean by async here ?
4 Views