Title
#general
z

Zweasta

06/19/2020, 11:29 PM
What does
return code 78
mean in osquery ?
Jams

Jams

06/20/2020, 3:07 AM
Can you provide more context? Is this reproducible? If so, how
z

Zweasta

06/20/2020, 3:13 AM
process = subprocess.run(['osqueryi', '--json', 'select * from os_version'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, universal_newlines=True)
3:14 AM
print(process.stdout)
gives no output and when I checked the
return code it says 78
3:15 AM
And I faced this issue only on a single machine out of 6 machines that I checked on osquery on.
Jams

Jams

06/20/2020, 3:34 AM
Exit code 78 is related to pre-defined exit codes in both Linux and BSD (/usr/include/sysexists.h). If I had to guess this one outlier has a different version of Python and libraries / eggs compared to the 5 functional machines.
z

Zweasta

06/20/2020, 3:49 AM
I usually run using python3, so I uninstalled and installed the python3, but still no change. I still get the 78 error code..
3:49 AM
Do you have any idea on how to fix this ?
Jams

Jams

06/20/2020, 4:29 AM
osquery is a universal interface to collect telemetry and inspect hosts across multiple OS. Common usage patterns are running
osqueryd
 with filesystem or tls logging.
4:32 AM
It’s important to know the exact Python 3 version as subprocess modules behavior does change within the various 3.x variants. Try something like …
subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE,          shell=use_shell, universal_newlines=True)
z

Zweasta

06/20/2020, 11:49 AM
Even without python3 (subprocess)
$osqueryi --json 'select * from os_version'
[
{"build":"","codename":"","major":"7","minor":"8","name":"CentOS Linux","patch":"2003","platform":"rhel","platform_like":"rhel","version":"CentOS Linux release 7.8.2003 (Core)"}
]
11:49 AM
$echo $?
78
12:14 PM
I am getting output in this way, but at the end (after printing 
"]"
 in the above output) it
hangs for 2 seconds
and the osqueryi process ends. But, when I check the return code - It says 78
s

seph

07/24/2020, 6:33 PM
I think I found it. Still digging
6:35 PM
Seems to happen if I specify an extension that cannot be executed. eg:
touch no-exec
osqueryd --ephemeral --extension `pwd`/no-exec --allow-unsafe
6:36 PM
Missing extensions produce the same errors
6:38 PM
@Zweasta Does your config point to an extension that’s missing or broken?
6:43 PM
Though I do see that in the stderr output
z

Zweasta

07/24/2020, 6:52 PM
@seph The issue is resolved using this
--config_plugin=filesystem --config_path=/dev/null
s

seph

07/24/2020, 6:57 PM
Do you know why?
z

Zweasta

07/24/2020, 7:11 PM
Nope, I didn't dig further.. As it was only seen in one single machine.. I got this solution from @theopolis . Maybe he must be having some more info regarding this
s

seph

07/24/2020, 7:12 PM
I’m glad it solved your problem. I expect stderr would have more information, and I might guess there’s something pointing at a bad extension
z

Zweasta

07/24/2020, 7:13 PM
Yep.. I think the same..
theopolis

theopolis

07/24/2020, 8:12 PM
Sorry, I haven't had time to help debug further. I'll DM you now
s

seph

07/24/2020, 8:41 PM
@theopolis I tossed some notes into a github issue. May not be news to you
theopolis

theopolis

07/24/2020, 8:50 PM
Yeah I wanted to explore the actual configuration in use. It's better to do that privately.
s

seph

07/24/2020, 8:50 PM
👍