What does `return code 78` mean in osquery ?
# general
What does
return code 78
mean in osquery ?
Can you provide more context? Is this reproducible? If so, how
process = subprocess.run(['osqueryi', '--json', 'select * from os_version'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, universal_newlines=True)
gives no output and when I checked the
return code it says 78
And I faced this issue only on a single machine out of 6 machines that I checked on osquery on.
Exit code 78 is related to pre-defined exit codes in both Linux and BSD (/usr/include/sysexists.h). If I had to guess this one outlier has a different version of Python and libraries / eggs compared to the 5 functional machines.
I usually run using python3, so I uninstalled and installed the python3, but still no change. I still get the 78 error code..
Do you have any idea on how to fix this ?
osquery is a universal interface to collect telemetry and inspect hosts across multiple OS. Common usage patterns are running
 with filesystem or tls logging.
It’s important to know the exact Python 3 version as subprocess modules behavior does change within the various 3.x variants. Try something like …
Copy code
subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE,          shell=use_shell, universal_newlines=True)
Even without python3 (subprocess)
$osqueryi --json 'select * from os_version'
{"build":"","codename":"","major":"7","minor":"8","name":"CentOS Linux","patch":"2003","platform":"rhel","platform_like":"rhel","version":"CentOS Linux release 7.8.2003 (Core)"}
$echo $?
I am getting output in this way, but at the end (after printing 
 in the above output) it
hangs for 2 seconds
and the osqueryi process ends. But, when I check the return code - It says 78
I think I found it. Still digging
Seems to happen if I specify an extension that cannot be executed. eg:
Copy code
touch no-exec
osqueryd --ephemeral --extension `pwd`/no-exec --allow-unsafe
Missing extensions produce the same errors
@Zweasta Does your config point to an extension that’s missing or broken?
Though I do see that in the stderr output
@seph The issue is resolved using this
--config_plugin=filesystem --config_path=/dev/null
Do you know why?
Nope, I didn't dig further.. As it was only seen in one single machine.. I got this solution from @theopolis . Maybe he must be having some more info regarding this
I’m glad it solved your problem. I expect stderr would have more information, and I might guess there’s something pointing at a bad extension
Yep.. I think the same..
Sorry, I haven't had time to help debug further. I'll DM you now
@theopolis I tossed some notes into a github issue. May not be news to you
Yeah I wanted to explore the actual configuration in use. It's better to do that privately.