https://github.com/osquery/osquery logo
Powered by
Title
z

Zweasta

06/19/2020, 11:29 PM
What does 
return code 78
mean in osquery ?
j

Jams

06/20/2020, 3:07 AM
Can you provide more context? Is this reproducible? If so, how
z

Zweasta

06/20/2020, 3:13 AM
process = subprocess.run(['osqueryi', '--json', 'select * from os_version'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, universal_newlines=True)
print(process.stdout)
gives no output and when I checked the 
return code it says 78
And I faced this issue only on a single machine out of 6 machines that I checked on osquery on.
j

Jams

06/20/2020, 3:34 AM
Exit code 78 is related to pre-defined exit codes in both Linux and BSD (/usr/include/sysexists.h). If I had to guess this one outlier has a different version of Python and libraries / eggs compared to the 5 functional machines.
z

Zweasta

06/20/2020, 3:49 AM
I usually run using python3, so I uninstalled and installed the python3, but still no change. I still get the 78 error code..
Do you have any idea on how to fix this ?
j

Jams

06/20/2020, 4:29 AM
osquery is a universal interface to collect telemetry and inspect hosts across multiple OS. Common usage patterns are running 
osqueryd
 with filesystem or tls logging.
It’s important to know the exact Python 3 version as subprocess modules behavior does change within the various 3.x variants. Try something like … 
subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE,          shell=use_shell, universal_newlines=True)
z

Zweasta

06/20/2020, 11:49 AM
Even without python3 (subprocess) 
$osqueryi --json 'select * from os_version'
[
{"build":"","codename":"","major":"7","minor":"8","name":"CentOS Linux","patch":"2003","platform":"rhel","platform_like":"rhel","version":"CentOS Linux release 7.8.2003 (Core)"}
]
$echo $?
78
I am getting output in this way, but at the end (after printing 
"]"
 in the above output) it 
hangs for 2 seconds
and the osqueryi process ends. But, when I check the return code - It says 78
s

seph

07/24/2020, 6:33 PM
I think I found it. Still digging
Seems to happen if I specify an extension that cannot be executed. eg: 
touch no-exec
osqueryd --ephemeral --extension `pwd`/no-exec --allow-unsafe
Missing extensions produce the same errors
@Zweasta Does your config point to an extension that’s missing or broken?
Though I do see that in the stderr output
z

Zweasta

07/24/2020, 6:52 PM
@seph The issue is resolved using this 
--config_plugin=filesystem --config_path=/dev/null
s

seph

07/24/2020, 6:57 PM
Do you know why?
z

Zweasta

07/24/2020, 7:11 PM
Nope, I didn't dig further.. As it was only seen in one single machine.. I got this solution from @theopolis . Maybe he must be having some more info regarding this
s

seph

07/24/2020, 7:12 PM
I’m glad it solved your problem. I expect stderr would have more information, and I might guess there’s something pointing at a bad extension
z

Zweasta

07/24/2020, 7:13 PM
Yep.. I think the same..
t

theopolis

07/24/2020, 8:12 PM
Sorry, I haven't had time to help debug further. I'll DM you now
s

seph

07/24/2020, 8:41 PM
@theopolis I tossed some notes into a github issue. May not be news to you
t

theopolis

07/24/2020, 8:50 PM
Yeah I wanted to explore the actual configuration in use. It's better to do that privately.
s

seph

07/24/2020, 8:50 PM
👍
#generalJoin Slack
Powered by