What does `return code 78` mean in osquery osquery #general

What does `return code 78` mean in osquery ?

Zweasta

06/19/2020, 11:29 PM

What does

return code 78

mean in osquery ?

Jams

06/20/2020, 3:07 AM

Can you provide more context? Is this reproducible? If so, how

Zweasta

06/20/2020, 3:13 AM

process = subprocess.run(['osqueryi', '--json', 'select * from os_version'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, universal_newlines=True)

Zweasta

06/20/2020, 3:14 AM

print(process.stdout)

gives no output and when I checked the

return code it says 78

Zweasta

06/20/2020, 3:15 AM

And I faced this issue only on a single machine out of 6 machines that I checked on osquery on.

Jams

06/20/2020, 3:34 AM

Exit code 78 is related to pre-defined exit codes in both Linux and BSD (/usr/include/sysexists.h). If I had to guess this one outlier has a different version of Python and libraries / eggs compared to the 5 functional machines.

Zweasta

06/20/2020, 3:49 AM

I usually run using python3, so I uninstalled and installed the python3, but still no change. I still get the 78 error code..

Zweasta

06/20/2020, 3:49 AM

Do you have any idea on how to fix this ?

Jams

06/20/2020, 4:29 AM

osquery is a universal interface to collect telemetry and inspect hosts across multiple OS. Common usage patterns are running

osqueryd

with filesystem or tls logging.

Jams

06/20/2020, 4:32 AM

It’s important to know the exact Python 3 version as subprocess modules behavior does change within the various 3.x variants. Try something like …

Copy code

subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE,          shell=use_shell, universal_newlines=True)

Zweasta

06/20/2020, 11:49 AM

Even without python3 (subprocess)

$osqueryi --json 'select * from os_version'

{"build":"","codename":"","major":"7","minor":"8","name":"CentOS Linux","patch":"2003","platform":"rhel","platform_like":"rhel","version":"CentOS Linux release 7.8.2003 (Core)"}

Zweasta

06/20/2020, 11:49 AM

$echo $?

Zweasta

06/20/2020, 12:14 PM

I am getting output in this way, but at the end (after printing

"]"

in the above output) it

hangs for 2 seconds

and the osqueryi process ends. But, when I check the return code - It says 78

seph

07/24/2020, 6:33 PM

I think I found it. Still digging

seph

07/24/2020, 6:35 PM

Seems to happen if I specify an extension that cannot be executed. eg:

Copy code

touch no-exec
osqueryd --ephemeral --extension `pwd`/no-exec --allow-unsafe

seph

07/24/2020, 6:36 PM

Missing extensions produce the same errors

seph

07/24/2020, 6:38 PM

@Zweasta Does your config point to an extension that’s missing or broken?

seph

07/24/2020, 6:43 PM

Though I do see that in the stderr output

Zweasta

07/24/2020, 6:52 PM

@seph The issue is resolved using this

--config_plugin=filesystem --config_path=/dev/null

seph

07/24/2020, 6:57 PM

Do you know why?

Zweasta

07/24/2020, 7:11 PM

Nope, I didn't dig further.. As it was only seen in one single machine.. I got this solution from @theopolis . Maybe he must be having some more info regarding this

seph

07/24/2020, 7:12 PM

I’m glad it solved your problem. I expect stderr would have more information, and I might guess there’s something pointing at a bad extension

Zweasta

07/24/2020, 7:13 PM

Yep.. I think the same..

theopolis

07/24/2020, 8:12 PM

Sorry, I haven't had time to help debug further. I'll DM you now

seph

07/24/2020, 8:41 PM

@theopolis I tossed some notes into a github issue. May not be news to you

theopolis

07/24/2020, 8:50 PM

Yeah I wanted to explore the actual configuration in use. It's better to do that privately.

seph

07/24/2020, 8:50 PM

👍

Open in Slack

Previous Next