Hello everyone which channel would be the ideal to get some

Question

Hello everyone which channel would be the ideal to get some support with the `osquery` configuration I m struggling to get some of the `osquery flags` the configuration set into my `osquery db` Performing a simple `select from osquery flags ` doesn t return any of the flags set in my `osquery flags` Realy appreciate your help

seph · Answer

Here or stack overflow are both great places to ask

seph · Answer

gt configuration set into my osquery db This doesn t really sound correct `osquery db` is a bunch of mostly ephemeral state It s not something you get things into You re trying to pass flags along to a running `osqueryd` or osquery daemon

seph · Answer

Anyhow So you re setting an osquery flags file How are you starting osquery Are you passing along that path

Helio Martins · Answer

Hey < seph> thanks for getting back to me

Helio Martins · Answer

I tried heaps searching on stackoverflow etc but I search a lot that even ended up joining this slack

Helio Martins · Answer

< seph> the problem in my project is that we have some unit tests that perform the `assert` based in some values returned from `select from osquery flags`

Helio Martins · Answer

This is how I m starting it `sudo osqueryctl start`

Helio Martins · Answer

Performing a `sudo osqueryctl status` ` osqueryd service The osquery Daemon` `Loaded loaded usr lib systemd system osqueryd service disabled vendor preset enabled ` `Active active running since Mon 2020 03 16 21 54 08 UTC 5s ago` `Process 15029 ExecStartPre= bin sh c if f $LOCAL PIDFILE then mv $LOCAL PIDFILE $PIDFILE fi code=exited status=0 SUCCESS ` `Process 15028 ExecStartPre= bin sh c if f $FLAG FILE then touch $FLAG FILE fi code=exited status=0 SUCCESS ` `Main PID 15030 osqueryd ` `Tasks 17 limit 4915 ` `CGroup system slice osqueryd service` ` 15030 usr bin osqueryd flagfile etc osquery osquery flags config path etc osquery osquery conf` ` 15032 usr bin osqueryd`

seph · Answer

Osqueryctl should be a light wrapper around systemctl That status makes it look like it s using etc osquery osquery flags is that the file you re you re editing Was osquery restarted after your changes

Helio Martins · Answer

Yes it was

Helio Martins · Answer

I think I solved by adding two flags when performing the query

Helio Martins · Answer

flagfile when performing osqueryi and disable database

seph · Answer

osqueryi has nothing to do with osqueryd here I m not sure you re testing what you hope to be testing What are you trying to do

Helio Martins · Answer

I was performing a query `osqueryi SELECT name || || value FROM osquery flags list`

Helio Martins · Answer

And the tests were validating if fields from result of this query were set properly Example `its stdout should include host identifier hostname `

Helio Martins · Answer

Got it

seph · Answer

What is the intent of that test You mentioned `osqueryctl` earlier `osqueryi` is mostly unrelated

seph · Answer

So you re testing that osqueryi parsed the flags file as you expected If you re writing chefspec serverspec etc to verify the flags file was created great But osqueryctl and osqueryd are completely different

Helio Martins · Answer

Yes the tests are exactly for that

seph · Answer

Ah cool

Helio Martins · Answer

Yes I may not have the full understanding of that yet

Helio Martins · Answer

Apologies for that

seph · Answer

I think about osquery as a translation layer between sql and some os api You run `select from processes` and osquery does something akin to `ps | sql transform`

seph · Answer

That there s a thing called `osquery db` in the middle is misleading

seph · Answer

the db is used to track state for things like differential logging

seph · Answer

Generally speaking osquery is not a database There is not a set of things that feed a db which is queried There s a set of virtual tables which hit underlying os APIs

Helio Martins · Answer

Thanks so much for your explanation