Hello everyone, which channel would be the ideal t...
Here (or stack overflow) are both great places to ask.
configuration set into my osquery.db
This doesn’t really sound correct.
osquery.db is a bunch of mostly ephemeral state. It’s not something you get things into. You’re trying to pass flags along to a running osqueryd (or “osquery daemon”).
Anyhow… So you’re setting an osquery.flags file. How are you starting osquery? Are you passing along that path?
Hey @seph, thanks for getting back to me...
I tried heaps of searching on Stack Overflow, etc., but I searched so much that I even ended up joining this Slack...
@seph, the problem in my project is that we have some unit tests that perform the
based on some values returned from
select * from osquery_flags
This is how I'm starting it:
sudo osqueryctl start
Performing a
sudo osqueryctl status
● osqueryd.service - The osquery Daemon
Loaded: loaded (/usr/lib/systemd/system/osqueryd.service; disabled; vendor preset: enabled)
Active: active (running) since Mon 2020-03-16 21:54:08 UTC; 5s ago
Process: 15029 ExecStartPre=/bin/sh -c if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi (code=exited, status=0/SUCCESS)
Process: 15028 ExecStartPre=/bin/sh -c if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi (code=exited, status=0/SUCCESS)
Main PID: 15030 (osqueryd)
Tasks: 17 (limit: 4915)
CGroup: /system.slice/osqueryd.service
├─15030 /usr/bin/osqueryd --flagfile /etc/osquery/osquery.flags --config_path /etc/osquery/osquery.conf
└─15032 /usr/bin/osqueryd
Osqueryctl should be a light wrapper around systemctl. That status makes it look like it's using /etc/osquery/osquery.flags. Is that the file you're editing? Was osquery restarted after your changes?
Yes it was...
I think I solved it by adding two flags when performing the query:
--flagfile when running osqueryi, and --disable_database
osqueryi has nothing to do with osqueryd here. I'm not sure you're testing what you hope to be testing? What are you trying to do?
I was performing a query
osqueryi "SELECT name || ' ' || value FROM osquery_flags;" --list
And the tests were validating whether fields from the result of this query were set properly... Example:
its(:stdout) { should include 'host_identifier hostname' }
Got it?
What is the intent of that test? You mentioned
is mostly unrelated.
So you’re testing that osqueryi parsed the flags file as you expected. If you’re writing chefspec/serverspec/etc to verify the flags file was created, great. But osqueryctl and osqueryd are completely different.
Yes, the tests are exactly for that.
Ah, cool
Yes, I may not have the full understanding of that yet.
Apologies for that
I think about osquery as a translation layer between sql and some os api. You run
select * from processes
and osquery does something akin to
ps | sql-transform
That there’s a thing called
in the middle is misleading.
the db is used to track state for things like differential logging.
Generally speaking, osquery is not a database. There is not a set of things that feed a db, which is queried. There’s a set of virtual tables which hit underlying os APIs
Thanks so much for your explanation.