# general
h
Hello everyone, which channel would be the ideal to get some support with the `osquery` configuration? I'm struggling to get some of the `osquery.flags` configuration set into my `osquery.db`. Performing a simple `select * from osquery_flags;` doesn't return any of the flags set in my `osquery.flags`. Really appreciate your help.
s
Here (or Stack Overflow) are both great places to ask.
> configuration set into my osquery.db
This doesn't really sound correct. `osquery.db` is a bunch of mostly ephemeral state. It's not something you get things into. You're trying to pass flags along to a running `osqueryd` (or "osquery daemon").
Anyhow... So you're setting an osquery.flags file. How are you starting osquery? Are you passing along that path?
h
Hey @seph, thanks for getting back to me...
I tried heaps of searching on Stack Overflow, etc., but I searched so much that I even ended up joining this Slack...
@seph, the problem in my project is that we have some unit tests that perform the `assert` based on some values returned from `select * from osquery_flags`...
This is how I'm starting it: `sudo osqueryctl start`
Performing a `sudo osqueryctl status`:
```
● osqueryd.service - The osquery Daemon
   Loaded: loaded (/usr/lib/systemd/system/osqueryd.service; disabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-03-16 21:54:08 UTC; 5s ago
  Process: 15029 ExecStartPre=/bin/sh -c if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi (code=exited, status=0/SUCCESS)
  Process: 15028 ExecStartPre=/bin/sh -c if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi (code=exited, status=0/SUCCESS)
 Main PID: 15030 (osqueryd)
    Tasks: 17 (limit: 4915)
   CGroup: /system.slice/osqueryd.service
           ├─15030 /usr/bin/osqueryd --flagfile /etc/osquery/osquery.flags --config_path /etc/osquery/osquery.conf
           └─15032 /usr/bin/osqueryd
```
s
osqueryctl should be a light wrapper around systemctl. That status makes it look like it's using /etc/osquery/osquery.flags. Is that the file you're editing? Was osquery restarted after your changes?
h
Yes, it was...
I think I solved it by adding two flags when performing the query: `--flagfile` when performing osqueryi, and `--disable_database`.
s
osqueryi has nothing to do with osqueryd here. I'm not sure you're testing what you hope to be testing? What are you trying to do?
h
I was performing a query:
```
osqueryi "SELECT name || ' ' || value FROM osquery_flags;" --list
```
And the tests were validating whether fields from the result of this query were set properly... Example:
```
its(:stdout) { should include 'host_identifier hostname' }
```
Got it?
s
What is the intent of that test? You mentioned `osqueryctl` earlier; `osqueryi` is mostly unrelated.
So you're testing that osqueryi parsed the flags file as you expected. If you're writing chefspec/serverspec/etc. to verify the flags file was created, great. But osqueryctl and osqueryd are completely different.
h
Yes, the tests are exactly for that.
s
Ah, cool
h
Yes, I may not have the full understanding of that yet. Apologies for that.
s
I think about osquery as a translation layer between SQL and some OS API. You run `select * from processes` and osquery does something akin to `ps | sql-transform`. That there's a thing called `osquery.db` in the middle is misleading.
The db is used to track state for things like differential logging.
Generally speaking, osquery is not a database. There is not a set of things that feed a db, which is queried. There's a set of virtual tables which hit underlying OS APIs.
h
Thanks so much for your explanation.