Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
j
Jerome
11/13/2019, 9:04 AMI have an issue where parameters in
osquery.conf/usr/share/osquery/osquery.example.conf"disable_tables": "chrome_extensions",osqueryiosquerydosqueryi --config_path=/etc/osquery/osquery.confIt works only when I used the flag
--disable_tables=chrome_extensionss
sharvil
11/13/2019, 9:42 AMThe table will be visible with
disable_tablesOn querying, you should get an error along the lines of no such table
Is that not the case?
j
Jerome
11/13/2019, 9:54 AMmy issue is really "the conf file is ignored" none parameters are taking into account .
I have
Error: no such table: chrome_extensionss
sharvil
11/13/2019, 10:09 AMAh okay, I am on mobile, so can’t currently look into it. This sounds like a bug, can you open an issue on GitHub mentioning what osquery and Linux version you are running?
j
Jerome
11/13/2019, 10:14 AMyes it sound like a bug. I'm using the lateest version 4.0.2. The bug is also here in Windows OS
ok I'll open an issue (but maybe not today)
s
seph
11/13/2019, 1:21 PMDid this get solved as part of the windows quoting stuff in https://osquery.slack.com/archives/C0FHNQ2N6/p1573557161158200
j
Jerome
11/13/2019, 1:24 PMthis specific problem (cannot read ...) has been solved yes. But here I report another problem that seems to be a bug in the latest version of osquery. I have the issue on windows too (I'll check later on macos)
s
seph
11/13/2019, 1:47 PMOn macos, I’m seeing something a bit weird, but with a normal text file this works:
dover:~ seph$ cat /tmp/c.conf
{ "options": { "disable_tables": "chrome_extensions" } }
dover:~ seph$ /usr/local/kolide-k2/bin/osqueryd -S --config_path /tmp/c.conf
Using a virtual database. Need help, type '.help'
osquery> select version from osquery_info;
+---------+
| version |
+---------+
| 4.0.2 |
+---------+
osquery> select * from chrome_extensions;
Error: no such table: chrome_extensionsSo, what is your config file? Can you share a full example?
j
Jerome
11/13/2019, 2:01 PMi send you my config file in mp
fyi we found a bug. When a query is defined in
decoratorss
seph
11/13/2019, 2:18 PMI filed this as https://github.com/osquery/osquery/issues/6041
👍 1
j
Jerome
11/13/2019, 2:18 PMthank you very much 🙂
s
seph
11/13/2019, 2:19 PMload ones are supposed to effect at load time, so there may be a specific bug where the load doesn’ty happen, and then the config bails? Not sure