I have an issue where parameters in `osquery.conf`...
# general
j
I have an issue where parameters in `osquery.conf` seem ignored. I'm on Linux and I used the default conf file from `/usr/share/osquery/osquery.example.conf` and I just set up the parameter `"disable_tables": "chrome_extensions",` but when I start `osqueryi` or `osqueryd` the table is still available. Same if I explicitly provide the conf file `osqueryi --config_path=/etc/osquery/osquery.conf`
I don't understand what I do wrong
It works only when I used the flag `--disable_tables=chrome_extensions`
s
The table will be visible with `disable_tables` flag, but just not query-able
On querying, you should get an error along the lines of no such table
Is that not the case?
j
my issue is really "the conf file is ignored", none of the parameters are taken into account. I have `Error: no such table: chrome_extensions` when I use the flag but not when I use the config file
s
Ah okay, I am on mobile, so can’t currently look into it. This sounds like a bug, can you open an issue on GitHub mentioning what osquery and Linux version you are running?
j
yes it sounds like a bug. I'm using the latest version 4.0.2. The bug is also here in Windows OS
ok I'll open an issue (but maybe not today)
s
Did this get solved as part of the windows quoting stuff in https://osquery.slack.com/archives/C0FHNQ2N6/p1573557161158200
j
this specific problem (cannot read ...) has been solved yes. But here I report another problem that seems to be a bug in the latest version of osquery. I have the issue on windows too (I'll check later on macos)
s
On macos, I’m seeing something a bit weird, but with a normal text file this works:
```
dover:~ seph$ cat /tmp/c.conf 
{ "options": { "disable_tables": "chrome_extensions" } }
dover:~ seph$  /usr/local/kolide-k2/bin/osqueryd -S --config_path /tmp/c.conf 
Using a virtual database. Need help, type '.help'
osquery> select version from osquery_info;
+---------+
| version |
+---------+
| 4.0.2   |
+---------+
osquery> select * from chrome_extensions;
Error: no such table: chrome_extensions
```
(It fails if I use process substitution)
So, what is your config file? Can you share a full example?
j
i send you my config file in mp
fyi we found a bug. When a query is defined in `decorators` the config file is ignored
s
j
thank you very much 🙂
s
load ones are supposed to effect at load time, so there may be a specific bug where the load doesn’t happen, and then the config bails? Not sure