
Jerome

11/13/2019, 9:04 AM
I have an issue where parameters in osquery.conf seem to be ignored. I'm on Linux and I used the default conf file from /usr/share/osquery/osquery.example.conf and I just set up the parameter "disable_tables": "chrome_extensions", but when I start osqueryi or osqueryd the table is still available. Same if I explicitly provide the conf file: osqueryi --config_path=/etc/osquery/osquery.conf
I don't understand what I'm doing wrong.
It works only when I use the flag --disable_tables=chrome_extensions

sharvil

11/13/2019, 9:42 AM
The table will be visible with disable_tables flag, but just not query-able.
On querying, you should get an error along the lines of no such table.
Is that not the case?

Jerome

11/13/2019, 9:54 AM
My issue is really "the conf file is ignored": none of the parameters are taken into account. I have "Error: no such table: chrome_extensions" when I use the flag but not when I use the config file.

sharvil

11/13/2019, 10:09 AM
Ah okay, I am on mobile, so can’t currently look into it. This sounds like a bug, can you open an issue on GitHub mentioning what osquery and Linux version you are running?

Jerome

11/13/2019, 10:14 AM
Yes, it sounds like a bug. I'm using the latest version 4.0.2. The bug is also here in Windows OS.
OK, I'll open an issue (but maybe not today).

seph

11/13/2019, 1:21 PM
Did this get solved as part of the windows quoting stuff in https://osquery.slack.com/archives/C0FHNQ2N6/p1573557161158200

Jerome

11/13/2019, 1:24 PM
This specific problem (cannot read ...) has been solved, yes. But here I report another problem that seems to be a bug in the latest version of osquery. I have the issue on Windows too (I'll check later on macOS).

seph

11/13/2019, 1:47 PM
On macos, I’m seeing something a bit weird, but with a normal text file this works:
dover:~ seph$ cat /tmp/c.conf 
{ "options": { "disable_tables": "chrome_extensions" } }
dover:~ seph$  /usr/local/kolide-k2/bin/osqueryd -S --config_path /tmp/c.conf 
Using a virtual database. Need help, type '.help'
osquery> select version from osquery_info;
+---------+
| version |
+---------+
| 4.0.2   |
+---------+
osquery> select * from chrome_extensions;
Error: no such table: chrome_extensions
(It fails if I use process substitution)
So, what is your config file? Can you share a full example?

Jerome

11/13/2019, 2:01 PM
I send you my config file by PM.
FYI, we found a bug. When a query is defined in decorators the config file is ignored.

seph

11/13/2019, 2:18 PM

Jerome

11/13/2019, 2:18 PM
thank you very much 🙂

seph

11/13/2019, 2:19 PM
load ones are supposed to take effect at load time, so there may be a specific bug where the load doesn’t happen, and then the config bails? Not sure