https://github.com/osquery/osquery logo
Join Slack
Powered by
First time I’m building osquery since endpoint sec...
# core
s
First time I’m building osquery since endpoint security merged, and I’m running into issues…. This is a Big Sur 11.4 machine, with whatever Xcode came from the apple store.
Copy code
[ 87%] Building CXX object osquery/events/CMakeFiles/osquery_events.dir/darwin/openbsm.cpp.o
/Users/seph/checkouts/osquery/osquery/osquery/events/darwin/endpointsecurity.cpp:179:35: error: no member named 'global_seq_num' in 'es_message_t'
    ec->global_seq_num = message->global_seq_num;
                         ~~~~~~~  ^
/Users/seph/checkouts/osquery/osquery/osquery/events/darwin/endpointsecurity.cpp:213:57: error: no member named 'cwd' in 'es_event_exec_t'
      ec->cwd = getStringFromToken(&message->event.exec.cwd->path);
                                    ~~~~~~~~~~~~~~~~~~~ ^
2 errors generated.
s
taking a look, give me a bit
iirc one needs to pass in the SDK version, let me take a look
s
I was building as:
Copy code
cmake -DCMAKE_OSX_DEPLOYMENT_TARGET=10.12 ..
cmake --build . -j $(sysctl -n hw.ncpu)
s
Are you building with just the command line tools, or the full Xcode intall?
s
Should be the full ones. Pretty sure the dev tools errored out much sooner, so I had to upgrade
Copy code
miniseph:build seph$ xcode-select -p
/Applications/Xcode.app/Contents/Developer
t
(ideas from the 'maybe it will work department') Are you using an older ./build from months ago? Sometimes I find that a 
mv ./build ./build2; mkdir build; cd build; cmake ..
sort of thing fixes bugs.
s
Shouldn’t be, I spun up this Big Sur machine when I started. But it’s an easy thing to try.
s
Okay, I am downloading 11.4 RC/beta, but my internet is slow today and taking a while
s
:scratches head: I don’t get it. I rm’ed build and rebuilt. This time it worked. So, clearly some kind of user error. But I’m pretty sure I’d started afresh
😅 1
Aw well. Thanks for prodding on the Teddy, sorry to bother you Sharvil
metal 1
p
I've also encountered this same error when building on a Mac But since Mac ci builds seem to work i assumed it was an issue on my system or something else on my system I tried multiple different SDK types I'm pretty sure I also tried removing the build dir But I will try deleting that again
s
What version is your Mac? We recently started needing Catalina or later for the builds
p
Big sur
m
no member named 'global_seq_num' in 'es_message_t'
I think that field specifically was added in Big Sur, so, this might be an issue of linking or building with Catalina
The Endpoint Security code is guarded by a conditional like 
if (__builtin_available(macos 10.15, *))
— maybe something like that is needed for whether it captures 
global_seq_num
or not (except 
macOS 11
)
s
Okay, I was successfully able to build latest osquery, without any issues, on fresh installs of 10.15 latest (catalina), 11.3.1 (big sur) and 11.5 Beta (11.4 is in RC and apple just kept redirecting me to 11.5). I also tested those with XCode 12.3, 12.4 and 12.5 Beta, and it worked across all versions.
I also did an ad-hoc codesign of 
osqueryd
and confirmed that it runs and gives expected results, no matter what macOS version osqueryd is compiled on
If anyone is still facing build issues, please let me know, I can help troubleshoot, the other thing to check would be where 
xcode-select -p
is pointing to.
The 
global_seq_num
field is only present on big sur, so the 
no member name
error makes more sense on catalina (which is why we need 10.12 as minimum and full XCode for building on catalina) -- As Teddy suggested, I am guessing this is a stale 
build
or 
ccache
somewhere.
__builtin_available
guards are there so that osquery built on catalina and newer, continues to run on 10.14 mojave and earlier (where ESF doesn't exists) and doesn't complain for missing symbols
15 Views
Open in Slack
PreviousNext
Powered by