Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
d
defensivedepth
06/02/2022, 7:55 PMI have a number of Launcher clients that are stuck running osquery 4.5.1, because the (updated) downloaded osqueryd is failing with a
segementation fault{
"binary": "/usr/local/launcher/bin/osqueryd-updates/1652735666/osqueryd",
"binaryName": "osqueryd",
"caller": "findnew.go:207",
"fullBinaryPath": "/usr/local/launcher/bin/osqueryd",
"level": "error",
"msg": "not executable. Skipping",
"reason": "signal: segmentation fault",
"ts": "2022-06-02T14:04:21.625141787Z",
"updateDir": "/usr/local/launcher/bin/osqueryd-updates"
}/usr/local/launcher/bin/osqueryd-updates/{
"binaryName": "osqueryd",
"caller": "autoupdate.go:165",
"level": "debug",
"msg": "Created Updater",
"stagingPath": "/var/launcher/securityonion/osqueryd-staging",
"ts": "2022-06-02T19:44:59.357491281Z",
"updater": "osqueryd",
"updatesDirectory": "/usr/local/launcher/bin/osqueryd-updates"
}s
seph
06/03/2022, 2:17 AMThere’s a lot to unpack here.
Why is
/usr/local/launcher/bin/osqueryd-updates/1652735666/osqueryd“Stuck” is a bit odd — launcher doesn’t really get stuck per se. What it does is download updates when they happen, and then try to run them. If it can run a file on local disk, it’ll skip that.
But…. launcher only runs updates when they happen. It has no real concept of what version is should run, just whether or not there has been a change.
One way to force it to notice and re-update is to remove the local tuf store. This is less scary than it sounds — launcher will rebuild it from what’s baked into the binary.
On your machines, that’s probably
var/launcher/securityonion/osqueryd-tufd
defensivedepth
06/03/2022, 8:42 PMThanks for the thoughts, still working on this. Removing the local tuf store & restarting launcher does not appear to force it to re-update, but it could be a timing issue. Double-checking some things.
{
"binaryName": "osqueryd",
"caller": "findnew.go:230",
"fullBinaryPath": "/usr/local/launcher/bin/osqueryd",
"level": "debug",
"msg": "no updates found",
"ts": "2022-06-03T20:26:44.163520332Z",
"updateDir": "/usr/local/launcher/bin/osqueryd-updates"
}s
seph
06/03/2022, 8:47 PMHow long did you wait after restarting launcher? The updaters default to a 30 or 60 minut deay
d
defensivedepth
06/03/2022, 8:49 PMya, thats what I mean RE: Timing. Had an issue with the test system I was working with and it rebooted, so not sure if it hit that 60min timer yet
ah looks like osqueryd has an update delay of 90min
s
seph
06/03/2022, 8:54 PM60 and 90 I guess. Seems believable.
d
defensivedepth
06/03/2022, 8:55 PMStill not sure the root cause of the issue