# macos

Luis Gomez

05/26/2021, 7:15 AM
Does anybody know why I could be having an issue where all entries in `osquery_schedule` have a `last_executed = 0`? I have enabled the osx-attack pack but no queries seem to be running, I left the default intervals and I'm using filesystem logging. If this is not the right place to ask this, let me know where. Thanks! :)
I'm also wondering what's the best way to debug this.

allister

05/26/2021, 8:44 AM
the daemon is running?
what is configuring the schedule, is it a local conf or over TLS from a server?

Luis Gomez

05/26/2021, 8:50 AM
it's all on my local computer
daemon is running
```
➜  ~ sudo osqueryctl status
com.facebook.osqueryd is running. pid: 10799
```

allister

05/26/2021, 8:52 AM
what's the interval on the attacks pack?
I'm seeing every hour for a lot of them, has it output logs multiple times?
actually these are all differentials
I saw the same thing you did the first time I did an adhoc run, but now a few weeks after scheduling some snapshots/differentials I get unix timestamps for that key

Luis Gomez

05/26/2021, 8:57 AM
is it normal that in the `osquery_schedule` table all entries have `last_executed = 0`?
I was expecting not to find log entries in `osqueryd.results.log`, which is fine, especially for the osx-attack pack, but I was looking for a confirmation that the queries were running
the interval is 3600 seconds in all the queries of the pack by default
I also tried to lower one of the queries' interval to 120 seconds to see if that was it
but no luck so far

allister

05/26/2021, 9:00 AM
when it has nothing to report it has nothing to report

Luis Gomez

05/26/2021, 9:00 AM
of course
but shouldn't it appear somewhere that the query was executed by the scheduler?

allister

05/26/2021, 9:01 AM
I'm not sure how that field gets evaluated if it has no results, but I also don't think like a security person, I think like an inventory/auditing person - I'm mostly running snapshots

Luis Gomez

05/26/2021, 9:04 AM
so my question is mostly how to find out when a certain query was executed by the scheduler, because I thought the `last_executed` column in the `osquery_schedule` table was doing that, but I'm not sure anymore
I do have a default scheduled query in the conf which adds results to the log, the `system_info` one, but that also shows `last_executed = 0`

allister

05/26/2021, 9:49 AM
has it been running for longer than ~24 hours?
I mean that shouldn't make a difference, but

Luis Gomez

05/26/2021, 10:11 AM
yeah

zwass

05/26/2021, 3:08 PM
Are you running `osquery_schedule` in `osqueryi`?

Luis Gomez

05/26/2021, 4:02 PM
the query, yes
```sql
SELECT * FROM osquery_schedule WHERE last_executed > 0;
```
running this query in `osqueryi` gives nothing
is it because it's a virtual db?
I thought maybe it would connect to the RocksDB for this stuff
but I'm new to osquery so it's still unclear to me 🙂

zwass

05/26/2021, 4:21 PM
This is a common misconception
Both processes cannot connect to the same DB, so osqueryi has no access to the schedule info
However, there is a new functionality that can be helpful with this. See https://twitter.com/fleetctl/status/1387376047516053508

Luis Gomez

05/26/2021, 4:32 PM
oh nice!
thanks for the clarification @zwass!

zwass

05/26/2021, 4:37 PM
(typically you want to schedule a query for the `osquery_schedule` table, but that new `.connect` command is a good option for ad-hoc analysis)

Luis Gomez

05/26/2021, 4:44 PM
makes sense, ad-hoc is good mostly for checking quickly that the query runs as it should