sundsta
04/03/2020, 11:21 PM
ProtectSystem=strict feature. The daemon does not start, but no logs are produced. Does anyone know what changed between 4.0.2 and 4.1.1 that may have caused this? Here’s my full service unit config:
[Unit]
Description=The osquery Daemon
After=network.service syslog.service
[Service]
TimeoutStartSec=0
EnvironmentFile=/etc/default/osqueryd
ExecStartPre=/bin/sh -c "if [ ! -f $CONFIG_FILE ]; then echo {} > $CONFIG_FILE; fi"
ExecStartPre=/bin/sh -c "if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi"
ExecStartPre=/bin/sh -c "if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi"
ExecStart=/usr/bin/osqueryd \
--flagfile $FLAG_FILE \
--config_path $CONFIG_FILE
Restart=on-failure
KillMode=process
KillSignal=SIGTERM
ProtectSystem=strict
ReadWritePaths=/var/osquery /var/run /var/tmp /tmp
[Install]
WantedBy=multi-user.target
theopolis
04/03/2020, 11:44 PM

sundsta
04/03/2020, 11:48 PM
Apr 03 23:29:50 HOST systemd[1]: osqueryd.service: Start request repeated too quickly.
Apr 03 23:29:50 HOST systemd[1]: osqueryd.service: Failed with result 'exit-code'.
Apr 03 23:29:50 HOST systemd[1]: Failed to start The osquery Daemon.

theopolis
04/03/2020, 11:51 PM

sundsta
04/03/2020, 11:55 PM

theopolis
04/03/2020, 11:55 PM

sundsta
04/03/2020, 11:56 PM
ProtectSystem=strict option the service starts. Then, after it has run successfully, I can add the strict setting back and restart the service and it continues to work.

seph
04/04/2020, 1:09 AM
If set to "strict" the entire file system hierarchy is mounted read-only, except for the API file system subtrees /dev, /proc and /sys
Doesn’t that mean it can’t write its pid file or local database files?
Does adding --verbose add any clues?

sundsta
04/05/2020, 12:14 AM
/var/osquery /var/run /var/tmp /tmp (see the immediately following line in my config) which works on 3.3.2, 3.3.4, and 4.0.2. It is running as verbose in my test VM.

theopolis
04/05/2020, 12:20 AM

sundsta
04/05/2020, 12:35 AM