Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
s
Seán O'Halloran
06/25/2020, 8:56 PMAll our osquery agents seem to have stopped sending results after updating to macOS v10.15.5. The only indication that something is wrong is that these errors are being spammed incessantly. Any ideas?
default 16:55:42.162116-0400 osqueryd CSSM Exception: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default 16:55:42.163414-0400 osqueryd dbBlobVersion() failed for a CssmError: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default 16:55:42.163752-0400 osqueryd CSSM Exception: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default 16:55:42.165359-0400 osqueryd CSSM Exception: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default 16:55:42.166820-0400 osqueryd CSSM Exception: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default 16:55:42.168652-0400 osqueryd CSSM Exception: -2147413737 CSSMERR_DL_DATASTORE_DOESNOT_EXISTt
terracatta
06/25/2020, 11:26 PMSean, this appears to be a non-osquery specific issue, but I've not seen it before and I have not witnessed it occuring on 10.15.5 devices in my purview.
I found this stackoverflow thread that might be helpful https://apple.stackexchange.com/questions/280442/how-to-identify-a-missing-datastore-for-com-apple-securityd
t
theopolis
06/25/2020, 11:45 PMI wonder if osquery is also consistently crashing after running a keychain-related query?
t
terracatta
06/25/2020, 11:54 PMpossibly, but in my testing I can repro a crash on either of the keychain tables on 10.15 via distributed queries over TLS
10.15.5 that is
t
theopolis
06/26/2020, 12:07 AMYou “can” reproduce?
t
terracatta
06/26/2020, 12:11 AMcan't...sorry
s
Seán O'Halloran
06/26/2020, 3:46 PM@terracatta @theopolis this is another error which gets thrown up as soon as osqueryd starts:
Any ideas for diagnosing this? My problem is that the agents are online and actually respond to ad-hoc queries, but they’re not posting the results of scheduled queries to the Fleet server. I can even see these results being written locally to
/var/log/osquery/osqueryd.results.log