Channels
#kolide
Title
s
Seán O'Halloran
06/25/2020, 8:56 PMAll our osquery agents seem to have stopped sending results after updating to macOS v10.15.5. The only indication that something is wrong is that these errors are being spammed incessantly. Any ideas?
Copy code
default 16:55:42.162116-0400 osqueryd CSSM Exception: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default 16:55:42.163414-0400 osqueryd dbBlobVersion() failed for a CssmError: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default 16:55:42.163752-0400 osqueryd CSSM Exception: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default 16:55:42.165359-0400 osqueryd CSSM Exception: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default 16:55:42.166820-0400 osqueryd CSSM Exception: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default 16:55:42.168652-0400 osqueryd CSSM Exception: -2147413737 CSSMERR_DL_DATASTORE_DOESNOT_EXISTt
terracatta
06/25/2020, 11:26 PM
Sean, this appears to be a non-osquery specific issue, but I've not seen it before and I have not witnessed it occuring on 10.15.5 devices in my purview.
I found this stackoverflow thread that might be helpful https://apple.stackexchange.com/questions/280442/how-to-identify-a-missing-datastore-for-com-apple-securityd
t
theopolis
06/25/2020, 11:45 PM
I wonder if osquery is also consistently crashing after running a keychain-related query?
t
terracatta
06/25/2020, 11:54 PM
possibly, but in my testing I can repro a crash on either of the keychain tables on 10.15 via distributed queries over TLS
10.15.5 that is
t
theopolis
06/26/2020, 12:07 AM
You “can” reproduce?
t
terracatta
06/26/2020, 12:11 AM
can't...sorry
s
Seán O'Halloran
06/26/2020, 3:46 PM@terracatta @theopolis this is another error which gets thrown up as soon as osqueryd starts:
Any ideas for diagnosing this? My problem is that the agents are online and actually respond to ad-hoc queries, but they’re not posting the results of scheduled queries to the Fleet server. I can even see these results being written locally to
/var/log/osquery/osqueryd.results.log7 Views