Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
m
Mustafa
07/17/2018, 10:00 AMwe’ve encountred some problems with osquery mass deployment. (into osquery…wxs file) we added InstallScope=“perMachine” to <Package Comments=“Facebooks opensource host intrusion detection agent” Compressed=“yes” Description=“osquery standalone installer” InstallerVersion=“100” Languages=“1033" Manufacturer=“Facebook” Platform=“x86" InstallScope=“perMachine”/>
(we use dark.exe, candle.exe, light.exe for this process)
it solved some of our problems related with deployment and also installing, unsintalling, repairing
You can try this to see whether solve your problems
r
Rich5
07/17/2018, 12:18 PMthanks. We'll give that a try.
m
Mustafa
07/17/2018, 12:29 PMbefore we added this code part, the application did not use to appear on add/remove control panel when it deployed through AD
Also before we added this code part, the application size used to increase at every upgrade process when deployed through AD (displayed size on add/remove control panel)
Lastly, as a general osquery issue… application size continues to increase at every repair process also… (right click the application and click repair and see it on add/remove control panel…)
r
Rich5
07/17/2018, 12:44 PMThat's all good to know. I appreciate it
Did you ever experience osqueryd not starting because of a locked database after upgrading?
m
Mustafa
07/17/2018, 12:49 PMhimm.. I didn’t test it. actually I have it upgraded it succesfuly but didn’t think to check the service. i will check thanks
are you sure that it was because of locked database? or you mean folder permissions
r
Rich5
07/17/2018, 12:52 PMSorry yeah it was permissions
m
Mustafa
07/17/2018, 12:57 PMactually there shouldn’t be a problem.. because osquery.db folder isn’t uninstalled from the system by uninstall process and this should be valid for upgrade process i think… so although you can’t access to the folder by double click, the System account(osqueryd service is using that account) is able to access to this folder
it is weird if you encounter with this issue
r
Rich5
07/17/2018, 1:04 PMHmm ok I'm pretty sure the permissions caused an issue for us. I'll need to test again to make sure
m
Mustafa
07/17/2018, 3:02 PMhi, I’m testing the case now. I will inform you (i’m testing the case with the msi file which i built, 3.2.4 and 3.2.6)
upgrade succesful and test OK. after upgrade process, i’m able to query the client and the results pushed to fleet server. No problem with osqueryd service and the osquery.db folder
r
Rich5
07/17/2018, 3:09 PMok great. Thanks for that. After we change the wix file maybe we won't see any issues or it might be environmental