Ian
02/19/2023, 4:01 AM
sudo osqueryctl start
after copying the example configuration file to osquery.conf.
I've been playing around with the packs here: https://github.com/chainguard-dev/osqtool
but for reasons that aren't apparent to me, I'm getting errors about tables missing in /var/log/osquery/osqueryd.INFO:
E0218 19:28:57.638203 -2145783808 scheduler.cpp:128] Error executing scheduled query pack_odk-detection_sketchy-fetcher-events: no such table: process_events
E0218 19:29:05.149111 -2145783808 scheduler.cpp:128] Error executing scheduled query pack_odk-detection_unexpected-privilege-escalation_macos: no such table: signature
E0218 19:29:16.931692 -2145783808 scheduler.cpp:128] Error executing scheduled query pack_odk-detection_unexpected-env-values-macos: no such table: process_envs
I even took the output here: osqueryi --list "select name, default_value from osquery_flags"
and after text replacing, and adding '--' to the beginning of each line, sent the results to osquery.flags to make sure the defaults were all set.
osqueryi sees those tables just fine.
I did add osquery to 'Full Disk Access' in macos perms. What am I missing here? I see osqueryd running as root in ps output.
I've attempted to toggle some of the settings -- like enabling most of the audit_allow choices, and making sure the relevant disable-* settings were set to false.
I0218 21:06:33.474051 -241893056 eventfactory.cpp:156] Event publisher not enabled: scnetwork: Publisher not used
I0218 21:06:33.474445 -241893056 eventfactory.cpp:156] Event publisher not enabled: event_tapping: Publisher disabled via configuration
$ ls -la /var/osquery/osquery.em
srwxr-xr-x 1 root wheel 0 Feb 18 21:06 /var/osquery/osquery.em
$ sudo osqueryi
Password:
Using a virtual database. Need help, type '.help'
osquery> .connect /var/osquery/osquery.em
Connected to extension socket /var/osquery/osquery.em for debugging
[*]osquery> select * from osquery_info;
Error: no such table: osquery_info
[*]osquery>
Is this some kinda macOS M* processor thing? Guess I'll try uninstalling the brew package and see if I get better results with the normal pkg installer.
--audit_allow_fim_events=true
--audit_allow_process_events=true
--audit_allow_sockets=true
--audit_allow_user_events=true
--disable_endpointsecurity=false
--disable_endpointsecurity_fim=false
--enable_file_events=true
--enable_keyboard_events=true
--enable_mouse_events=true
--enable_yara_string=true
curious if anyone here can spot which of those entries is hosing osquery like that! One thing I tried was removing all lines that didn't have a value after the equals sign, but that didn't help.
Stefano Bonicatti
02/19/2023, 10:04 AM
--enable_tables=processes
is likely the cause; that disables everything else except that table