# core
Hey friends, I've spun up osquery on a test macos machine (Ventura) -- I used brew to install 5.7.0, and ran
sudo osqueryctl start
after copying the example configuration file to osquery.conf. I've been playing around with the packs here: https://github.com/chainguard-dev/osqtool but for reasons that aren't apparent to me, I'm getting errors about tables missing in /var/log/osquery/osqueryd.INFO:
E0218 19:28:57.638203 -2145783808 scheduler.cpp:128] Error executing scheduled query pack_odk-detection_sketchy-fetcher-events: no such table: process_events
E0218 19:29:05.149111 -2145783808 scheduler.cpp:128] Error executing scheduled query pack_odk-detection_unexpected-privilege-escalation_macos: no such table: signature
E0218 19:29:16.931692 -2145783808 scheduler.cpp:128] Error executing scheduled query pack_odk-detection_unexpected-env-values-macos: no such table: process_envs
I even took the output here
osqueryi --list "select name, default_value from osquery_flags"
and after text replacing, and adding '--' to the beginning of each line, sent the results to osquery.flags to make sure the defaults were all set. osqueryi sees those tables just fine. I did add osquery to 'Full Disk Access' in macos perms. What am I missing here? I see osqueryd running as root in
ps
output. I've attempted to toggle some of the settings -- like enabling most of the audit_allow choices, and making sure the relevant disable-* settings were set to false.
I did see this at the top of that log file, but don't have a clue which configuration flag is disabling the event_tapping publisher, or why the system configuration network publisher is not used:
I0218 21:06:33.474051 -241893056 eventfactory.cpp:156] Event publisher not enabled: scnetwork: Publisher not used
I0218 21:06:33.474445 -241893056 eventfactory.cpp:156] Event publisher not enabled: event_tapping: Publisher disabled via configuration
Okay, this is really strange:
$ ls -la /var/osquery/osquery.em
srwxr-xr-x  1 root  wheel  0 Feb 18 21:06 /var/osquery/osquery.em

$ sudo osqueryi
Password:
Using a virtual database. Need help, type '.help'
osquery> .connect /var/osquery/osquery.em
Connected to extension socket /var/osquery/osquery.em for debugging
[*]osquery> select * from osquery_info;
Error: no such table: osquery_info
[*]osquery>
Is this some kinda macOS M* processor thing? Guess I'll try uninstalling the brew package and see if I get better results with the normal pkg installer.
That didn't make a difference, however if I remove that osquery.flags file and replace it with an empty file, I'm at least able to query the osquery_info table after connecting. It's got to be something about that osquery.flags file...
kk, got it working by just truncating all the default stuff out of that flags file. Now all it contains is:
--audit_allow_fim_events=true
--audit_allow_process_events=true
--audit_allow_sockets=true
--audit_allow_user_events=true
--disable_endpointsecurity=false
--disable_endpointsecurity_fim=false
--enable_file_events=true
--enable_keyboard_events=true
--enable_mouse_events=true
--enable_yara_string=true
curious if anyone here can spot which of those entries is hosing osquery like that! One thing I tried was removing all lines that didn't have a value after the equals sign, but that didn't help.
--enable_tables=processes
is the cause likely; that disables everything else except that table
Also that’s not a default (the default is empty)
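A small diagnostic that ties the two halves of this thread together, added here as an example (it is not code from the thread or from the osquery project): it parses an osquery flags file, pulls the "no such table" errors out of osqueryd.INFO, and reports which missing tables are explained by an `--enable_tables` allow-list or a `--disable_tables` deny-list. Both flags are real osquery flags; the flags file and log lines below are constructed samples modelled on the ones posted above, with the `--enable_tables=processes` line the reply identified as the culprit added in.

```python
import re
from typing import Dict, List, Set

# Constructed sample flags file: the thread's trimmed list plus the
# --enable_tables line the reply blamed (its osquery default is empty).
SAMPLE_FLAGS = """\
--audit_allow_fim_events=true
--audit_allow_process_events=true
--disable_endpointsecurity=false
--enable_tables=processes
--enable_file_events=true
"""

# Constructed osqueryd.INFO excerpt modelled on the lines in the thread.
SAMPLE_LOG = """\
I0218 21:06:33.474445 -241893056 eventfactory.cpp:156] Event publisher not enabled: event_tapping: Publisher disabled via configuration
E0218 19:28:57.638203 -2145783808 scheduler.cpp:128] Error executing scheduled query pack_odk-detection_sketchy-fetcher-events: no such table: process_events
E0218 19:29:05.149111 -2145783808 scheduler.cpp:128] Error executing scheduled query pack_odk-detection_unexpected-privilege-escalation_macos: no such table: signature
E0218 19:29:16.931692 -2145783808 scheduler.cpp:128] Error executing scheduled query pack_odk-detection_unexpected-env-values-macos: no such table: process_envs
"""

FLAG_RE = re.compile(r"^--([A-Za-z0-9_]+)(?:=(.*))?$")
MISSING_TABLE_RE = re.compile(
    r"Error executing scheduled query (\S+): no such table: (\S+)"
)


def parse_flags(text: str) -> Dict[str, str]:
    """Parse a flagfile into {flag_name: value}; a bare flag gets ''."""
    flags: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FLAG_RE.match(line)
        if not m:
            raise ValueError(f"not a flag line: {raw!r}")
        flags[m.group(1)] = m.group(2) or ""
    return flags


def missing_tables(log_text: str) -> Dict[str, Set[str]]:
    """Map each table reported as 'no such table' to the queries needing it."""
    out: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        m = MISSING_TABLE_RE.search(line)
        if m:
            out.setdefault(m.group(2), set()).add(m.group(1))
    return out


def explain(flags: Dict[str, str], missing: Dict[str, Set[str]]) -> List[str]:
    """Attribute each missing table to the flag that hides it, if any."""
    findings: List[str] = []
    enabled = {t for t in flags.get("enable_tables", "").split(",") if t}
    disabled = {t for t in flags.get("disable_tables", "").split(",") if t}
    if enabled:
        findings.append(
            f"--enable_tables={','.join(sorted(enabled))} is set: every table "
            "not in this list is hidden (the default is empty, i.e. all tables)"
        )
    for table, queries in sorted(missing.items()):
        if enabled and table not in enabled:
            reason = "hidden by --enable_tables allow-list"
        elif table in disabled:
            reason = "hidden by --disable_tables"
        else:
            reason = "not restricted by enable/disable_tables; check publisher flags or platform support"
        findings.append(f"{table}: {reason}; breaks {', '.join(sorted(queries))}")
    return findings


if __name__ == "__main__":
    for line in explain(parse_flags(SAMPLE_FLAGS), missing_tables(SAMPLE_LOG)):
        print(line)
```

Point it at a real `/var/osquery/osquery.flags` and `/var/log/osquery/osqueryd.INFO` by reading those files into `parse_flags` and `missing_tables` instead of the samples; a table that shows up as unrestricted is the case where the answer lies with an event publisher flag or platform support rather than with the table allow-list.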