• Robin Powell, 10 months ago
    I'm trying to understand https://github.com/osquery/osquery/pull/7132 and its impact better; I have easy access to 4.9.0 in my environment but not 5.0, so can someone give me an example of a query with pid_with_namespace that'll actually work on 4.9? Like I think I want something like select * from deb_packages where pid_with_namespace=???, where ??? points to a container that's running something debian-flavored, but I'm not sure what that should be or the results I should expect.
  • select * from deb_packages where pid_with_namespace=15934;
    (where 15934 is the PID of a container process) did not work for me; no output at all.
  • osquery> select * from deb_packages where pid_with_namespace=4026533189;
    E0924 18:03:15.583657 13777 linux_table_container_ipc.cpp:125] Container worker of table deb_packages exited with exit status: 1
    E0924 18:03:15.583695 13777 linux_table_container_ipc.cpp:443] Table deb_packages failed to retrieve QueryData from the container: Pipe to the table deb_packages closed while reading
    (where 4026533189 is the pid namespace id of said container) also doesn't work, but in a far more interesting way.
  • If there's documentation for this somewhere, that would be fantastic. 😃
  • Stefano Bonicatti, 10 months ago
    Hi! The pid_with_namespace should indeed be compared against a pid that is running inside the container namespace.
  • If there's no output, either there wasn't anything to return or maybe some low level error happened. Have you tried running with --verbose? Btw osquery should run as root, and to get a pid to test, if the container is Docker, you could use the docker_containers table and its pid column.
  • Robin Powell, 10 months ago
    Huh. I was assuming that only osqueryd needed to be running as root, but yeah, running osqueryi as root did the trick, thanks!
  • Stefano Bonicatti, 10 months ago
    osqueryi is just a symlink to osqueryd; they are the same.
  • Robin Powell, 10 months ago
    I'm in this weird place of having recently moved to a team that manages Apple's internal osquery but having not previously used it as a user, so like I've read a ton of the osquery code but I don't actually understand a lot of the basics. 😄
  • Ah, see, I assumed osqueryi was talking to the running osqueryd.
  • Stefano Bonicatti, 10 months ago
    It's a trick where osqueryd reads how it has been launched, and if it has been launched as osqueryi it shows the shell. osqueryd -S is another way to get the shell. So it's all the same binary that needs those permissions 🙂
  • Robin Powell, 10 months ago
    Got it, thanks.
  • Can you confirm that if I don't specify pid_with_namespace, it's not going to try to talk to containers when I just do a normal query from one of these tables? I've looked at the code and I'd place money that that's correct, that it only talks into containers when pid_with_namespace is given, but I'd love confirmation.
  • seph, 10 months ago
    "Ah, see, I assumed osqueryi was talking to the running osqueryd." This is a common assumption, but osquery is completely different. 🙂
    Though it looks like a database, it's much closer to an API translation layer. Run select * from x and that's translated into some API call, massaged into sqlite, and returned. In that light, osqueryi and osqueryd are totally separate; both launch that same translation layer.
  • Events are a bit of a caveat here; those are more like a traditional db.
  • And you can use .connect to connect an osqueryi to a running osqueryd, but those are the special cases.
  • Stefano Bonicatti, 10 months ago
    A bit of a late response about pid_with_namespace when it's not present, and yes, that's correct. The column exists to tell the table to join the namespace of the container to permit querying the container; otherwise the table behaves as normal, querying the host.
  • We have some columns that behave like logic/behavior switches, and they are normally marked as additional in the table spec file; for instance for deb_packages: https://github.com/osquery/osquery/blob/551f3f65f5b4dd97511d892e396d44bd5ee3cb08/specs/linux/deb_packages.table#L16
  • Robin Powell, 10 months ago
    Thanks!