• j

    Jerome

    2 years ago
    I have an issue where parameters in osquery.conf seem ignored. I'm on Linux and I used the default conf file from /usr/share/osquery/osquery.example.conf and I just set up the parameter "disable_tables": "chrome_extensions", but when I start osqueryi or osqueryd the table is still available. Same if I explicitly provide the conf file:
    osqueryi --config_path=/etc/osquery/osquery.conf
    I don't understand what I'm doing wrong.
  • It works only when I use the flag --disable_tables=chrome_extensions
  • s

    sharvil

    2 years ago
    The table will be visible with disable_tables flag, but just not query-able
  • On querying, you should get an error along the lines of no such table
  • Is that not the case?
  • j

    Jerome

    2 years ago
    My issue is really "the conf file is ignored": none of the parameters are taken into account. I have "Error: no such table: chrome_extensions" when I use the flag but not when I use the config file.
  • s

    sharvil

    2 years ago
    Ah okay, I am on mobile, so can’t currently look into it. This sounds like a bug, can you open an issue on GitHub mentioning what osquery and Linux version you are running?
  • j

    Jerome

    2 years ago
    Yes, it sounds like a bug. I'm using the latest version 4.0.2. The bug is also here in Windows OS
  • ok I'll open an issue (but maybe not today)
  • s

    seph

    2 years ago
    Did this get solved as part of the windows quoting stuff in https://osquery.slack.com/archives/C0FHNQ2N6/p1573557161158200
  • j

    Jerome

    2 years ago
    this specific problem (cannot read ...) has been solved yes. But here I report another problem that seems to be a bug in the latest version of osquery. I have the issue on windows too (I'll check later on macos)
  • s

    seph

    2 years ago
    On macos, I’m seeing something a bit weird, but with a normal text file this works:
    dover:~ seph$ cat /tmp/c.conf 
    { "options": { "disable_tables": "chrome_extensions" } }
    dover:~ seph$  /usr/local/kolide-k2/bin/osqueryd -S --config_path /tmp/c.conf 
    Using a virtual database. Need help, type '.help'
    osquery> select version from osquery_info;
    +---------+
    | version |
    +---------+
    | 4.0.2   |
    +---------+
    osquery> select * from chrome_extensions;
    Error: no such table: chrome_extensions
    (It fails if I use process substitution)
  • So, what is your config file? Can you share a full example?
  • j

    Jerome

    2 years ago
    I send you my config file in PM
  • fyi we found a bug. When a query is defined in decorators the config file is ignored
  • s

    seph

    2 years ago
  • j

    Jerome

    2 years ago
    thank you very much 🙂
  • s

    seph

    2 years ago
    load ones are supposed to effect at load time, so there may be a specific bug where the load doesn’t happen, and then the config bails? Not sure