Set packs using the Remote Settings API #3381

Open
thedrow opened this issue Jun 3, 2017 · 6 comments
Comments

@thedrow
Contributor

thedrow commented Jun 3, 2017

The Remote Settings API only allows you either to schedule queries to be executed immediately or to run them via the schedule.
You cannot activate or deactivate query packs using the Remote Settings API, AFAICT.
This feature should be supported.

@theopolis
Member

Hey @thedrow, I want to clarify a bit: do you mean you cannot affect the schedule or configured packs via the 'distributed' query endpoints?

@thedrow
Contributor Author

thedrow commented Jun 4, 2017

It seems that the distributed API does not allow setting the packs configured for an osqueryd process. The API only affects the schedule.

@obelisk
Contributor

obelisk commented Jun 6, 2017

If you use remote configuration you can do this though, correct? Remote configuration can also be set to update periodically.

@thedrow
Contributor Author

thedrow commented Jun 8, 2017

I am using remote configuration. Packs are not being set.

@pubkraal

I'd like to bump this issue. I've been trying to configure packs using the TLS configuration, and the client logs these requests as:

config.cpp:683] Error reading the query pack named: osx-attacks

Whereas if you use the exact same osquery.conf from the filesystem, it functions fine.

@Smjert Smjert added feature and removed question labels Dec 28, 2019
@javuto
Contributor

javuto commented May 15, 2020

Bumping this issue since I am experiencing the same issue. Running osquery 4.2.0 and using the sample files /usr/share/osquery/packs/osquery-monitoring.conf and /usr/share/osquery/packs/incident-response.conf. Using the same files from a local configuration, the packs are loaded properly.

Configuration used:

{
  "options": {
    "schedule_splay_percent": 0,
    "verbose": true
  },
  "schedule": {
    "uptime": {
      "query": "SELECT * FROM uptime;",
      "interval": 60
    }
  },
  "packs": {
    "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
    "incident-response": "/usr/share/osquery/packs/incident-response.conf"
  }
}

While using the local configuration provided with --config_path, it loads and the queries start running:

I0515 03:07:00.921052 19669 scheduler.cpp:96] Executing scheduled query pack_osquery-monitoring_osquery_info: select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid;
I0515 03:07:00.967929 19669 scheduler.cpp:159] Found results for query: pack_osquery-monitoring_osquery_info

While using the TLS plugin to deliver the same configuration, the error is the same as mentioned above:

W0515 03:16:55.525812 20306 config.cpp:687] Error reading the query pack named: osquery-monitoring
W0515 03:16:55.525852 20306 config.cpp:687] Error reading the query pack named: incident-response

Note that when taking the content of those files and pasting it as a JSON object to be delivered as the configuration, it works as expected, so it must be a problem with reading the external file.
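As an added example (not from this issue and not osquery's own code), a server-side workaround that matches the observation above: before the TLS config endpoint serves the configuration, resolve every pack given as a file path into its inline JSON object, and fail loudly on a pack that cannot be read instead of letting the agent silently drop it. The pack contents and the `read` callback are constructed stand-ins; the config shape and paths are the ones from this issue.

```python
import json
from pathlib import Path
from typing import Callable

# Constructed sample: the remote config from the issue, with packs as paths
# that only exist on the agent's disk, which is why the TLS plugin cannot read them.
REMOTE_CONFIG = {
    "options": {"schedule_splay_percent": 0, "verbose": True},
    "schedule": {"uptime": {"query": "SELECT * FROM uptime;", "interval": 60}},
    "packs": {
        "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
        "incident-response": "/usr/share/osquery/packs/incident-response.conf",
    },
}

# Constructed stand-ins for the pack files (the real sample packs are larger).
PACK_FILES = {
    "/usr/share/osquery/packs/osquery-monitoring.conf": json.dumps({
        "queries": {"osquery_info": {"query": "select * from osquery_info;", "interval": 60}}
    }),
    "/usr/share/osquery/packs/incident-response.conf": json.dumps({
        "queries": {"listening_ports": {"query": "select * from listening_ports;", "interval": 600}}
    }),
}


def read_from_disk(path: str) -> str:
    """Default reader: load a pack file from the config server's filesystem."""
    return Path(path).read_text()


def inline_packs(config: dict, read: Callable[[str], str] = read_from_disk) -> dict:
    """Return a copy of config with every path-valued pack replaced by the parsed
    pack object. Packs already given as objects are left alone. A missing,
    unreadable or malformed pack raises ValueError so the bad config is never served."""
    out = json.loads(json.dumps(config))  # deep copy; the caller's dict is untouched
    for name, pack in list(out.get("packs", {}).items()):
        if isinstance(pack, dict):
            continue  # already inline, nothing to resolve
        try:
            body = json.loads(read(pack))
        except (OSError, KeyError, ValueError) as exc:
            raise ValueError(f"cannot inline pack {name!r} from {pack!r}: {exc}") from exc
        if not isinstance(body.get("queries"), dict):
            raise ValueError(f"pack {name!r} has no 'queries' object")
        out["packs"][name] = body
    return out
```

Serve `json.dumps(inline_packs(REMOTE_CONFIG))` from the config endpoint; the agent then receives the same JSON it would have read from disk locally.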
