osquery ERROR: transport error

[aszurnasirpal]

Hi,

While executing it on x64 linux (ubuntu) I see some errors in log:

2022-12-09 21:03:20 [fennec:422] ERROR Unable to execute osquery SQL query 'select cmdline,cwd,disk_bytes_read,disk_bytes_written,egid,euid,gid,name,nice,on_disk,parent,processes.path,md5,pgroup,pid,resident_size,root,sgid,start_time,state,suid,system_time,threads,total_size,uid,user_time,wired_size from processes JOIN hash USING (path)', ERROR: Unable to execute the query 'select cmdline,cwd,disk_bytes_read,disk_bytes_written,egid,euid,gid,name,nice,on_disk,parent,processes.path,md5,pgroup,pid,resident_size,root,sgid,start_time,state,suid,system_time,threads,total_size,uid,user_time,wired_size from processes JOIN hash USING (path)', ERROR: transport error

2022-12-09 21:03:26 [fennec:422] ERROR Unable to execute osquery SQL query 'SELECT path,md5,username,groupname,permissions FROM suid_bin JOIN hash USING (path)', ERROR: Unable to execute the query 'SELECT path,md5,username,groupname,permissions FROM suid_bin JOIN hash USING (path)', ERROR: transport error

2022-12-09 21:03:30 [fennec:422] ERROR Unable to execute osquery SQL query 'select * from groups join user_groups using (gid) join users using (uid)', ERROR: Unable to execute the query 'select * from groups join user_groups using (gid) join users using (uid)', ERROR: transport error

2022-12-09 21:03:37 [fennec:422] ERROR Unable to execute osquery SQL query 'select * from file where path like "/home/%%"', ERROR: Unable to execute the query 'select * from file where path like "/home/%%"', ERROR: transport error

2022-12-09 21:03:41 [fennec:422] ERROR Unable to execute osquery SQL query 'select * from file where path like "/root/%%"', ERROR: Unable to execute the query 'select * from file where path like "/root/%%"', ERROR: transport error

others queries are running fine.

[AbdulRhmanAlfaifi]

Hello,
Could you share the OS version and steps to reproduce

[aszurnasirpal]

OS: Ubuntu 22.04.1 LTS x86_64
Host: KVM/QEMU
Kernel: 5.15.0-1025-oracle

The program was executed without any switches: sudo ./fennec_linux_x86_64

[aszurnasirpal]

I uploaded log to pastebin

[AbdulRhmanAlfaifi]

I was able to reproduce the the issue you are facing. Fennec will timeout with queries that take more than the three seconds. This issue is actually in the osquery-rs library. It is a simple fix, I will be working on this and will let you know when it is fixed so you can check if it is working for you.

Thanks!

[AbdulRhmanAlfaifi]

Hi,
I just committed the changes. I added a timeout option -t to Fennec so you can set it depending in your system, by default it is 60 seconds. You can wait for the pipeline to finish creating the release or you can clone the repo and build it. I will keep this issue open until you test it and confirm it is working

Thank you for reporting this issue!

[aszurnasirpal]

Thanks for the quick update. I'm currently compiling the Fennec and will let you know how this new version behaves.

[aszurnasirpal]

I'm happy to report that this fix works as expected ;) This time output .json files were correctly created, and there are no more errors in fennec.log. So you can close this issue.