kube-query
Does this require the binary to be run with sudo?
Looks like a very interesting project. I installed the latest stable version of osquery (4.3.0 as we speak) and when I try to run:
sudo ./kube-query -socket=/Users/xxxxx/.osquery/shell.em -kubeconfig=/Users/xxxxx/.kube/config --timeout=10
I see that the osqueryd logs are stuck at
I0609 21:16:44.540201 97325056 interface.cpp:108] Registering extension (kube-query, 1615, version=, sdk=)
Any idea what might be going wrong there?
Hi @anoop2811, thanks for taking an interest in kube-query! Sorry for the delay on our part. Can you provide more info? What is your osquery setup? Are you using the osqueryi shell?
Hi @danielsagi, I installed the latest osquery from their website. Also, I was using osqueryd and not the shell.
Hi @anoop2811,
I can't quite understand your issue. If I refer to your title, then yes: kube-query should be run as root to access the osquery socket.
But if you use osqueryd to run scheduled queries, you might want to pass --extensions_autoload=/etc/osquery/extensions.load and not run the binary manually.
About the message you see, "Registering extension (kube-query, 1615, version=, sdk=)": this is a normal log. Do you run osqueryd with --verbose? If not, you should not see more logs from the extension. Now, when you say it is stuck, do you have some scheduled queries which are not running?
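Added example (not part of the thread, and not kube-query or osquery code): a pre-flight check for the entries of the extensions.load file mentioned in the last reply. It assumes osquery's autoload requirements as documented upstream, namely that an autoloaded binary's name ends in .ext and that the file is owned by a trusted account and not writable by anyone else; the function names and the default owner uid of 0 are assumptions.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not kube-query or osquery code.

# check_autoload_entry PATH [OWNER_UID]
# Prints "ok" and returns 0 when PATH looks safe to autoload, else prints why not.
check_autoload_entry() {
    path=$1
    want_uid=${2:-0}    # assumption: extensions are root-owned unless told otherwise

    case $path in
        *.ext) ;;
        *) echo "name does not end in .ext"; return 1 ;;
    esac
    [ -f "$path" ] || { echo "not a regular file"; return 1; }
    [ -x "$path" ] || { echo "not executable"; return 1; }

    # ls -ldn prints the mode string in field 1 and the numeric owner in field 3
    # on both GNU and BSD/macOS userlands.
    mode=$(ls -ldn -- "$path" | awk '{print $1}')
    uid=$(ls -ldn -- "$path" | awk '{print $3}')

    [ "$uid" = "$want_uid" ] || { echo "owned by uid $uid, expected $want_uid"; return 1; }
    case $mode in
        ?????w*|????????w*) echo "writable by group or other ($mode)"; return 1 ;;
    esac
    echo "ok"
}

# check_load_file FILE [OWNER_UID]
# Checks every non-empty line of an extensions.load file; returns 1 if any entry fails.
check_load_file() {
    bad=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        [ -n "$entry" ] || continue
        if reason=$(check_autoload_entry "$entry" "${2:-0}"); then
            echo "OK   $entry"
        else
            echo "FAIL $entry: $reason"
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}
```

After sourcing the file, `check_load_file /etc/osquery/extensions.load` reports each entry and returns non-zero if any of them would be a risky thing to hand to a root-run osqueryd.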