osquery/osquery

apt_sources and Deb822-style format


Bug report

What operating system and version are you using?

version = 12 (bookworm)
build =
platform = debian

What version of osquery are you using?

version = 5.7.0

What steps did you take to reproduce the issue?

Osquery "apt_sources" query execution is failing with the message "Cannot open file for reading: /etc/apt/sources.list". The error occurs as this query relies on the existence of a file that is not present on the filesystem.

I've adhered to the Deb822-style format (https://repolib.readthedocs.io/en/latest/deb822-format.html), and as part of the configuration, I deliberately exclude the "/etc/apt/sources.list" file.
It's noteworthy that Osquery currently does not inspect files with the ".sources" extension.

# 1. adhered to Deb822-style format
# 2. delete /etc/apt/sources.list
# 3. run the following command
osqueryi --line "select name from apt_sources;"
W0125 19:24:02.123013  5283 glog_logger.cpp:34] Cannot open file for reading: /etc/apt/sources.list

What did you expect to see?

A list of repository names.

What did you see instead?

osqueryi --line "select name from apt_sources;"
W0125 19:24:02.123013  5283 glog_logger.cpp:34] Cannot open file for reading: /etc/apt/sources.list
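To illustrate what the report asks the table to cover, the following added example (not part of the issue and not osquery's code) parses Deb822-style `.sources` stanzas into one row per type, URI and suite, so repositories can still be inventoried when `/etc/apt/sources.list` is absent. The function names, the sample stanzas and the `example.invalid` URL are constructed for illustration.

```python
# Added example: minimal Deb822 ".sources" parser (not osquery code).
SAMPLE = """\
# constructed sample, modelled on a Debian 12 debian.sources file
Types: deb deb-src
URIs: http://deb.debian.org/debian
Suites: bookworm bookworm-updates
Components: main
 contrib
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: http://example.invalid/repo
Suites: stable
Components: main
Enabled: no
"""

def parse_stanzas(text):
    """Split Deb822 text into stanzas: dicts of lower-cased field -> value."""
    stanzas, current, last = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):            # comment line
            continue
        if not line.strip():                # blank line ends the stanza
            if current:
                stanzas.append(current)
            current, last = {}, None
        elif line[0] in " \t" and last:     # continuation of previous field
            current[last] += " " + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip().lower()      # field names are case-insensitive
            current[last] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def list_sources(text):
    """Expand each stanza into one row per (type, URI, suite) combination."""
    rows = []
    for s in parse_stanzas(text):
        enabled = s.get("enabled", "yes").lower() != "no"
        for typ in s.get("types", "").split():
            for uri in s.get("uris", "").split():
                for suite in s.get("suites", "").split():
                    rows.append({"type": typ, "uri": uri, "suite": suite,
                                 "components": s.get("components", "").split(),
                                 "signed_by": s.get("signed-by", ""),
                                 "enabled": enabled})
    return rows
```

On a real host the input would be the contents of each `*.sources` file under `/etc/apt/sources.list.d/`; rows with `enabled` set to false are kept so that disabled repositories remain visible in the inventory.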