Hash module unavailable in osquery on macOS

Question

Hash module unavailable in osquery on macOS

Closed this issue 2 months ago · 3 comments

Bug report

What operating system and version are you using?

version = 14.4
  build = 23E214
platform = darwin

What version of osquery are you using?

version = 5.2.3

What steps did you take to reproduce the issue?

Install osquery release from package,

osqueryi --disable_enrollment --verbose --line "SELECT 1 works FROM yara WHERE path like '/Users/%/Downloads/%%' AND sigrule = 'import \"hash\" rule f { condition: true }' limit 1;"

What did you expect to see?

works = 1

What did you see instead?

I0321 15:07:30.599750 -283100480 init.cpp:357] osquery initialized [version=5.2.3]
...
I0321 15:07:30.635996 -283100480 yara_utils.cpp:50] YARA rule string (1): error: unknown module "hash"
W0321 15:07:30.636147 -283100480 yara.cpp:237] YARA compile error: Compilation error 1
I0321 15:07:30.636153 -283100480 yara.cpp:335] Query must specify sig_group, sigfile, or sigrule for scan
...

Answer 1 · 2024-03-21T22:13:53.000Z

Seems to impact "magic", "dex", "dotnet", and "console" as well, though these are less problematic for me personally.

Answer 2 · 2024-03-22T14:00:18.000Z

Hello @kcreyts, that osquery version is a bit old (2 years ago), but I suspect that until 5.8.0 it might have had that issue.
We've updated Yara then and changed the CMake to build it; compiling osquery from master works on macOS for me.
Can you try with the latest release, 5.11.0, and see if it works?

Answer 3 · 2024-04-22T22:25:30.000Z

that was it!