Osquerybeat Permission Error - No Queries possible

We are using Elastic-Stack 8.16.1 and also Elastic-Agents 8.16.1 integrated in Elastic Fleet. Currently, we are having problems with Osquery on Windows systems, where we traced the problem down to the following errors:

In the osquerybeat logs we see the following errors:

16:40:12.234 elastic_agent.osquerybeat osquery-default [elastic_agent.osquerybeat][info] osquerybeat stopped.
16:40:12.234 elastic_agent.osquerybeat osquery-default [elastic_agent.osquerybeat][error] Exiting: W1203 16:40:11.932215 14944 extensions.cpp:426] Will not autoload extension with unsafe directory permissions: C:\Program Files\Elastic\Agent\data\elastic-agent-8.16.1-b6da7f\components\osquery-extension.exe
W1203 16:40:12.007649 14944 fileops.cpp:1339] Failed to apply safe permssions to the database
E1203 16:40:12.022356 14944 shutdown.cpp:79] Cannot activate osq_config config plugin: Unknown registry plugin: osq_config: exit status 78
16:40:12.234 elastic_agent.osquerybeat osquery-default [elastic_agent.osquerybeat][error] Exiting: W1203 16:40:11.932215 14944 extensions.cpp:426] Will not autoload extension with unsafe directory permissions: C:\Program Files\Elastic\Agent\data\elastic-agent-8.16.1-b6da7f\components\osquery-extension.exe
16:40:12.234 elastic_agent.osquerybeat osquery-default [elastic_agent.osquerybeat][error] W1203 16:40:12.007649 14944 fileops.cpp:1339] Failed to apply safe permssions to the database
16:40:12.234 elastic_agent osquery-default [elastic_agent][info] Unit state changed osquery-default-8615bf9b-fad7-4cb2-ad5c-742f22f5f330 (HEALTHY->STOPPING): Stopping
16:40:12.234 elastic_agent osquery-default [elastic_agent][info] Unit state changed osquery-default (HEALTHY->STOPPING): Stopping
16:40:12.235 elastic_agent.osquerybeat osquery-default [elastic_agent.osquerybeat][error] E1203 16:40:12.022356 14944 shutdown.cpp:79] Cannot activate osq_config config plugin: Unknown registry plugin: osq_config: exit status 78
16:40:12.243 elastic_agent osquery-default [elastic_agent][info] Component state changed osquery-default (HEALTHY->STOPPED): Suppressing FAILED state due to restart for '13820' exited with code '1'
16:40:12.243 elastic_agent osquery-default [elastic_agent][info] Unit state changed osquery-default-8615bf9b-fad7-4cb2-ad5c-742f22f5f330 (STOPPING->STOPPED): Suppressing FAILED state due to restart for '13820' exited with code '1'
16:40:12.243 elastic_agent osquery-default [elastic_agent][info] Unit state changed osquery-default (STOPPING->STOPPED): Suppressing FAILED state due to restart for '13820' exited with code '1'

We have had this issue since the upgrade to Elastic-Stack 8.16.1 and the rollout of the new Agents to 8.16.1. Before, we were around 8.15.x.

What we found as a workaround:

In the folder "C:\Program Files\Elastic\Agent\data\elastic-agent-8.16.1-b6da7f\run\osquery-default\osquery", editing the file "osquery.flags" and adding the line "--allow_unsafe" seems to resolve the issue; however, this is not recommended according to the osquery documentation.

And of course, when setting the option in the Osquery Manager integration policy, it works too:


osquery/osquery#3727 mentions:
In order for an osquery binary, daemon or extension, to be considered “safe”, the following must hold true:

  1. The owner of the binary and containing parent directory is the Administrators group
  2. No lower privileged user account has Write permissions on either the binary or the containing parent directory.
  3. (Optional) the SYSTEM account may have full permissions on the binary and the containing parent directory.

Can you check that the above conditions apply under C:\Program Files\Elastic\Agent?

The command "C:\Program Files\Elastic\Agent\data\elastic-agent-8.16.1-b6da7f> icacls *" might help to verify why osquery considers the binaries or their parent folder unsafe (if the osquery binaries carry permissions for principals outside of the Administrators group, inherited from a parent folder, that would lead to this issue).
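As an added example (not code from the thread, from Elastic or from osquery), the following PowerShell script applies the three conditions quoted above to the extension binary and its containing directory, which is the pair osquery inspects. It assumes an elevated prompt, the install path from the post, and that TrustedInstaller may also hold full control, an addition not listed in the quoted conditions that is typical under Program Files.

```powershell
# Checks a file and its parent directory against osquery's "safe" conditions:
# owner is Administrators, and no principal outside the trusted set holds
# write-type rights. Install path and trusted set are assumptions; adjust them.
param(
    [string]$Path = 'C:\Program Files\Elastic\Agent\data\elastic-agent-8.16.1-b6da7f\components\osquery-extension.exe',
    # SYSTEM is allowed by the quoted conditions; TrustedInstaller is an assumption.
    [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller')
)

$admins = 'BUILTIN\Administrators'
$R = [System.Security.AccessControl.FileSystemRights]
# Any of these bits lets a principal alter the file, its ACL or its owner.
$writeMask = [int]($R::Write -bor $R::Delete -bor $R::ChangePermissions -bor
                   $R::TakeOwnership -bor $R::Modify -bor $R::FullControl)

function Test-OsqueryPathSafety {
    param([string]$Target)
    $acl = Get-Acl -Path $Target
    $problems = @()
    # Condition 1: the owner must be the Administrators group.
    if ($acl.Owner -ne $admins) {
        $problems += "owner is '$($acl.Owner)', expected '$admins'"
    }
    # Condition 2: no lower-privileged principal may hold write-type rights.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($Trusted -contains $id) { continue }
        # Cast to int so generic-right ACEs outside the enum still compare.
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            $origin = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
            $problems += "$id has $($ace.FileSystemRights) ($origin)"
        }
    }
    [pscustomobject]@{
        Path     = $Target
        Safe     = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# osquery evaluates both the binary and its containing directory.
Test-OsqueryPathSafety -Target $Path
Test-OsqueryPathSafety -Target (Split-Path -Path $Path -Parent)
```

An inherited entry in the Problems column points at the parent folder whose ACL grants the write access, which is the case the reply above describes.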