William Guilherme
11/10/2020, 7:13 PM
Dan Achin
11/10/2020, 11:24 PM
demonbhao
11/11/2020, 2:44 AM
demonbhao
11/11/2020, 9:11 AM
Royha
11/11/2020, 2:26 PM
Dan Achin
11/11/2020, 9:42 PM
SELECT * FROM osquery_schedule;
Is this by design and how can I look at the schedule data from the interactive shell?
Grant
11/13/2020, 3:48 AM
Brandon
11/13/2020, 9:09 PM
Mystery Incorporated
11/16/2020, 4:23 AM
demonbhao
11/16/2020, 12:36 PM
dabm
11/17/2020, 12:41 PM
Ahmed Awadelkarim
11/17/2020, 2:28 PM
node_key? If I run osqueryd verbose with the tls_dump flag, and re-run the command that's returned to me as failing, from the command line it works fine and I get a value for the node_key I'd expect to see, but in the daemon it all comes back empty:
Daemon: {"node_key":""}
CLI: {"node_key": "abc123"}
Again, the command I am running from the CLI is what is returned to me from osqueryd tls_dump. I'm assuming this is likely a problem with the remote API but just want to confirm what the discrepancy may be between the daemon and CLI.
Usama Nathani
11/17/2020, 9:02 PM
fritz
11/18/2020, 2:40 PM
magic table or the signature table to discern architecture; both of these operations are relatively expensive (signature being much worse).
Example of magic:
WITH
  -- retrieve paths of app binaries and get magic data
  app_paths AS (
    SELECT
      REGEX_SPLIT(path, '/Contents/', 0) AS path,
      data AS arch
    FROM magic AS m
    WHERE m.path IN (
        SELECT file.path
        FROM file JOIN apps
        WHERE file.path LIKE apps.path || '/Contents/MacOS/%'
          AND file.type = 'regular')
      -- omit files that are not binaries
      AND mime_encoding = 'binary'
      -- omit symlinks
      AND mime_type != 'inode/symlink'),
  -- condense down result set with group by
  reduce_set AS (
    SELECT path, arch
    FROM app_paths
    GROUP BY path, arch)
-- rejoin on apps
SELECT name, arch FROM apps a CROSS JOIN reduce_set rs ON a.path = rs.path;
+-----------------------------------+---------------------------------+
| name                              | arch                            |
+-----------------------------------+---------------------------------+
| 1Password 7.app                   | Mach-O 64-bit executable x86_64 |
| A Better Finder Rename 10.app     | Mach-O 64-bit executable x86_64 |
| Acrobat Distiller.app             | Mach-O 64-bit executable x86_64 |
| Adobe Acrobat.app                 | Mach-O 64-bit executable x86_64 |
| Adobe After Effects 2020.app      | Mach-O 64-bit executable x86_64 |
| Adobe Audition 2020.app           | Mach-O 64-bit executable x86_64 |
| Adobe DNG Converter.app           | Mach-O 64-bit executable x86_64 |
| Adobe Illustrator.app             | Mach-O 64-bit executable x86_64 |
| Analyze Documents.app             | Mach-O 64-bit executable x86_64 |
| Make Calendar.app                 | Mach-O 64-bit executable x86_64 |
| Contact Sheets.app                | Mach-O 64-bit executable x86_64 |
| Web Gallery.app                   | Mach-O 64-bit executable x86_64 |
| Adobe InDesign 2021.app           | Mach-O 64-bit executable x86_64 |
| Adobe Lightroom.app               | Mach-O 64-bit executable x86_64 |
| Adobe Media Encoder 2020.app      | Mach-O 64-bit executable x86_64 |
| Adobe Photoshop 2020.app          | Mach-O 64-bit executable x86_64 |
| Adobe Premiere Pro 2020.app       | Mach-O 64-bit executable x86_64 |
| Alfred 3.app                      | Mach-O 64-bit executable x86_64 |
| Atom.app                          | Mach-O 64-bit executable x86_64 |
| Backup and Sync.app               | Mach-O 64-bit executable x86_64 |
| Capture One 10.app                | Mach-O 64-bit executable x86_64 |
| Capture One 12.app                | Mach-O 64-bit executable x86_64 |
| Capture One 20.app                | Mach-O 64-bit executable x86_64 |
| Charles.app                       | Mach-O 64-bit executable x86_64 |
| CorelDRAW Graphics Suite 2020.app | Mach-O 64-bit executable x86_64 |
| Corel Font Manager 2020.app       | Mach-O 64-bit executable x86_64 |
| Corel PHOTO-PAINT 2020.app        | Mach-O 64-bit executable x86_64 |
| CorelDRAW 2020.app                | Mach-O 64-bit executable x86_64 |
| CraftManager.app                  | Mach-O 64-bit executable x86_64 |
Zach Zeid
11/18/2020, 5:08 PM
demonbhao
11/19/2020, 8:51 AM
Macear
11/20/2020, 10:56 AM
Juan Alvarez
12/01/2020, 11:52 AM
git clone https://github.com/osquery/osquery
cd osquery
# Configure
mkdir build; cd build
cmake -G "Visual Studio 16 2019" -A x64 ..
# Build
cmake --build . --config RelWithDebInfo -j10 # Number of projects to build in parallel
cmake --build . --config RelWithDebInfo --target package
Thanks 🙂
abhatem
12/01/2020, 3:33 PM
Juan Alvarez
12/01/2020, 6:49 PM
demonbhao
12/02/2020, 7:11 AM
jby
12/02/2020, 8:59 AM
Zach Zeid
12/03/2020, 5:41 PM
osqueryi without loading a conf or flags file?
Dan Achin
12/03/2020, 9:10 PM
Mystery Incorporated
12/05/2020, 12:06 PM
eric m
12/05/2020, 9:09 PM
Zach Zeid
12/08/2020, 2:36 PM
Ben Montour
12/08/2020, 5:38 PM
osqueryslackfree
For everyone else, use code osqueryslack for 25% off.
Both offers will expire on Sat. 12/12.
Get tickets here: https://www.eventbrite.com/e/osqueryscale-2021-explore-from-home-tickets-126588572829
To make sure that this promotion is seen by the community, please don't share these promotions outside of this Slack channel.
Tao Jiang
12/08/2020, 6:09 PM
alessandrogario