This will select the latest boot time from the Apple System Log data structure. Any thoughts on this query? Will it always work?
SELECT MAX(asl.time) boot_time FROM asl WHERE asl.sender = 'bootlog';
SELECT * FROM system_info WHERE NOT EXISTS (SELECT * FROM processes WHERE name LIKE '%auditd%');
does not return any results
SELECT * FROM file WHERE filename LIKE '%example%';
but I'm getting this error
WITH forbidden_commands(cmd) AS (SELECT * FROM (VALUES ('rsync'), ('ngrok'), ('curl'), ('scp'), ('nc'))) SELECT username, uid, command FROM shell_history JOIN forbidden_commands ON shell_history.command LIKE ('%' || forbidden_commands.cmd || '%') JOIN users USING(uid);
It looks like it is joining against the users table?
W0514 12:24:23.284471 17017 virtual_table.cpp:959] The shell_history table returns data based on the current user by default, consider JOINing against the users table
on a schedule, does that read the whole
select * from shell_history
every time, or does it diff it in some way?
looking at getting process name for anything in
osquery> select distinct lp.pid, p.name, lp.port, lp.protocol, lp.family from listening_ports lp join processes p on lp.pid = p.pid where lp.family <> '' and lp.port > 0 and lp.port not in (80, 443);
that's not 80 or 443?
SELECT * FROM registry WHERE path LIKE 'HKEY_USERS\%\Software\Microsoft\Office\%'
data structures that represent the tables independently of SQLite. In particular, I'm looking into how
works. Any pointers would be much appreciated! Is there a primer on how tables work under the hood?
statement in some queries where I need to calculate the percentage. For example
I expect the percentage to have
SELECT path, type, ROUND((blocks_available * blocks_size * 10e-10), 2) AS free_gb, ROUND ((blocks_available * 1.0 / blocks * 1.0) * 100, 2) AS free_perc FROM mounts WHERE path = '/';
after the decimal point, but instead I get values like
. Can anyone tell why this is or how I can fix this? These long numbers are hard to read for percentage values.
sorry for the newb question
select hostname from system_info; select address from interface_addresses; select version from kernel_info;