# general

Filip

05/15/2023, 10:17 AM
I'm looking into the documentation and I didn't find any table which I can connect with users to do this.

seph

05/15/2023, 10:23 AM
macOS: the `apps` table. Windows: the `programs` table. Linux has rpm and dpkg tables.

Filip

05/15/2023, 10:26 AM
Are there any tables about vulnerabilities?
Our hosts are running Windows.

fritz

05/15/2023, 1:27 PM
@Filip osquery is a host telemetry agent designed to gather information about the local device (e.g. what processes are running, what underlying hardware is installed, etc.) using native APIs abstracted into relational database virtual tables. There is no table "about vulnerabilities" because that would mean the device had the feed of vulnerabilities locally available as part of its native OS. To accomplish what you are asking, you can compare local device data (e.g. installed programs) against external vulnerability feeds using third-party integrations, logging tools, or osquery-based SaaS services that have such functionality. The only way you could accomplish what you are asking within a single query using only vanilla osquery would be something like:
• Retrieve a feed of vulnerabilities from a remote endpoint using the `curl` table,
• Manipulate it to match the output format/schema of your desired osquery source (e.g. `programs`), by using things like `JSON_EXTRACT` to parse the feed.
• Perform some sort of version comparison using SQL functions (e.g. `SPLIT(version,'.',0) AS version_major`) to determine whether the software in question is vulnerable.

Filip

05/16/2023, 12:14 PM
Thanks @fritz, your answer is very helpful, will do that 🙂