Hi all I m trying to set up my own sqlite database with the osquery #general

Hi all, I'm trying to set up my own sqlite databas...

Stijn Tilborghs

01/05/2024, 12:30 PM

Hi all, I'm trying to set up my own sqlite database with the complete osquery (5.9.1) schema, for running some experiments. To do this I need the

create

statements of the entire schema for all OS's (277 tables according to https://www.osquery.io/schema/5.9.1 ).

.schema

is what I need, but it returns only 182 tables on my macbook. I also tried

.tables

and

SELECT * FROM osquery_registry

Any suggestions on how to get all 277 tables?

Stefano Bonicatti

01/05/2024, 1:05 PM

Hi @Stijn Tilborghs, that's because not all tables are present on all platforms. You can parse the JSON used by the website to generate that page, which has the information for each table: https://github.com/osquery/osquery-site/blob/source/src/data/osquery_schema_versions/5.10.2.json

Stijn Tilborghs

01/05/2024, 1:07 PM

I was afraid this might be the case 😅 Thanks Stefano.

Stefano Bonicatti

01/05/2024, 1:11 PM

There are also the spec files that osquery uses to generate the C++ for the tables: https://github.com/osquery/osquery/blob/master/specs/arp_cache.table

Stefano Bonicatti

01/05/2024, 1:12 PM

If that's simpler, given that the JSON is generated from those files in the end

Stefano Bonicatti

01/05/2024, 1:12 PM

Stijn Tilborghs

01/05/2024, 1:12 PM

The json looks good, probably not that much work. Alternatively I may just spin up a windows + linux VM and run osquery there.

Stijn Tilborghs

01/05/2024, 1:14 PM

Thanks for the links!

2 Views