Title
#general
h

HarlanF

03/30/2022, 2:33 PM
I wonder if this is a bug or a feature? The command
select * from users
only comes up with local users, as the documentation states. Thus, anything I join it to (like
shell_history
) is similarly only local users. However, if you put in a where clause that calls out a specific username or uid, it'll grab information about non-local users (like myself, so easy to test). Is there some way to enumerate all the users?
2:33 PM
If it matters, I'm seeing this in v5.2.2 on CentOS Stream release 8
Stefano Bonicatti

Stefano Bonicatti

03/30/2022, 2:42 PM
What do you mean non-local users in the context of Linux? How are you connecting to that machine?
2:46 PM
oh sorry you mean users through ldap for instance
2:51 PM
So this is a side effect of the underlying system APIs the osquery uses. There’s currently no way to list non-local users/domain users; the API used by osquery loops through users that are defined in
/etc/passwd
(
getpwent_r
) But when you provide a uid, that uses
getpwuid_r
which also passes through the various translation layers, if defined, like NIS or LDAP.
2:58 PM
And no, there’s currently no way to list all users. Although I wonder what all means. All the ones that the client knows (because they interacted in some way), or all the users that could interact with it? (possibly thousands of domain users?)