Does anyone know of a limit of any kind on the `sy...
# general
j
Does anyone know of a limit of any kind on the `systemd_units` table that would prevent showing everything available that you'd expect to see using `systemctl list-units --all` from the command line?
Here's what I think I see. On a node that has 1700+ unit files listed, osquery shows only 1000 of them.
f
If you manually set "LIMIT 2000" in your query, does the result change? Maybe there is a default limit (I don't think so, but just to rule it out).
j
It doesn't. If there's a limit, it might be in the dbus api layer so the data wouldn't ever reach the "sql layer" of osquery.
s
both the command and osquery run with the same user? Otherwise not sure; it should use the same communication channel so there's something that's not handled/requested.
j
Yes. Root in all cases.
s
mmm, if it's 1000 precisely, it might be that there's something that chunks the results and we are not looping.
something as in the specific dbus interface we are hitting
ah no ok, found it, there's a hardcoded limit.
j
rats. where's the limit defined?
f
💥
j
Should we increase the max or make it configurable?
s
I mean it depends on how it behaves when increasing that number; it seems reasonable to me to increase it or have something configurable to increase it, but I cannot say which one of the two without knowing the impact.