How can I cancel a pending Lock?
# fleet
j
How can I cancel a pending Lock?
z
hey @James what version of Fleet are you running, and is this a macOS, Windows or Linux host?
do you have access to the Fleet database?
https://github.com/fleetdm/fleet/issues/19581 - we have an issue filed to track the ability to cancel scripts (not prioritized into a sprint yet, but something we want to get to this year). there may be a hack-y way to get around this, but depends on the host
j
The host is a linux host running plain osquery (not fleet)
k
Then you're good! The lock script will never send. You can either delete the host from Fleet so that it re-enrolls or you can manually remove the pending script from the Fleet database.
If you'd like to go with the database option, I can send over a query for you.
Always proceed with caution when altering the Fleet database. That being said, this is a pretty low-risk change to make, you just need the host_id in question:
DELETE FROM host_script_results WHERE host_id= <host id>
j
Will give that a try. But seems weird that there's no way to cancel a pending lock/wipe/etc. I can imagine a scenario where e.g. an employee reports a device as lost, so a wipe is scheduled; but then found again in a powered off state: booting it just for it to get wiped would seem terrible!
k
That would be a great note to add to the feature request Zay linked!
j
The feature request linked seems to be particularly about scripts getting cancelled. The above scenario wouldn't be from the scripts page I imagine; but also for non-linux devices wouldn't even be a script?
z
@James for macOS that's correct - those are MDM commands vs scripts. we've got a separate issue to track those: https://github.com/fleetdm/fleet/issues/9645
commands are executed within seconds for online hosts, so this would really only apply to offline devices to try and catch the command/cancel before it's booted or on boot
for your specific question, linux hosts lock and wipe are executed as scripts so the cancel scripts issue should address it 🙂
j
@Kathy Satterlee I ran that now, and now the host page is a 404
mysql> delete from host_script_results where host_id=12;
Query OK, 1 row affected (0.01 sec)
And now https://myfleet.myurl/hosts/12 is a 404
k
Sorry, James. Might need to clean something else up, give me one minute.
Can you share what the error for that looks like in the Fleet server logs?
j
not seeing anything in logs so far....
any idea what to grep for?
ah, found it I think:
level=error ts=2024-07-29T15:00:02.779758622Z component=http user=james@turnkey.io method=GET uri="/api/latest/fleet/hosts/12?exclude_software=true" took=23.876556ms err="get host mdm lock/wipe status: get lock reference script result: : HostScriptResult 62eb5e55-54e3-4d69-a799-24d10e6dedb8 was not found in the datastore" uuid=86881ec5-aace-4292-8811-ec7793885da1
k
Here we go:
DELETE from host_mdm_actions WHERE host_id = 12
If that doesn't 100% solve it, we can hop on Zoom.
j
that fixed it 🙂
k
Brilliant! Sorry for the oversight on that.