Hi all! I have a series of queries I pulled from ...
# fleetm
Mike S.
11/06/2024, 3:58 PMHi all! I have a series of queries I pulled from https://github.com/chainguard-dev/osquery-defense-kit - they are all in .sql format, and it looks like fleetctl ingests yaml files for queries. Do I need to convert them, or is there some method to pull them in as-is?
z
Zay Hanlon
11/06/2024, 4:09 PMhey @Mike S. - you can follow the guide for importing groups of queries via fleetctl https://fleetdm.com/guides/import-and-export-queries-in-fleet#basic-article
m
Mike S.
11/06/2024, 4:18 PMThank you Zay! It look like we'll need to convert these from the SQL format to a YAML format that Fleet recognizes. Are there any conversion tools available? I have around 270 queries I would need to convert manually.
b
Brock Walters
11/06/2024, 5:14 PMHi @Mike S. We don't have any official linting / tooling for an operation like this (that I know of, there may be some cool yaml population thing on Homebrew...) but i think this is something you could do with sed, kind of a find & replace operation. If you can give me a couple of examples of what you are trying to put in the yaml I may be able to give an example of how to do this with a shell script. Thanks!
Brock Walters
11/06/2024, 5:53 PM@Mike S. now that I've thought about it for a minute
yqBrock Walters
11/06/2024, 5:53 PM Copy code
yq -i '
.a.b[0].c = "cool" |
.x.y.z = "foobar" |
.person.name = strenv(NAME)
' file.yamlz
Zay Hanlon
11/06/2024, 6:02 PM@Mike S. sorry! i missed that part of the question
m
Mike S.
11/06/2024, 6:19 PM@Zay Hanlon No worries!
Mike S.
11/06/2024, 6:21 PM@Brock Walters I'll check that out! As for examples, here's a couple:
last.sql
-- Retrieves the list of the latest logins with PID, username and timestamp.
--
-- tags: postmortem
-- platform: posix
SELECT
*
FROM
last;
---------------
dns_resolves.sql
-- Return the list of configured DNS servers on this system
--
-- tags: postmortem
-- platform: posix
SELECT
*
FROM
dns_resolvers;
b
Brock Walters
11/07/2024, 3:43 AMHi @Mike S. So, this is a little hacky, but should give you the idea. It is totally dependent on the formatting you sent above (I am using shell commands to parse the format...)
Copy code
#!/bin/bash
sqlfile='/Users/brock/Desktop/sql.txt'
tmpfile='/private/tmp/tmp.yml'
ymlfile='/Users/brock/Desktop/sql.yml'
while read -r line
do
case "$line" in
*.sql ) sqlarry+=("$line") ;;
esac
done < "$sqlfile"
for i in "${sqlarry[@]}"
do
sqlrcrd="$(/usr/bin/sed -n "/$i/,/^----/p" "$sqlfile")"
sqlname="$(echo "$sqlrcrd" | /usr/bin/sed -n '1p')"
sqldesc="$(echo "$sqlrcrd" | /usr/bin/sed -n 's/-- //g;2p')"
sqlqrry="$(echo "$sqlrcrd" | /usr/bin/awk '/^-- platform:/{flag=1;next}/^----.*/{flag=0}flag' | /usr/bin/sed 's/[[:space:]]//g' | /usr/bin/tr '\n' ' ' | /usr/bin/sed 's/[[:space:]]*$//g')"
/usr/bin/touch "$tmpfile"
/opt/homebrew/bin/yq -i ".apiVersion=\"v1\" | .kind=\"query\" | .spec.description=\"$sqldesc\" | .spec.name=\"$sqlname\" | .spec.query=\"$sqlqrry\"" "$tmpfile"
cat "$tmpfile" >> "$ymlfile"
echo '---' >> "$ymlfile"
/bin/rm -f "$tmpfile"
done Copy code
apiVersion: v1
kind: query
spec:
description: Retrieves the list of the latest logins with PID, username and timestamp.
name: last.sql
query: SELECT * FROM last;
---
apiVersion: v1
kind: query
spec:
description: Return the list of configured DNS servers on this system
name: dns_resolves.sql
query: SELECT * FROM dns_resolvers;
---m
Mike S.
11/07/2024, 6:18 PMThis is great, thank you!
7 Views