Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hi all, working on improving some checks for our deployed endpoint , to check if an application feature is enabled or disabled, we need to inspect a file for :

```...
"actual" : "on",
...```
When the feature is disabled we get:

```...
"actual" : "off(reason=disabledManually)",
...```
Any direction on how to check the value of a line in a file, I suspect we may need carves enabling but am keen to hear if there are alternatives, thank you in advance :man-bowing:

hey <@U3TNCHLSY>, carving would definitely work, but depending on how the file is structured: one could write an augeas lens or a yara signature to match on that

You could also use the `file_lines` table (<https://github.com/macadmins/osquery-extension/blob/main/main.go#L53>) from the macadmins extension. If you are using Orbit, this is bundled already.

To update this thread, the solution chosen would be to employ the use of `augeas` table, ensuring the appropriate augeas lense is present to parse the json file in question; currently this is planned future work;