Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
p
Praveen Kumar
09/03/2022, 2:38 PMAnother Query !...
How to write the C++ Query to get fetch the list of users from the system ? like select uid from users; (edited)
require a help for even the above issue.
m
Mike Myers
09/06/2022, 5:00 PMI am surprised we don't have any SDK example of reading from an osquery core table using an extension. This is possible, right? @Stefano Bonicatti
s
sharvil
09/06/2022, 5:16 PMI think it is possible by doing something like
osquery::SQL::selectFromAh, here is an example -- https://github.com/trailofbits/osquery-extensions/blob/master/network_monitor/src/dnseventspublisher.cpp#L62 🙂
s
Stefano Bonicatti
09/06/2022, 5:22 PMYeah in general anything that gets translated to a registry call then can travel through the thrift connection.
In the past as far as I recall we had the, problematic, ability to write the rocksdb database from extensions
https://github.com/osquery/osquery/blob/d2be385d71f401c85872f00d479df8f499164c5a/osquery/sql/sql.cpp#L126-L135
This is a more advanced view of what you can do and need more digging in the source code (I cannot too list the things you can do ^^’)
p
Praveen Kumar
09/06/2022, 6:41 PMAnother query related to same issue:
auto sw_vers = SQL::selectAllFrom("plist", "path", EQUALS, kVersionPath); kVersionPath = '/System/Library/CoreServices/SystemVersion.plist' fetchs the empty data. please look into this
please find the screenshot from the xcode
m
Mike Myers
09/06/2022, 7:43 PMIs this in osquery's code, or in your extension?
Building from the latest code, on macOS 12.5.1, osquery reports the correct values in the
os_versionp
Praveen Kumar
09/07/2022, 3:50 AMsee my xcode hierarchy:
verify the macosx deployment target from xcode
Any resolution on my questions!.....
Even I got same issue after upgrading my xcode to 13.4.1.
m
Mike Myers
09/09/2022, 7:33 PMHow are you querying the
os_versionselect * from os_version;osqueryi