https://github.com/osquery/osquery logo
Join Slack
Powered by
Another Query !... How to write the C++ Query to g...
# general
p
Another Query !... How to write the C++ Query to get fetch the list of users from the system ? like select uid from users; (edited) require a help for even the above issue.
m
I am surprised we don't have any SDK example of reading from an osquery core table using an extension. This is possible, right? @Stefano Bonicatti
s
I think it is possible by doing something like 
osquery::SQL::selectFrom
👆 1
s
Yeah in general anything that gets translated to a registry call then can travel through the thrift connection. In the past as far as I recall we had the, problematic, ability to write the rocksdb database from extensions
https://github.com/osquery/osquery/blob/d2be385d71f401c85872f00d479df8f499164c5a/osquery/sql/sql.cpp#L126-L135 This is a more advanced view of what you can do and need more digging in the source code (I cannot too list the things you can do ^^’)
p
Another query related to same issue:
auto sw_vers = SQL::selectAllFrom("plist", "path", EQUALS, kVersionPath); kVersionPath = '/System/Library/CoreServices/SystemVersion.plist' fetchs the empty data. please look into this
please find the screenshot from the xcode
Screenshot 2022-09-07 at 12.13.55 AM.png
m
Is this in osquery's code, or in your extension?
Building from the latest code, on macOS 12.5.1, osquery reports the correct values in the 
os_version
table
p
see my xcode hierarchy:
Screenshot 2022-09-07 at 9.20.20 AM.png
verify the macosx deployment target from xcode
Screenshot 2022-09-07 at 9.21.53 AM.png
Any resolution on my questions!.....
Even I got same issue after upgrading my xcode to 13.4.1.
m
How are you querying the 
os_version
table? When I tested it, it was 
select * from os_version;
in 
osqueryi
6 Views
Open in Slack
PreviousNext
Powered by