https://github.com/osquery/osquery logo
Join Slack
Powered by
Does osquery support `NOT EXISTS` ? I'm trying to...
# fleet
j
Does osquery support 
NOT EXISTS
? I'm trying to run a query for a policy that will return true if a process is not running... I;m running into issues.
m
It should. Can you paste the query you are trying to use?
j
SELECT * FROM processes WHERE name NOT EXISTS(SELECT name from processes WHERE name = "Google Chrome");
I get a syntax error 
Error: near "EXISTS": syntax error
- I'm new to this operator so maybe I'm doing this wrong
s
I think one can do 
1-EXISTS
trick
something like 
SELECT (1-EXISTS(SELECT name from processes WHERE name = "Google Chrome"))
m
the problematic part is 
name NOT EXISTS
, it should be
Copy code
SELECT * FROM processes WHERE NOT EXISTS (SELECT name from processes WHERE name = "Google Chrome");
But, I’m not sure exactly what you are trying to do here. Are you trying to find processes that aren’t chrome? You could do
Copy code
SELECT * from processes WHERE name != "Google Chrome";
j
I'm trying to detect if chrome is NOT running
k
I think Michal's first example is perfect for that. For simplicity's sake, I'd change the select a little:
Copy code
SELECT 1 WHERE NOT EXISTS (SELECT 1 from processes WHERE name = "Google Chrome");
That way you get your 
true
without selecting data you don't need.
Here's an example of a policy checking for something not being present: https://fleetdm.com/queries/no-1-password-emergency-kit-stored-on-desktop-or-in-downloads-mac-os
j
oh yeah, my example query was just showing more info for debugging purposes.
how is 
SELECT 1 FROM processes WHERE NOT EXISTS (SELECT name from processes WHERE name = "Google Chrome") LIMIT 1;
from your perspective ?
k
I cleaned up the example a little more 🙂
j
perfect - thanks!!
k
Since the whole "Double positive to prove a negative" thing is a little confusing.... IF the policy is "Google Chrome is not running" and you want a pass when it is not or a fail if it is, that's the right query.
j
yes, just for full clarity I'm trying to create a policy that passes if your version of Chrome is up to date OR google chrome isn't running (because you likely don't use it)
k
Thanks! Can never be too careful with twisty logic.
j
I actually did look at that one and cribbed a little from it.
Our issue is that we deliver all laptops with Google Chrome (and Firefox) - so users have a choice.. but I don't want your policy to fail if your chrome is out of date but you aren't actively using Chrome
k
Totally makes sense. I think you're querying the right thing here, assuming that you've got an integration or webhook set up for your policies so that you aren't just relying on whether they were running Chrome when the most recent policy check happened. Though if people are using Chrome it's usually always running, so that may just be a made up concern :)
j
you are following my thoughts exactly. The query isn't perfect but I'm most likely to catch "active" Chrome users with out of date browsers
do you know of any way to dynamically grab the latest version in these queries?
I was thinking of maybe using the API for Fleet and the API for endoflife.date and modifying the policy queries that way
but maybe there is an easier way
k
I feel like I ran across someone before that was using a cron job to periodically query endoflife and update the policy with either the API or 
fleetctl
Let me see what I can dig up....
j
thx!
I will likely use Tines.io for this
3 Views
Open in Slack
PreviousNext
Powered by