@seph @fritz JFYI, I was wrong about line breaks is sql statements, real issue was

path

field, this field is kinda reserved or something, so ATC table can't contain such field in any form not

path

nor

Path

or

PATH

. If custom ATC table contains

path

osqueryd returns:

E0108 18:52:27.938575 33708 virtual_table.cpp:584] Error creating virtual table: trusted_binaries (1): SQLITE_ERROR

Hrm. IIRC defining path is a warning, not a fatal error

Well above is an actual message which almost drove me to the hair pulling point 🙂

Are you sure the underlying SQLite db has a path column?

That's my table

That lists path twice?

yes, first

path

was injected by osquery, and second

Path

is mine

Anyhow, I'm not in a position to generate test cases today, or review code. I'm not sure it's the existence of path, vs something else in you sql -- we have tables with path in them.

so once I've replaced my

Path

with

File

it works

@seph , @slevchenko is not wrong, i have run into the same fatal error where defining a column in the atc config as the name:

path

causes issues because it is reserved

Okay. I made a test case. I spent a bit of time playing with this. I'm not totally sure, but... 1. You can absolutely have an ATC with a

path

column. You'll get a warning about it being not suported. 2. In osquery, this appears to be a case sensitive set of operations. we check for a

path

column, and if found, emit a warning and don't add the osquery defined one. 3. But if you create a

Path

column, osquery doesn't know. 4. sqlite appears to be case insensitive. 5. So you can end up with a conflicting

Path

and

path

. You could get this by definging both a

path

and a

Path

column.

Thanks @seph, one bug less. I'm glad if my post helped even in slightest.

Thank you for reporting it!