https://github.com/osquery/osquery logo
Join Slack
Powered by
Hello all! I have a query using the apps table, a...
# fleet
m
Hello all! I have a query using the apps table, and I would like to see the users that are associated with the apps that are found. From what I can tell, the only piece of information that's the same across the apps table and the users or logged_in_users table is the Host column, which doesn't seem to be query-able. Is there a way to include the users associated with the apps?
u
Hi @Mike S. (osquery) ! How are you using this data? Are you running live queries or scheduled queries?
m
Hi @Kathy Satterlee Right now it's live queries
u
Are you looking to narrow down which applications are system wide vs user specific, or just wanting to have a quick view of the users on the host in the query results?
m
Here's the query - SELECT bundle_executable,last_opened_time, datetime(last_opened_time, 'unixepoch') AS last_opened_time FROM apps WHERE bundle_executable LIKE 'redacted' AND last_opened_time > strftime('%s', 'now', '-7 days'); Basically we'd want to see the user(s) associated with the host that ran the application we're looking for without running a separate query.
u
You could certainly join the users table, I'd likely do a group concat on that so that you don't get back a million rows. Let me throw something together.
m
Awesome, thank you!
k
I haven't forgotten about you @Mike S.
m
@Kathy Satterlee No worries, take your time.
k
This looks like a good starting place:
Copy code
WITH local_users AS (
 SELECT 
   GROUP_CONCAT (username, ', ') AS user_list
 FROM users 
 WHERE type <> 'special' 
   AND shell NOT LIKE '%/false' 
   AND shell NOT LIKE '%/nologin' 
   AND shell NOT LIKE '%/shutdown' 
   AND shell NOT LIKE '%/halt' 
   AND username NOT LIKE '%$'
) 
SELECT bundle_executable,
  datetime(last_opened_time, 'unixepoch') AS   last_opened_time,
  user_list
FROM apps 
JOIN local_users
WHERE apps.last_opened_time > strftime('%s', 'now', '-7 days');
m
Perfect, thank you!
I just threw in the bundle_executable name at the bottom and I'm golden.
k
Brilliant. The user query might need some tweaking, but it seems to get the job done fairly well as is.
m
Looks good to me - the output is pretty easy to understand: Example: account, _uucp, user1, user2, root
Open in Slack
PreviousNext
Powered by