Does anyone know if there’s a lightweight way to q...
# generalr
Ryan
11/05/2021, 3:38 PMDoes anyone know if there’s a lightweight way to query host metadata from, say, a YAML file on a host or something similar?
Ryan
11/05/2021, 3:38 PMAn example could be metadata about a host that is generated at provisioning time, and written to a file on the host somewhere, that we could query as a table?
g
Gavin
11/05/2021, 3:39 PMhttps://github.com/macadmins/osquery-extension
File Lines table ?
r
Ryan
11/05/2021, 3:39 PMintriguing
Ryan
11/05/2021, 3:39 PMthanks for the suggestion!
f
fritz
11/05/2021, 4:02 PM@Ryan If you do not want to deal with an extension you could simply write the metadata to a plist and use the built-in
plistfritz
11/05/2021, 4:03 PMIf you need it to be multi-platform you can create an augeas lens and ship that lens to your devices.
r
Ryan
11/05/2021, 4:03 PMAh that’s a nice one to know too, though these are Linux machines, not Mac.
f
fritz
11/05/2021, 4:03 PMAnother multi-platform option is encode the data in a sqlite db and then create an ATC for that DB file
👍 1
r
Ryan
11/05/2021, 4:03 PMDo you have any examples of an Augeas lens?
f
fritz
11/05/2021, 4:04 PMThe ATC is probably the most simple option that is multi-platform
r
Ryan
11/05/2021, 4:04 PMah yeah, just reading about that now
Ryan
11/05/2021, 4:04 PMvery interesting!
Ryan
11/05/2021, 4:04 PMthanks!
f
fritz
11/05/2021, 4:04 PMI wrote up a blog post on atcs:
https://blog.kolide.com/build-custom-osquery-tables-using-atc-ab112a30674c
r
Ryan
11/05/2021, 4:05 PMhaha yes that’s the one I was reading 😄
f
fritz
11/05/2021, 4:05 PM😜 You beat me to it!
fritz
11/05/2021, 4:05 PMGood luck, let me know if you have any questions.
r
Ryan
11/05/2021, 4:05 PMheheh
Ryan
11/05/2021, 4:05 PMthanks, yeah this looks very powerful/flexible
d
defensivedepth
11/05/2021, 7:56 PMIf you are just targeting Linux, you could write out the info you need to a sysctl parameter at deployment and then query it with the https://osquery.io/schema/5.0.1/#system_controls table
defensivedepth
11/05/2021, 8:09 PMTo be clear, havent tried it myself but I would think it should work
s
seph
11/06/2021, 2:58 AM
Or use a directory with cleverly named files as a rudimentary key/value store.
👍 1
seph
11/06/2021, 2:59 AM
There are some ways you can get pretty clever
➕ 2
m
Mystery Incorporated
11/08/2021, 2:10 AMEnvironment variables also work to stash and retrieve stuff but might not be great if you have a lot of stuff
r
Ryan
11/08/2021, 11:45 AMEnvironment variables? Do you have an example of that approach?
m
Mystery Incorporated
11/08/2021, 12:24 PMYup I put some values in environment variables and I have queries like:
Copy code
Windows: SELECT value FROM default_environment WHERE variable LIKE "%environment_variable_name_here%" LIMIT 1 Copy code
Ubuntu/Centos/Darwin: SELECT value FROM process_envs WHERE key LIKE "%environment_variable_name_here%" LIMIT 1Mystery Incorporated
11/08/2021, 12:25 PMSo I can set these environment variables on any device and fetch them with a query, if you control the metadata you would write it to envars instead of a file and fetch like that easy enough, but I don't know if there is size limits or what.
Mystery Incorporated
11/08/2021, 12:32 PMThis allows me to tag my hosts with like a company id and such that I can query. I then put the company name in a decorator query so I know which company the host belongs to for every query it responds to.
r
Ryan
11/09/2021, 2:49 PMOk, sounds interesting!
Ryan
11/09/2021, 2:50 PMWhen you talk about decorator queries, that’s the same as creating a label in Fleet interface or via Fleetctl right?
m
Mystery Incorporated
11/16/2021, 12:31 AM@Ryan nah labels in fleet return groups of hosts. A decorator query in osquery is a query that executes with every single query so for every query in my case it returns username, hostname and company name fetched from the envvar and it includes that with every single query executed
r
Ryan
11/23/2021, 3:23 PMahhh right, gotcha @Mystery Incorporated that’s very handy actually 🙂
👍 1
4 Views