Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
r
Ryan
11/05/2021, 3:38 PMDoes anyone know if there’s a lightweight way to query host metadata from, say, a YAML file on a host or something similar?
An example could be metadata about a host that is generated at provisioning time, and written to a file on the host somewhere, that we could query as a table?
g
Gavin
11/05/2021, 3:39 PMhttps://github.com/macadmins/osquery-extension
File Lines table ?
r
Ryan
11/05/2021, 3:39 PMintriguing
thanks for the suggestion!
f
fritz
11/05/2021, 4:02 PM@Ryan If you do not want to deal with an extension you could simply write the metadata to a plist and use the built-in
plistIf you need it to be multi-platform you can create an augeas lens and ship that lens to your devices.
r
Ryan
11/05/2021, 4:03 PMAh that’s a nice one to know too, though these are Linux machines, not Mac.
f
fritz
11/05/2021, 4:03 PMAnother multi-platform option is encode the data in a sqlite db and then create an ATC for that DB file
👍 1
r
Ryan
11/05/2021, 4:03 PMDo you have any examples of an Augeas lens?
f
fritz
11/05/2021, 4:04 PMThe ATC is probably the most simple option that is multi-platform
r
Ryan
11/05/2021, 4:04 PMah yeah, just reading about that now
very interesting!
thanks!
f
fritz
11/05/2021, 4:04 PMI wrote up a blog post on atcs:
https://blog.kolide.com/build-custom-osquery-tables-using-atc-ab112a30674c
r
Ryan
11/05/2021, 4:05 PMhaha yes that’s the one I was reading 😄
f
fritz
11/05/2021, 4:05 PM😜 You beat me to it!
Good luck, let me know if you have any questions.
r
Ryan
11/05/2021, 4:05 PMheheh
thanks, yeah this looks very powerful/flexible
d
defensivedepth
11/05/2021, 7:56 PMIf you are just targeting Linux, you could write out the info you need to a sysctl parameter at deployment and then query it with the https://osquery.io/schema/5.0.1/#system_controls table
To be clear, havent tried it myself but I would think it should work
s
seph
11/06/2021, 2:58 AMOr use a directory with cleverly named files as a rudimentary key/value store.
👍 1
There are some ways you can get pretty clever
➕ 2
m
Mystery Incorporated
11/08/2021, 2:10 AMEnvironment variables also work to stash and retrieve stuff but might not be great if you have a lot of stuff
r
Ryan
11/08/2021, 11:45 AMEnvironment variables? Do you have an example of that approach?
m
Mystery Incorporated
11/08/2021, 12:24 PMYup I put some values in environment variables and I have queries like:
Windows: SELECT value FROM default_environment WHERE variable LIKE "%environment_variable_name_here%" LIMIT 1Ubuntu/Centos/Darwin: SELECT value FROM process_envs WHERE key LIKE "%environment_variable_name_here%" LIMIT 1So I can set these environment variables on any device and fetch them with a query, if you control the metadata you would write it to envars instead of a file and fetch like that easy enough, but I don't know if there is size limits or what.
This allows me to tag my hosts with like a company id and such that I can query. I then put the company name in a decorator query so I know which company the host belongs to for every query it responds to.
r
Ryan
11/09/2021, 2:49 PMOk, sounds interesting!
When you talk about decorator queries, that’s the same as creating a label in Fleet interface or via Fleetctl right?
m
Mystery Incorporated
11/16/2021, 12:31 AM@Ryan nah labels in fleet return groups of hosts. A decorator query in osquery is a query that executes with every single query so for every query in my case it returns username, hostname and company name fetched from the envvar and it includes that with every single query executed
r
Ryan
11/23/2021, 3:23 PMahhh right, gotcha @Mystery Incorporated that’s very handy actually 🙂
👍 1