Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
r
Robin Powell
09/23/2021, 10:15 PMI'm trying very hard to understand https://github.com/osquery/osquery/pull/6982 and what, exactly, it breaks, and I'm having some trouble.
I think that in <5.0,
select * from augeas where path LIKE '/etc/hosts%';I can't see anything else that looks breaking-ish. Anyone have any clues to dole out? š
I am, in particular, deeply confused by this part:
ASSERT_EQ(
SQL("select * from augeas where path LIKE '/etc/hosts/%'").rows().size(),
0U);AFAICT, that should get converted to
match /files/etc/hosts/*s
seph
09/23/2021, 11:25 PMIt's always possible that I introduced a bug. I'll try to look harder sometime in the next couple days.
r
Robin Powell
09/23/2021, 11:43 PMOh hello PR author. š
I don't actually even know if our (internal) customers use LIKEs with augeas; I was just trying to understand the change for producing a report on 5.0 in general.
s
seph
09/24/2021, 1:26 AMHi!
Okay, Iām trying to remember all the things.
The old version of this table basically ran a
match /files/*/augeasWildcard handling between the two was problematic. And TBH, Iām not sure I got it right.
In augeas, wildcards are tree based.
*//*And thereās some magic in how
/The end results is, I think:
ā¢
/etc/hosts/%/etc/host%/files/etc/hosts*/etc/host%%/files/etc/hosts/*For
pathselect * from augeas where path LIKE '/etc/%';select * from augeas where path LIKE '/etc/%%';Does that help any?
r
Robin Powell
09/24/2021, 3:49 PMIt does, thank you!
Some questions still though. š
^^ Why doesn't that get converted toĀ is converted to `/files/etc/hosts/%ā./etc/hosts/%
/filles/etc/hosts/*(because the augeas return is is missing that trailing slash)^^ I didn't follow that part at alll.
I still don't feel like I have a handle on what's breaking. I understand the changes and why you made them and I think they make sense, but I can't come up with any examples of queries that work in 4.9.0 that'll break in 5.0
Oh, actually, in the PR thread there's:
This seems reasonable but we should mark it as an API change due to change with queries likeĀ; do I correctly understand that that query currrently returns stuff (which I just checked) but it won't in 5.0 because it gets converted to, where before this would full-scan and have SQL apply theĀselect * from augeas where path LIKE '/etc/hosts%';Ā filtering.LIKE
match /files/etc/hosts*If that's the only breaking example we have, that seems like it's no going to come up very much. š Which is yay.
s
seph
09/24/2021, 4:30 PM> /etc/hosts/%Ā is converted to `/files/etc/hosts/%ā.
^^ Why doesnāt that get converted toĀ /filles/etc/hosts/*?Ā Like, not āwhy did you make that decision?ā but āwhere in the code does that happen?āTypo, I mean to
/files/etc/hosts/*patternsFromOsqueryThis is a specific case of the the only breaking example I know. Namely, I introduced
%%%So if you did
path like '/etc/hosts/%/files/etc/hosts/*'path: /etc/hosts