Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
s
Seth Hanford
08/19/2021, 5:06 PMIs there current guidance about the constraints on results that we should expect from recursive searches against the ‘file’ table? I am experiencing strange results when trying to recursively look for files on MacOS (noticed on Mac 11.5.2, osquery 4.9.0):
When I run find on the system, I get this (partial results):
# find / -name java -type f 2>/dev/null -exec ls -lisah {} \;
... /usr/bin/java
... /usr/local/Cellar/libmagic/5.40/share/misc/magic/java
... /usr/local/Cellar/openjdk/16.0.2/libexec/openjdk.jdk/Contents/Home/bin/java
... /usr/share/file/magic/java
... /Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home/bin/java
... /System/Volumes/Data/usr/local/Cellar/libmagic/5.40/share/misc/magic/java
... /System/Volumes/Data/usr/local/Cellar/openjdk/16.0.2/libexec/openjdk.jdk/Contents/Home/bin/java
... /System/Volumes/Data/Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home/bin/javaSELECT filename,path FROM file WHERE filename = "java" AND path LIKE '/%%'
filename: java
path: /usr/bin/javaSELECT filename,path FROM file WHERE filename = "java" AND path LIKE '/usr/share/%%'
filename: java
path: /usr/share/file/magic/javaSELECT filename,path FROM file WHERE filename = "java" AND path LIKE '/usr/local/Cellar/%%'
0 results (should be at least 2)Working backwards on an example path, I can find java for ‘/System/Volumes/Data/usr/local/Cellar/openjdk/16.0.2/libexec/openjdk.jdk/Contents/Home/bin/java’, I can repeatedly remove directories from the end (first java, then bin, then Home, etc.) until when I do the following I end up with 2 results. So far, so good:
SELECT filename,path FROM file where filename='java' and path like '/System/Volumes/Data/usr/local/Cellar/openjdk/16.0.2/%%'
2 results:
filename: java
path: /System/Volumes/Data/usr/local/Cellar/openjdk/16.0.2/bin/java
filename: java
path: /System/Volumes/Data/usr/local/Cellar/openjdk/16.0.2/libexec/openjdk.jdk/Contents/Home/bin/javaAny thoughts on this? Are there specific tricks / techniques that I should be using to ensure I can traverse deep directory trees?