Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
m
Mystery Incorporated
06/25/2021, 4:13 AMHello, if I set some environment variables in the OS, can I retrieve them using OSQuery? Or alternatively is there some other method where I can retrieve a constant value that I set per device? I was setting a decorator query in each .conf file previously to do this, but since moving to fleet, having the shared conf means I can't do that now, so I guess setting an Environment variable on heach machine and querying it will be best way?
s
seph
06/25/2021, 12:34 PMMaybe, depends a lot on the details and operating system.
Environment variables run in an environment. Which is associated with a process, not some hypothetical thing. So to read them from osquery you either need them in osquery’s environment, or you need to pick a specific process to read them from. This is generally awkward.
If you want to pick up some bit of information from a host, I’d look at using something like the plist table on macos, and the registry on windows. I’d have to skim the tables to see what might work from linux. But there are likely others.
Find something like that
t
theopolis
06/25/2021, 3:28 PMPerhaps https://osquery.io/schema/4.9.0/#process_envs is what you are looking for.
m
Mystery Incorporated
06/26/2021, 10:02 AMBut we can set environment variables in the bash profile or in windows we can set os wide (global) environment variables I think they are not all process bound right?
s
seph
06/26/2021, 11:51 AM“sometimes” There’s not a simple answer to that one. It depends a lot on how startup is sequenced.
As said,
This is generally awkwardm
In Windows there are Machine, User or Process scoped environment variables. I can't speak for other OS I don't know, but it would be nice to fetch all environment variables if possible.
@theopolis also
4.9.0 no such table: process_envsOh not for windows, I see the apple and penguin now lol.
So we really have no mechanisim to see environment variables on windows at all?
@theopolis @seph by a stroke of luck, I found https://osquery.io/schema/4.9.0/#default_environment
Which lists to me the machine environment variables in Windows, Happy dance.