https://github.com/osquery/osquery logo
Powered by
#general
Title
# general
m

Mystery Incorporated

06/25/2021, 4:13 AM
Hello, if I set some environment variables in the OS, can I retrieve them using OSQuery? Or alternatively is there some other method where I can retrieve a constant value that I set per device? I was setting a decorator query in each .conf file previously to do this, but since moving to fleet, having the shared conf means I can't do that now, so I guess setting an Environment variable on heach machine and querying it will be best way?
s

seph

06/25/2021, 12:34 PM
Maybe, depends a lot on the details and operating system.
Environment variables run in an environment. Which is associated with a process, not some hypothetical thing. So to read them from osquery you either need them in osquery’s environment, or you need to pick a specific process to read them from. This is generally awkward.
If you want to pick up some bit of information from a host, I’d look at using something like the plist table on macos, and the registry on windows. I’d have to skim the tables to see what might work from linux. But there are likely others.
Find something like that
t

theopolis

06/25/2021, 3:28 PM
Perhaps https://osquery.io/schema/4.9.0/#process_envs is what you are looking for.
m

Mystery Incorporated

06/26/2021, 10:02 AM
But we can set environment variables in the bash profile or in windows we can set os wide (global) environment variables I think they are not all process bound right?
s

seph

06/26/2021, 11:51 AM
“sometimes” There’s not a simple answer to that one. It depends a lot on how startup is sequenced.
As said, 
This is generally awkward
m

Mystery Incorporated

06/27/2021, 5:22 AM
In Windows there are Machine, User or Process scoped environment variables. I can't speak for other OS I don't know, but it would be nice to fetch all environment variables if possible.
@theopolis also 
4.9.0	no such table: process_envs
when try to use that table you supplied. osquery says it doesn't exist
Oh not for windows, I see the apple and penguin now lol.
So we really have no mechanisim to see environment variables on windows at all?
@theopolis @seph by a stroke of luck, I found https://osquery.io/schema/4.9.0/#default_environment Which lists to me the machine environment variables in Windows, Happy dance.
15 Views
Powered by