Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
i
infomaniac
12/16/2020, 12:56 PMis there a way to retrieve all available tables via the Thrift API?
to clarify, i see there is no such API available - is there some other way with IPC to retrieve this list, or plans to include this in the Thrift API?
turns out a regular old query works 🙂
select tbl_name FROM sqlite_temp_master WHERE type = "table";and
pragma table_info("<table name>")t
theopolis
12/16/2020, 1:47 PMNice, you can also see all osquery components using the osquery_registry table. That won’t give you the schemas though.
đź‘€ 1
i
infomaniac
12/16/2020, 1:55 PMhey @theopolis - interesting!
osquery_registryquick 'n dirty:
select sql.name AS 'from sqlite', reg.name as 'from osquery registry' FROM osquery_registry reg
LEFT JOIN sqlite_temp_master sql ON reg.name = sql.name
WHERE reg.active = 1
AND internal = 0
AND registry = 'table'good news is that
pragma table_info("<table>")sqlite_temp_masterosquery_registryt
theopolis
12/16/2020, 2:25 PMVery cool, sorry you had to hack through that. We should invent a
osquery_tablesđź‘Ť 1
i
infomaniac
12/16/2020, 2:37 PMin the interim, would you like me to contribute some documentation around this?
or open an issue around your suggestion
t
theopolis
12/16/2020, 2:39 PMMaybe some documentation on the Extensions page of the readthedocs, mentioning that metadata can be accessed via the osquery_* tables and SQLite internals. Then show your examples.
The important connection we should make for folks IMO is that this information is available via queries and not a specific API
i
infomaniac
12/16/2020, 2:40 PMagreed. that's what was missing for me in my use-case
t
theopolis
12/16/2020, 2:41 PMAh I forgot, there is a more rich API for explaining a query too. That allows you to inspect type information a query.
getQueryColumns
If you had a complex query, you can use that to see what columns would be returned, how they would be named, and their types as understood by SQLite.
i
infomaniac
12/16/2020, 2:43 PMyes! i just discovered that today. i'm using Go which has unordered maps, so the columns were not being returned in a consistent order, so i'm using that
getQueryColumnst
theopolis
12/16/2020, 2:43 PMVery cool
i
infomaniac
12/16/2020, 2:43 PMjust to be clear, your mention of `osquery_*`tables above just covers
osquery_registryosquery_tables(i wish threads had threads)
scratch that, i see there are several available tables with the
osquery_https://github.com/osquery/osquery/pull/6811
to close the loop
z
zwass
12/16/2020, 4:38 PMHeads up https://github.com/osquery/osquery/commit/c3f9a3dae22d43ed3b4f6a403cbf89da4cba7c3c disables pragmas. We could re-enable them or just that one.
i
infomaniac
12/16/2020, 4:40 PM@zwass i'd prefer to not use it, frankly - is there perhaps another way to describe a table in SQL?
z
zwass
12/16/2020, 4:53 PMIn the sqlite shell there's
.schema tablei
infomaniac
12/16/2020, 4:54 PMi don't believe it does
.schema.tabless
seph
12/16/2020, 5:13 PM.table.schemaBaking something like that into the thrift API would be interesting. I'd love to hear about the use case driving it
i
infomaniac
12/16/2020, 5:31 PM@seph when you say they can be queried, what do you mean? outside of the CLI?
in my use-case, i need to list all the available tables and constituent columns to provide autocompletion
s
seph
12/16/2020, 5:39 PMPretty sure you can issue sql queries over the thrift api. For example, https://godoc.org/github.com/kolide/osquery-go#ExtensionManagerClient.Query and https://github.com/osquery/osquery/blob/master/osquery/extensions/thrift/osquery.thrift#L96
z
zwass
12/16/2020, 5:40 PMI think they are saying that particular "query" doesn't work. I think it might be a sqlite shell builtin.
đź‘Ť 1
i
infomaniac
12/16/2020, 5:40 PMwe're missing each other.
i'm issuing SQL queries over the API - but I can't use
.tables.schemas
seph
12/16/2020, 5:42 PMHuh. I thought it worked, but it’s been awhile since I know I’ve tried. (And my usual fleet manager now parses and doesn’t allow things that don’t look like sql)
For completion, I’ve seen implementations that use the spec files from source. But that won’t get you extensions
goquery uses
select name from osquery_registry where registry = 'table' and active = 1i
infomaniac
12/16/2020, 5:48 PM@seph indeed; the tables aspect is solved - it's just the columns i'm trying to figure out now
@zwass from my readings,
PRAGMAtable_infos
seph
12/16/2020, 5:49 PMI think it’s reasonable to allow some pragmas.
z
zwass
12/16/2020, 5:49 PMAgreed, and it wouldn't be difficult. It just won't make the 4.6.0 release which I believe was already cut.
i
infomaniac
12/16/2020, 5:51 PMfine by me - i'll add some error handling to account for the absense of
pragmas
seph
12/16/2020, 5:58 PMOkay, y’all are correct.
.schemaz
zwass
12/16/2020, 5:58 PMCan you please file this as an issue and link me? I can handle it.
i
infomaniac
12/16/2020, 5:59 PMto be clear: the
pragmas
seph
12/16/2020, 5:59 PMThe pragma whitelistings should be an issue.
The shell builtins are probably just me being confused
i
infomaniac
12/16/2020, 6:00 PMthought so, will do đź‘Ť
s
seph
12/16/2020, 6:01 PMPoking around… It looks like
sqlite_schemaah right. it’s been awhile. The osquery tables are all “eponymous virtual tables” which means they don’t show up in the
sqlite_schemađź‘Ť 1
i
infomaniac
12/16/2020, 6:12 PM@zwass https://github.com/osquery/osquery/issues/6813
:ty: 1