Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
n
nyanshak
08/10/2020, 10:40 PMI have a question about supporting decorators cross-platform <thread>
I want to pull a value from environment variables, and use it as a decorator.
However, Linux / macOS use
process_envsdefault_environmentI tried to do something like:
SELECT COALESCE(
(SELECT value from process_envs where key = 'OSQUERY_ENV'),
(SELECT variable from default_environment where key = 'OSQUERY_ENV'),
null
) AS env where env != '';However, perhaps predictably this failed because macOS / Linux can't run query against
default_environmentprocess_envsSo I'm wondering if it's safe / sane to do this instead:
{
"decorators": {
"load": [
"SELECT value as env from process_envs where key = 'OSQUERY_ENV';",
"SELECT variable as env from default_environment where key = 'OSQUERY_ENV';"
]
}
}Or if there's a better way to do what I'm trying to do 😐