Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
s
Sean Bowles
07/10/2020, 8:10 PMHi, I'm new to osquery. Can you change configuration via osquery? I see some hints that it's possible from Slack here, but the official docs seem to say you can't (https://osquery.readthedocs.io/en/stable/introduction/sql/#sql-as-understood-by-osquery). Thanks!
m
Mike Myers
07/10/2020, 8:44 PMYes but only with osquery extensions. In an extension, a table can/could be implemented that changes the host configuration.
t
theopolis
07/10/2020, 10:51 PMWelcome!
What do you mean by “change configuration”? Can you describe at a high level what you are looking to accomplish?
s
Sean Bowles
07/10/2020, 11:24 PMMike may have answered it. Consider something like the hosts file (https://osquery.io/schema/4.4.0/#etc_hosts) Can I "INSERT INTO etc_hosts "myhostname" "10.0.0.1"" and update the system's hosts file? (ignoring invalid SQL syntax)
t
theopolis
07/10/2020, 11:48 PMGot it, yeap! There should be some example extensions that do INSERTs. @Mike Myers know of any we can link Sean to?
m
Mike Myers
07/15/2020, 3:51 PMHey, I just got back from PTO. Yes, we have the code at https://github.com/trailofbits/osquery-extensions/tree/master/fwctl that demonstrates a table that implements an
INSERTDELETE