Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
j
joe b
04/23/2020, 8:18 PMDoes anyone know what Osquery can do that jamf can’t do ?
f
fritz
04/23/2020, 8:46 PMQuery Windows and Linux devices
t
terracatta
04/23/2020, 8:48 PMJoe, jamf can basically get anything with extension attributes but it tends to be a giant pain.
compare
select serial_number from battery;<?xml version="1.0" encoding="UTF-8"?>
<extensionAttribute>
<displayName>Battery Serial Number</displayName>
<displayInCategory>System Information</displayInCategory>
<dataType>string</dataType>
<description>This attribute returns serial number of the battery, if installed.</description>
<scriptContentsMac>#!/bin/sh
echo "<result>$(ioreg -r -c "AppleSmartBattery" | grep "BatterySerialNumber" | awk '{print $3}' | sed s/\"//g)</result>"
</scriptContentsMac>
</extensionAttribute>You are often greping/seding/awking the output of CLI tools that change frequently. In osquery, it's usually hitting the native operating system APIs
:this: 3
j
joe b
04/23/2020, 9:15 PMOh yeah that does sound like a pain. I rather use SQL than writing my own scripts. Thanks for the info!