#general
James Espinosa

04/21/2020, 10:33 PM
+--------------+-------------------------+
| header       | rule_details            |
+--------------+-------------------------+
| %group1      | ALL=(ALL) NOPASSWD: ALL |
| %group2      | ALL=(ALL) NOPASSWD: ALL |
| user1        | ALL=(ALL) NOPASSWD: ALL |
| user2        | ALL=(ALL) NOPASSWD: ALL |

osquery> SELECT * FROM sudoers WHERE header LIKE '\%%';

(produces 0 results)
sundsta

04/21/2020, 10:35 PM
From the SQLite docs (https://sqlite.org/lang_expr.html):
The escape character followed by a percent symbol (%), underscore (_), or a second instance of the escape character itself matches a literal percent symbol, underscore, or a single escape character, respectively.
so that should be working
zwass

04/21/2020, 10:36 PM
osquery> select '%foobar' like '\%%' escape '\';
+---------------------------------+
| '%foobar' like '\%%' escape '\' |
+---------------------------------+
| 1                               |
+---------------------------------+
osquery> select 'foobar' like '\%%' escape '\';
+--------------------------------+
| 'foobar' like '\%%' escape '\' |
+--------------------------------+
| 0                              |
+--------------------------------+
James Espinosa

04/21/2020, 10:40 PM
ah, thank you both so much for the quick reply. ESCAPE '\' worked for me. I was assuming "%" would escape 🤦 thank you