Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
j
James Espinosa
04/21/2020, 10:33 PM+--------------+-------------------------+
| header | rule_details |
+--------------+-------------------------+
| %group1 | ALL=(ALL) NOPASSWD: ALL |
| %group2 | ALL=(ALL) NOPASSWD: ALL |
| user1 | ALL=(ALL) NOPASSWD: ALL |
| user2 | ALL=(ALL) NOPASSWD: ALL |
osquery> SELECT * FROM sudoers WHERE header LIKE '\%%';
(produces 0 results)s
sundsta
04/21/2020, 10:35 PMFrom the SQLite docs (https://sqlite.org/lang_expr.html):
The escape character followed by a percent symbol (%), underscore (_), or a second instance of the escape character itself matches a literal percent symbol, underscore, or a single escape character, respectively.z
zwass
04/21/2020, 10:36 PMosquery> select '%foobar' like '\%%' escape '\';
+---------------------------------+
| '%foobar' like '\%%' escape '\' |
+---------------------------------+
| 1 |
+---------------------------------+
osquery> select 'foobar' like '\%%' escape '\';
+--------------------------------+
| 'foobar' like '\%%' escape '\' |
+--------------------------------+
| 0 |
+--------------------------------+j
James Espinosa
04/21/2020, 10:40 PMah, thank you both so much for the quick reply. ESCAPE '\' worked for me. I was assuming "\%" would escape 🤦 thank you