Channels
#general
Title
# general
j
James Espinosa
04/21/2020, 10:33 PM Copy code
+--------------+-------------------------+
| header | rule_details |
+--------------+-------------------------+
| %group1 | ALL=(ALL) NOPASSWD: ALL |
| %group2 | ALL=(ALL) NOPASSWD: ALL |
| user1 | ALL=(ALL) NOPASSWD: ALL |
| user2 | ALL=(ALL) NOPASSWD: ALL |
osquery> SELECT * FROM sudoers WHERE header LIKE '\%%';
(produces 0 results)s
sundsta
04/21/2020, 10:35 PMFrom the SQLite docs (https://sqlite.org/lang_expr.html):
The escape character followed by a percent symbol (%), underscore (_), or a second instance of the escape character itself matches a literal percent symbol, underscore, or a single escape character, respectively.z
zwass
04/21/2020, 10:36 PM
Copy code
osquery> select '%foobar' like '\%%' escape '\';
+---------------------------------+
| '%foobar' like '\%%' escape '\' |
+---------------------------------+
| 1 |
+---------------------------------+
osquery> select 'foobar' like '\%%' escape '\';
+--------------------------------+
| 'foobar' like '\%%' escape '\' |
+--------------------------------+
| 0 |
+--------------------------------+j
James Espinosa
04/21/2020, 10:40 PMah, thank you both so much for the quick reply. ESCAPE '\' worked for me. I was assuming "\%" would escape 🤦 thank you
3 Views