Channels
#general
Title
j
Jesse Lepich
01/07/2020, 9:14 PMHowdy folks, I'm new to osquery and wondering what might be the fastest/easiest way to query for cmdline, path, and parent_path. I'm currently using:
process_events": {
"query": "SELECT * FROM process_events;",
But this doesn't give me parent_path. Thanks for any help you can provide 🙂
n
nyanshak
01/07/2020, 9:31 PMReplying as I'm interested and haven't seen a great / consistent way to do this with process_events.
You can try adding info from a subquery of process_events,
WHERE pid=p.parents
seph
01/07/2020, 9:38 PM
Can you join against itself?
n
nyanshak
01/07/2020, 9:46 PMwell, you have the pid but not parent cmdline and you can do a hacky and not altogether reliable workaround to get parent_cmdline
example:
Copy code
SELECT
pe.path,
pe.cmdline,
pe.cwd,
pe.gid,
pe.egid,
pe.uid,
pe.euid,
pe.pid,
pe.parent,
pe.time,
(select coalesce((SELECT cmdline FROM process_events AS parent_cmdline0 WHERE pid=pe.parent), (SELECT cmdline FROM processes AS parent_cmdline1 WHERE pid=pe.parent))) AS parent_cmdline
FROM
process_events AS pe;s
seph
01/07/2020, 9:48 PM
I think you can do it with a join, though I don't know if it would be more performant. Not sure if I'll have the time to work through the sql
Copy code
with raw as (select
pid,
parent,
path
from processes)
select
p.pid,
p.parent,
p.path as cpath,
pp.path as ppath
from raw as p
left join raw as pp ON p.parent = pp.pid
;This probably won’t work as well from events, since there may be weird windowing in events. I think it’s probably a bunch weirder. Not really sure.
3 Views