I m looking through the schema here

Question

I m looking through the schema here <https osquery io schema 4 0 2> and it doesn t appear that I am able to query when `yum update` was last run on a machine Is that a correct assumption

alessandrogario · Answer

You would have to parse the package manager log to get that information It is also possible to look for the command in the shell history table

alessandrogario · Answer

depending on how updates are performed

Zach Zeid · Answer

on rhel centos systems using `yum update` not sure that d be in shell history I am surprised that there isn t anything for that

alessandrogario · Answer

It is indeed a really useful feature but sometimes things are hard to integrate

Zach Zeid · Answer

Indeed thank you

alessandrogario · Answer

yum has to provide a library to access that information usually that library is private and subject to drastic changes at every update

alessandrogario · Answer

and osquery has to work on as many distro as possible and can t risk using a library version that only parses data specific to a distro package manager release

alessandrogario · Answer

One thing that you can do is write a Python extension that calls the yum command and parses the output

Zach Zeid · Answer

That makes sense the yum api is inscrutable at best Looking at the source code they explicitly tell you not to use the API looks like we ll have to write our own extension

alessandrogario · Answer

and then publish it and share it smile

FG · Answer

maybe schedule a diff query on the atime mtime fields of var log yum log as this gets updated when packages update