I'm looking through the schema here (<https://osqu...
# generalz
Zach Zeid
10/22/2019, 2:50 PMI'm looking through the schema here (https://osquery.io/schema/4.0.2) and it doesn't appear that I am able to query when
yum updatea
alessandrogario
10/22/2019, 3:18 PM
You would have to parse the package manager log to get that information.
It is also possible to look for the command in the shell history table
alessandrogario
10/22/2019, 3:19 PM
(depending on how updates are performed)
z
Zach Zeid
10/22/2019, 3:21 PMon rhel/centos systems using
yum-updatea
alessandrogario
10/22/2019, 3:22 PM
It is indeed a really useful feature, but sometimes things are hard to integrate
z
Zach Zeid
10/22/2019, 3:23 PMIndeed, thank you!
a
alessandrogario
10/22/2019, 3:23 PM
yum has to provide a library to access that information (usually, that library is private and subject to drastic changes at every update)
alessandrogario
10/22/2019, 3:24 PM
and osquery has to work on as many distro as possible (and can’t risk using a library version that only parses data specific to a distro/package manager release)
alessandrogario
10/22/2019, 3:25 PM
One thing that you can do, is write a Python extension that calls the yum command and parses the output
z
Zach Zeid
10/22/2019, 3:26 PMThat makes sense, the yum api is...inscrutable at best. Looking at the source code, they explicitly tell you not to use the API.
looks like we'll have to write our own extension.
a
alessandrogario
10/22/2019, 3:27 PM
and then publish it and share it! 😄
💯 1
f
FG
10/23/2019, 3:24 AMmaybe schedule a diff query on the atime/mtime fields of /var/log/yum.log as this gets updated when packages update?
6 Views