Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hi
I'm working on writing a discovery query for a pack. My use case is to disable event based queries (in a pack) if 'auditd' is running on the system. So, discovery query should return 0 rows if any process name matching '%auditd%' is present else return 1 or more rows. Any pointers on how to achieve this ?
Thanks

<https://osquery.readthedocs.io/en/stable/deployment/configuration/#discovery-queries>

i’m not sure if you can _disable_ queries via a discovery query though, which seems to be what you are asking

you might be able to do some craziness with sql to have it return “null” if auditd is running