i’d appreciate 👀 on https://github.com/osquery/osquery/pull/5371; it’s been through a few review passes over the last few months but could use some official acceptance review 🙂

This is impressive. Lots of code here. My personal preference is to put functionality into it's own library (could be header-only), with dedicated unit tests. Then the osquery changes are mainly glue that maps virtual tables to external library functionality (event publishers and subscribers). The plus being that it's easier to test standalone, and easier to port as osquery build structures change. Either way, nice work on this. I'll try to take a preliminary look .

Without reading the code, 💯 with @packetzero

I advocate having the code in osquery directly so it can benefit from optimizations and static/dynamic tests we apply.

Could be a library in the osquery source code. As compared to the table functions.

ah, I misunderstood, I agree