FYI this table only works when osquery is run from a user context (you can still run it as root, but not via
launchctl asuser 0
sadly, there is no way around this because of how the underlying API works
h
Hugh (Zercurity)
05/13/2020, 1:21 PM
good to know, thanks 👍
t
terracatta
05/13/2020, 1:23 PM
the other thing to note is even if you run osquery with the right user id context, that user must be currently logged in otherwise the query still won't work
😢 1
a
Artem
05/13/2020, 2:41 PM
@terracatta so, will this table work via next version of kolide fleet using osquery with root priveleges on endpoints?
Thank you for previous answer!
s
seph
05/13/2020, 3:05 PM
I suspect the data is stored in a keychain, or similar protected context. So unless the user is logged in, the data is inaccessible. (At least, that’s how the undocumented APIs seem)