Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
h
Hugh (Zercurity)
05/13/2020, 1:10 PMOn 4.3.0 there is the new
screenlockt
terracatta
05/13/2020, 1:20 PMFYI this table only works when osquery is run from a user context (you can still run it as root, but not via
launchctl asuser 0sadly, there is no way around this because of how the underlying API works
h
Hugh (Zercurity)
05/13/2020, 1:21 PMgood to know, thanks 👍
t
terracatta
05/13/2020, 1:23 PMthe other thing to note is even if you run osquery with the right user id context, that user must be currently logged in otherwise the query still won't work
😢 1
a
Artem
05/13/2020, 2:41 PM@terracatta so, will this table work via next version of kolide fleet using osquery with root priveleges on endpoints?
Thank you for previous answer!
s
seph
05/13/2020, 3:05 PMI suspect the data is stored in a keychain, or similar protected context. So unless the user is logged in, the data is inaccessible. (At least, that’s how the undocumented APIs seem)
a
Artem
05/14/2020, 11:43 AMGot it! Thanks!