If I'm doing `select * from shell_history` on a sc...
# sqlz
Zach Zeid
05/15/2020, 5:32 PMIf I'm doing
select * from shell_history.bash_historys
sundsta
05/15/2020, 5:35 PMIt would be the whole thing unless you filter on the time column
z
Zach Zeid
05/15/2020, 5:39 PMfilter?
s
sundsta
05/15/2020, 5:39 PMUse a
WHEREz
Zach Zeid
05/15/2020, 5:41 PMhow would you be able to diff time in a sql statement?
s
sundsta
05/15/2020, 5:46 PMFor example, to get the events for the past hour:
select * from shell_history where time > strftime('%s', 'now', '-1 hour');sundsta
05/15/2020, 5:46 PMSee here for SQLite’s date functions https://www.sqlite.org/lang_datefunc.html
z
Zach Zeid
05/15/2020, 5:53 PMthank you, I'll look into this
Zach Zeid
05/20/2020, 5:39 PMlooks like this is a non-starter because
timeshell_history Copy code
osquery> select * from users cross join shell_history on shell_history.uid = users.uid where time > strftime('%s', 'now', '-1 minutes');s
sundsta
05/20/2020, 5:55 PMDidn’t realize bash didn’t include a timestamp by default. Too used to zsh I guess 🙂
z
Zach Zeid
05/20/2020, 6:27 PMyeah, I turned it on in my bash shell, so it seemingly only works a little bit.
11 Views