#sql

fritz

01/22/2019, 5:17 PM
-- One row per host (from system_info) that has no running process whose name contains 'auditd'
SELECT * FROM system_info
WHERE NOT EXISTS (
    SELECT * FROM processes WHERE name LIKE '%auditd%'
);

Prakhar

01/23/2019, 6:18 AM
Thanks. But I guess it should be the 'processes' table instead of 'system_info'?

fritz

01/23/2019, 3:15 PM
system_info is used to return a single row of data for any device which does not have the desired process running. You could just as easily write:
SELECT 1
WHERE
  NOT EXISTS (SELECT * FROM processes WHERE name LIKE 'auditd%');
If you instead wrote `select * from processes`, it would just return a giant list of the running processes for every device not running auditd, which doesn't sound like the goal you stated initially.

Prakhar

01/24/2019, 3:05 AM
Ohh thanks, didn't know that.