Hi Community,
I have a kolide server and a single osquery host. (both on separate machines).
Osqueryd is run with root on the host.
host has many other users("user1", "user2"} which perform some actions on the machine.
osquery provides a decorator to "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
but this one only shows root users in the osquery_result
I would like to know whether its possible to create a decorator where each query is listed with the respective user who performed the action.
for eg: if
"user1" executes "nmap
google.com" and
"user2" executes "nmap
facebook.com"
osquery should produce a result with respective user labelled.
expected result:
{"cmdline:/usr/bin/nmap", "user":user1}
{"cmdline:/usr/bin/nmap", "user":user2}
I know that some tables like "process_events" have uid to show this parameter.
But I am looking for some other generic solution.
Any help is appreciated. Thanks in advance.