I have a kolide server and a single osquery host. (both on separate machines).
Osqueryd is run with root on the host.
host has many other users("user1", "user2"} which perform some actions on the machine.
osquery provides a decorator to "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
but this one only shows root users in the osquery_result
I would like to know whether its possible to create a decorator where each query is listed with the respective user who performed the action.
for eg: if
"user1" executes "nmap google.com" and
"user2" executes "nmap facebook.com"
osquery should produce a result with respective user labelled.
I know that some tables like "process_events" have uid to show this parameter.
But I am looking for some other generic solution.
Any help is appreciated. Thanks in advance.
10/02/2020, 3:51 PM
Decorations are not added to the table schema, they are included as metadata in the
object with the query results. See the attached photo for an example
If you want to tie processes, etc. to their user you will JOIN the processes table to the users table on the uid column