Hello everyone, just out of curiosity, is it somehow possible to change the content of osquery tables? For example, if you type
UPDATE system_info SET hostname = 'test';
you get the error message "Error: table system_info may not be modified".
02/09/2023, 3:26 PM
Hey @Adrian Junge, not really. Tables are read-only, but also, data in them does not exist until you query them.
We have writable tables through extensions, if I recall correctly, but even there the information written is not stored in any database; it's to control something on the other side (for instance, you can have a table that abstracts the firewall configuration).
02/09/2023, 10:19 PM
Sorta… osquery is best thought of as an API translation layer. So you cannot really modify tables.
But you can overwrite them with a create table. I use this occasionally in testing.