I get another error now where I am unsure whether it's coming from the switch to 5.0, from removing some patches or just corruption of the DB on my side:

```
Okt 01 09:11:32 xps13 osqueryd: I1001 09:11:32.587299 40300 rocksdb.cpp:67] RocksDB: Compaction error: Corruption: Unsupported compression method or corrupted compressed block contents: Snappy
```

After the next restart I get the following:

```
Okt 01 09:11:32 xps13 osqueryd: I1001 09:11:32.587396 40300 rocksdb.cpp:165] Cannot compact column family queries: Corruption: Unsupported compression method or corrupted compressed block contents: Snappy
```

With this a new DB is created and yields new host identifiers => duplicated hosts in fleet.

I can also create a separate ticket for this, if you've an idea whether it's an upstream or packaging issue.

My suspicion is that previously with linked libraries we were using rocksdb 6.23 with enabled Snappy support (see ) and now we're back at 6.14 that does not contain Snappy. To get it fixed we'd need to add Snappy to the osquery deps.

Another idea would be submitting a patch for the scenario to osquery.

I'm wondering whether we could just enable WITH_SNAPPY and link to the Arch-provided library, although I know you want the package to be more based on the default osquery setting.

The rocksdb table holding the device identifier is not compressed with Snappy, hence the identifier could be recovered before trashing the DB.

# Information captured from systems using Osquery

## System information

Osquery provides access to several tables relating to various aspects of system information. The following system queries will run across all platforms.

The system_info table provides basic system information around the CPU and available memory. It also provides the system UUID to help uniquely identify the asset within your IT estate. The hardware_serial column provides the manufacturer's hardware identifier: a serial number in the case of Apple, or a Dell service tag.

```sql
SELECT uuid, hardware_serial, hostname, cpu_subtype, cpu_brand, physical_memory, hardware_vendor, hardware_model FROM system_info
```

The os_version table provides operating system information and the current patch level. This is useful for identifying systems that may not be running the latest OS release.

```sql
SELECT name, version, build, platform FROM os_version
```

## Processes and process events

We published a previous post on this which covers collecting process information from the processes table and the corresponding application hashes, as well as event information from the process_events table. However, I want to cover a few neat tricks taking advantage of the SQLite engine used by Osquery.

You can use query recursion to iterate through parent processes to identify a given process's execution path.

```sql
WITH RECURSIVE rc(pid, parent, name) AS (
    SELECT pid, parent, name FROM processes WHERE pid = 55334
    UNION ALL
    SELECT p.pid, p.parent, p.name FROM processes AS p, rc WHERE p.pid = rc.parent AND p.pid != 0
)
SELECT pid, parent, name FROM rc LIMIT 20
```

One thing to note with this query is that if the parent process has exited, you won't be able to iterate through the process tree. The processes table also includes a column called on_disk which might help identify suspicious processes spawned from memory.

The process_events table is helpful to capture every process that's been spawned, as the processes table is only a snapshot in time. Setting up the process_events table does require some additional command flags which we covered in the aforementioned blog post.

[Figure: Showing application information for Mac OS X]

## Windows Programs

Installed Windows programs can be queried using the following query.

```sql
SELECT name, version, identifying_number FROM programs
```

When pooling these results the identifying_number will help identify unique versions of installed programs. You can also find programs installed in non-standard Windows locations.

```sql
SELECT name, install_location FROM programs WHERE install_location NOT LIKE 'C:\Program Files%'
```

## Linux packages

The query used to find Linux packages depends on the package manager being used. At the moment both RPM and DEB based package managers are supported.

```sql
SELECT name, release, sha1 FROM rpm_packages
```

And for Debian:

```sql
SELECT name, version, source FROM deb_packages
```
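The recursive process-tree query from the "Processes and process events" section above can be exercised against a constructed snapshot, since osquery exposes a SQLite engine and the same CTE runs unchanged in Python's sqlite3. This is an added example, not code from the original post: the process rows, the pids (including the already-exited parent 9999) and the helper names `load_snapshot`, `ancestry` and `not_on_disk` are all constructed here to show the two caveats the post raises, a chain that breaks when an ancestor has exited and a process whose binary is no longer on disk.

```python
import sqlite3

# Constructed stand-in for osquery's `processes` table (example data, not from
# the original post). pid 9999 has already exited and has no row, so the
# orphaned child's ancestry cannot be resolved from this snapshot.
PROCESS_SNAPSHOT = [
    # pid, parent, name, path, on_disk
    (1,     0,    "launchd",  "/sbin/launchd", 1),
    (400,   1,    "Terminal", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", 1),
    (5000,  400,  "bash",     "/bin/bash", 1),
    (55334, 5000, "curl",     "/usr/bin/curl", 1),
    (6000,  9999, "updater",  "/private/tmp/updater", 0),
]

# The recursive CTE from the post, with the starting pid as a bound parameter.
ANCESTRY_SQL = """
WITH RECURSIVE rc(pid, parent, name) AS (
    SELECT pid, parent, name FROM processes WHERE pid = ?
    UNION ALL
    SELECT p.pid, p.parent, p.name FROM processes AS p, rc
    WHERE p.pid = rc.parent AND p.pid != 0
)
SELECT pid, parent, name FROM rc LIMIT 20
"""


def load_snapshot(rows=PROCESS_SNAPSHOT):
    """Build an in-memory SQLite table shaped like osquery's processes table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processes (pid INTEGER, parent INTEGER, "
                 "name TEXT, path TEXT, on_disk INTEGER)")
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def ancestry(conn, pid):
    """Walk from `pid` towards the root. Returns the chain of names and whether
    the walk reached a root (parent 0) or stopped early because an ancestor
    is no longer present in the snapshot (the exited-parent caveat)."""
    chain = conn.execute(ANCESTRY_SQL, (pid,)).fetchall()
    names = [name for _, _, name in chain]
    complete = bool(chain) and chain[-1][1] == 0
    return names, complete


def not_on_disk(conn):
    """Names of processes whose executable is gone from disk, a hint that the
    process may have been spawned from memory or its binary deleted after launch."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM processes WHERE on_disk = 0 ORDER BY pid")]
```

Running `ancestry(conn, 55334)` yields the full curl, bash, Terminal, launchd chain, while `ancestry(conn, 6000)` stops after one row with `complete` false, which is exactly the case where the post warns the tree cannot be followed.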