![]() If we use a regular JOIN it is possible that reordering could result in the original error being encountered (because the chrome_extensions table generates with no uid in its context). Note: It is important to use CROSS JOIN as this tells the query optimizer not to reorder the evaluation of the tables. Osquery can get be used to retrieve device data using SQL commands.tables. Writing the query with this JOIN ensures that osquery first generates the list of users, and then provides the user uids to the chrome_extensions table when generating that data. Typically this is achieved by a JOIN against the users table to retrieve data for every user on the system: SELECT uid, nameįROM users CROSS JOIN chrome_extensions USING (uid) orbitalenvironment : This feature returns a list of system environment. Show osquery which users to retrieve the data for. However, Orbital has added several of its own custom osquery tables and features. A query running as root does not know which directories to check. When run as a normal user, the implementations know to look in paths relative to the user’s home directories. ![]() This same issue manifests on many tables that include a uid column:Īs stated in the error message, these tables return “data based on the current user by default”. ![]() Our query runs as expected when osqueryi is run as a normal user, but returns a warning message and no results when run as root via sudo osqueryi. W0519 09:35:27.624747 415233472 virtual_table.cpp:959] The chrome_extensions table returns data based on the current user by default, consider JOINing against the users table | 501 | 1Password extension (desktop app required) | Osquery> SELECT uid, name FROM chrome_extensions LIMIT 3 Many an osquery user has encountered a situation like the following: $ osqueryi Osquery: Consider joining against the users table Proper use of JOIN to return osquery data for users
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |