It may seem weird at first, but try to think of your operating system as a series of tabular concepts. Each concept becomes a SQL table, like processes, or sockets, the filesystem, a host alias, a running kernel module, etc. There are several informational things, like OS version, CPU features, memory details, or UEFI platform vendor details, that are not tabular but rather a body of details with labeled data. We can represent this type of data as a table with a single row and many columns, or as a series of key/value rows. When you want to inspect a concept, you SELECT the data, and the associated OS APIs are called in real time.

Now consider event streams: each event is a row, like a new USB device connection or a file attribute modification. These are the same concepts with an 'event-like' twist. We do not inspect event-time data in real time, but rather buffer the events as they occur and represent that buffer as a table.

Concept 'actions' can be represented too: you perform an action and generate tabular data. Consider stat-ing a file, hashing a blob of data, parsing JSON, reading a SQLite database, traversing a directory, or requesting a user's list of installed browser plugins. Actions use primary keys as input and generate rows as output, and are best used when JOINing.

The world of osquery is centered around SQL: decorating, scheduling, differentials, eventing, targeting. Everything is SQL, and hopefully as expressive as possible. Continue reading our deployment and development guides for a deep-dive into how SQL can power intrusion detection, incident response, process auditing, file integrity monitoring, and more.

The osquery SQL language is a superset of SQLite's. Please read SQL as understood by SQLite for reference. This is a great starting place if you are coming from MySQL, PostgreSQL, or MSSQL.

SELECT only! All mutation-based verbs exist, like INSERT, UPDATE, DELETE, and ALTER, but they do nothing, unless you're fancy and creating run-time tables or VIEWs, or using an extension. Mutation-based verbs are allowed in extensions, if the extension supports them.

NOTICE: Several tables, `file` for example, require a predicate for one of the columns, and will not work without it. See Tables with arguments for more information.

Before diving into osquery's specific implementation of SQL, please familiarize yourself with the osquery development shell. This shell is designed for ad-hoc exploration of your OS and SQL query prototyping. Then fire up osqueryi as your user or as a superuser, and try some of the concepts below. Know that this 'shell' does not connect to a remote server; it is completely standalone. You are connected to a transient 'in-memory' virtual database.

The shell's meta-commands include `.bail ON|OFF` (stop after hitting an error; default OFF) and `.schema` to list all of the tables and their schema. The schema meta-command takes an argument that helps limit the output to a partial string match.
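The following osqueryi session is an added example, not part of the osquery documentation this page reproduces. It walks through the concepts above in order: a single-row informational table, a live concept table, action tables driven through JOINs, a buffered event table, the predicate requirement on `file`, a run-time VIEW as the one mutation that has an effect, and the `.schema`/`.bail` meta-commands. Table and column names are those of stock osquery tables; the paths, the process name, the view name `etc_not_root_owned`, and the claim that events need `--disable_events=false` plus a `file_paths` configuration in the standalone shell are illustrative assumptions.

```sql
-- Added example session for osqueryi (not osquery's own documentation).
-- Stock osquery table/column names; sample paths and values are made up.

-- 1. A "body of details" concept: one row, many columns.
SELECT name, version, build, platform, arch FROM os_version;

-- 2. A tabular concept: the live process list. The OS API is called when
--    the SELECT runs, so this reflects the state at query time.
SELECT pid, name, path, uid FROM processes WHERE name = 'sshd';

-- 3. An action table. hash takes a path (its primary key) as input and
--    emits one row of digests; feeding it from processes via a JOIN hashes
--    every running executable that still has a path on disk.
SELECT p.pid, p.name, p.path, h.sha256
FROM processes AS p
JOIN hash AS h ON h.path = p.path
WHERE p.path != '';

-- 4. An action keyed on a user id: browser extensions per local account.
SELECT u.username, c.name, c.version
FROM users AS u
CROSS JOIN chrome_extensions AS c USING (uid);

-- 5. An event stream represented as a buffered table. In the standalone
--    shell this assumes events are enabled (osqueryi --disable_events=false)
--    and file_paths are configured; otherwise it simply returns no rows.
SELECT action, target_path, time FROM file_events;

-- 6. Tables that require a predicate. The first statement will not work:
--    file has no path/directory constraint to satisfy.
SELECT path FROM file;
SELECT path, size, mode, uid FROM file WHERE directory = '/etc';
SELECT path FROM file WHERE path LIKE '/etc/%.conf';

-- 7. The one "mutation" that does something: a run-time VIEW. It lives in
--    the transient in-memory database and is gone when osqueryi exits.
--    The required predicate is baked into the view so callers cannot omit it.
CREATE VIEW etc_not_root_owned AS
  SELECT path, mode, uid FROM file
  WHERE directory = '/etc' AND uid != 0;
SELECT path, mode, uid FROM etc_not_root_owned;

-- Meta-commands are typed at the osquery> prompt, not as SQL:
--   .schema file    show the CREATE TABLE definition of the file table
--   .schema proc    partial match: every table whose name contains "proc"
--   .bail ON        stop after the first error (default OFF)
```

Run the session as your own user first and then as a superuser: tables such as `processes` and `file` only return what the calling user is permitted to read, so the JOIN in step 3 hashes fewer binaries, and step 6 lists fewer files, when osqueryi is unprivileged.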