# Osquery: Consider joining against the users table

## Proper use of JOIN to return osquery data for users

![Osquery: Consider joining against the users table](../website/assets/images/articles/osquery-consider-joining-against-the-users-table-cover-700x437@2x.jpeg)

Many an osquery user has encountered a situation like the following:

```
$ osqueryi
Using a virtual database. Need help, type '.help'
osquery> SELECT uid, name FROM chrome_extensions LIMIT 3;
+-----+--------------------------------------------+
| uid | name                                       |
+-----+--------------------------------------------+
| 501 | Slides                                     |
| 501 | Docs                                       |
| 501 | 1Password extension (desktop app required) |
+-----+--------------------------------------------+
osquery>

$ sudo osqueryi
Using a virtual database. Need help, type '.help'
osquery> SELECT uid, name FROM chrome_extensions LIMIT 3;
W0519 09:35:27.624747 415233472 virtual_table.cpp:959] The chrome_extensions table returns data based on the current user by default, consider JOINing against the users table
W0519 09:35:27.625207 415233472 virtual_table.cpp:974] Please see the table documentation: https://osquery.io/schema/#chrome_extensions
```

Our query runs as expected when `osqueryi` is run as a normal user, but returns a warning message and no results when run as root via `sudo osqueryi`.

This same issue manifests on many tables that include a `uid` column:

- `atom_packages`
- `authorized_keys`
- `chrome_extension_content_scripts`
- `chrome_extensions`
- `crashes`
- `docker_container_processes`
- `firefox_addons`
- `known_hosts`
- `opera_extensions`
- `safari_extensions`
- `shell_history`
- `user_ssh_keys`

### What’s going on here?

As stated in the warning message, these tables return “data based on the current user by default”. When run as a normal user, the implementations know to look in paths relative to the user’s home directory. A query running as root does not know which directories to check.

### The solution

Show osquery which users to retrieve the data for. Typically this is achieved by a `JOIN` against the `users` table to retrieve data for every user on the system:

```
SELECT uid, name
FROM users CROSS JOIN chrome_extensions USING (uid)
```

Writing the query with this `JOIN` ensures that osquery first generates the list of users, and then provides the user `uid`s to the `chrome_extensions` table when generating that data.

Note: It is important to use `CROSS JOIN` as this tells the query optimizer not to reorder the evaluation of the tables. If we use a regular `JOIN` it is possible that reordering could result in the original error being encountered (because the `chrome_extensions` table generates with no `uid` in its context).
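
The same pattern applied to a few of the other per-user tables listed above, as an added example that is not part of the original article. Column names (`users.username`, `users.directory`, `authorized_keys.key_file`, `shell_history.command`, and so on) follow the osquery schema; the account name `alice` and the home-directory prefixes in the `WHERE` clauses are constructed placeholders to adapt to your fleet.

```sql
-- Added example, not from the original article. Each query puts `users`
-- on the left of a CROSS JOIN so that osquery enumerates accounts first and
-- hands every uid to the per-user table, even when osqueryd runs as root.

-- 1. Every Chrome extension for every account on the host, with the owner named.
SELECT u.username, u.uid, ce.name, ce.version, ce.path
FROM users AS u
CROSS JOIN chrome_extensions AS ce USING (uid);

-- 2. SSH keys that grant access to any account. Filtering on users.directory
--    (constructed prefixes for Linux and macOS homes) drops system accounts
--    whose home directory never holds an authorized_keys file.
SELECT u.username, u.directory, ak.key_file, ak.algorithm, ak.key
FROM users AS u
CROSS JOIN authorized_keys AS ak USING (uid)
WHERE u.directory LIKE '/home/%' OR u.directory LIKE '/Users/%';

-- 3. Scoping to a single account ('alice' is a placeholder). The WHERE on
--    users narrows the outer loop, so shell_history generates only for that
--    uid instead of for the root user running the query.
SELECT u.username, sh.time, sh.command, sh.history_file
FROM users AS u
CROSS JOIN shell_history AS sh USING (uid)
WHERE u.username = 'alice';
```

These run unchanged in `osqueryi` and as scheduled queries, where osqueryd typically runs as root and the join is what turns an empty result into one row per account.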

<meta name="category" value="guides">
<meta name="authorGitHubUsername" value="zwass">
<meta name="authorFullName" value="Zach Wasserman">
<meta name="publishedOn" value="2021-05-06">
<meta name="articleTitle" value="Osquery: Consider joining against the users table">
<meta name="articleImageUrl" value="../website/assets/images/articles/osquery-consider-joining-against-the-users-table-cover-700x437@2x.jpeg">