osquery-1/specs/posix/shell_history.table
Alexander 1179915350
The default timestamp was added for shell_history without timestamp (#4618)
If the shell history file does not contain timestamps for the lines,
osquery will miss the time in rows and will show a confusing error
about an attempt to convert an empty string to INTEGER.

```
% head -n 3 ~/.zsh_history
ls
cd source
ls
```

```
osquery> select * from shell_history limit 1;
I0621 11:56:37.804193 2629124992 virtual_table.cpp:292] Error casting time () to INTEGER
+------------+------+---------+-------------------------------+
| uid        | time | command | history_file                  |
+------------+------+---------+-------------------------------+
| 1868255265 |      | exit    | /home/akindyakov/.zsh_history |
+------------+------+---------+-------------------------------+
```
So, a default value for the time in shell history can solve the problem.
2018-06-25 16:55:49 +01:00

19 lines
668 B
Plaintext

```
table_name("shell_history")
description("A line-delimited (command) table of per-user .*_history data.")
schema([
    Column("uid", BIGINT, "Shell history owner", additional=True),
    Column("time", INTEGER, "Entry timestamp. It could be absent, default value is 0."),
    Column("command", TEXT, "Unparsed date/line/command history line"),
    Column("history_file", TEXT, "Path to the .*_history for this user"),
    ForeignKey(column="uid", table="users"),
])
attributes(user_data=True, no_pkey=True)
implementation("shell_history@genShellHistory")
examples([
    "select * from users join shell_history using (uid)",
])
fuzz_paths([
    "/home",
    "/Users",
])
```
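The behaviour the commit message describes, as an added example that is not osquery's own code: a history parser that reports `time` as 0 when a line carries no timestamp, so the INTEGER column never receives an empty string. The names `HistoryRow`, `parseEpoch` and `parseHistory` are hypothetical, and the two timestamped layouts handled are assumptions about the input: zsh `EXTENDED_HISTORY` lines (`: <epoch>:<elapsed>;<command>`) and bash `#<epoch>` lines written when `HISTTIMEFORMAT` is set.

```cpp
#include <cctype>
#include <cstdint>
#include <string>
#include <vector>
// Added illustration, not osquery's implementation; names are hypothetical.
struct HistoryRow {
  std::int64_t time;  // 0 when the history file carries no timestamp
  std::string command;
};

// Strict digits-only epoch parse; rejects empty input instead of casting it.
static bool parseEpoch(const std::string& s, std::int64_t& out) {
  if (s.empty() || s.size() > 18) return false;  // 18 digits fit in int64
  std::int64_t v = 0;
  for (unsigned char c : s) {
    if (!std::isdigit(c)) return false;
    v = v * 10 + (c - '0');
  }
  out = v;
  return true;
}

std::vector<HistoryRow> parseHistory(const std::vector<std::string>& lines) {
  std::vector<HistoryRow> rows;
  std::int64_t pending = 0;  // timestamp carried over from a bash "#<epoch>" line
  for (const auto& line : lines) {
    if (line.empty()) continue;
    std::int64_t ts = 0;
    // bash with HISTTIMEFORMAT: "#<epoch>" precedes the command it belongs to.
    if (line[0] == '#' && parseEpoch(line.substr(1), ts)) {
      pending = ts;
      continue;
    }
    // zsh EXTENDED_HISTORY: ": <epoch>:<elapsed>;<command>"
    if (line.compare(0, 2, ": ") == 0) {
      auto colon = line.find(':', 2);
      auto semi = line.find(';', 2);
      if (colon < semi && semi != std::string::npos &&
          parseEpoch(line.substr(2, colon - 2), ts)) {
        rows.push_back({ts, line.substr(semi + 1)});
        pending = 0;
        continue;
      }
    }
    // Plain line (the ~/.zsh_history case above): fall back to the default 0.
    rows.push_back({pending, line});
    pending = 0;
  }
  return rows;
}
```

When consuming the table, treat `time = 0` as "no timestamp recorded" rather than as the Unix epoch, otherwise such rows sort to the very start of any timeline.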