
I was curious about some of the available tables I can see when I run osqueryi.exe.

I have these tables.

osquery> .tables
  => appcompat_shims
  => arp_cache
  => authenticode
  => autoexec
  => bitlocker_info
  => carbon_black_info
  => carves
  => certificates
  => chocolatey_packages

...

Then I was wondering about some of them; for example, I looked up the source for the processes table here.

[screenshot: source of the processes table spec, showing per-column descriptions]

There are a bunch of descriptions in there that the schema command doesn't show. The question is: is there a way to review the metadata that seems to be in the source code?

osquery> .schema processes
CREATE TABLE processes(`pid` BIGINT,
 `name` TEXT,
 `path` TEXT,
 `cmdline` TEXT,
 `state` TEXT,
 `cwd` TEXT,
 `root` TEXT,
 `uid` BIGINT,
 `gid` BIGINT,
 `euid` BIGINT,
 `egid` BIGINT,
 `suid` BIGINT,
 `sgid` BIGINT,
 `on_disk` INTEGER,
 `wired_size` BIGINT,
 `resident_size` BIGINT,
 `total_size` BIGINT,
 `user_time` BIGINT,
 `system_time` BIGINT,
 `disk_bytes_read` BIGINT,
 `disk_bytes_written` BIGINT,
 `start_time` BIGINT,
 `parent` BIGINT,
 `pgroup` BIGINT,
 `threads` INTEGER,
 `nice` INTEGER,
 `is_elevated_token` INTEGER,
 `elapsed_time` BIGINT,
 `handle_count` BIGINT,
 `percent_processor_time` BIGINT,
 `upid` BIGINT HIDDEN,
 `uppid` BIGINT HIDDEN,
 `cpu_type` INTEGER HIDDEN,
 `cpu_subtype` INTEGER HIDDEN,
 `phys_footprint` BIGINT HIDDEN,
 PRIMARY KEY (`pid`)) WITHOUT ROWID;
John Drinane

1 Answer


I'm not wholly sure what you're asking. I believe sqlite should show you whatever is in the spec files. (Though the hidden columns are, well, hidden)

You can also look at the table docs online -- https://osquery.io/schema

seph
  • I added the descriptions I was seeing in the source... maybe these are hidden... if not, I'm curious how to see them while querying around... they seem pretty useful – John Drinane Aug 23 '19 at 16:51
  • By added ... I mean I added a screenshot above^ – John Drinane Aug 23 '19 at 16:52
  • Ah. You're asking if you can display the descriptions inside osquery? I don't think so? But it's a really interesting question. I'll see if I can find a way to do that upstream. Meanwhile, I think the generated website schema is the best answer. – seph Sep 06 '19 at 15:19
  • I did some digging. Right now, I don't see a way to easily get the column descriptions into the schemas. And I don't see any way to access them from within osquery (or sqlite). I like the idea, but it looks like implementing it requires some larger refactoring. I'm happy to chat about that if you're interested in working on osquery. – seph Sep 11 '19 at 14:15
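Since the descriptions live only in the spec files, one practical way to "see them while querying around" is to read the specs offline. The following is an added example, not code from the original post or from the osquery project: osquery's specs/*.table files are small Python programs written against a DSL (table_name(), description(), schema([Column(name, type, description, hidden=True, index=True, ...)]), extended_schema(), implementation(), examples()), so the script evaluates a spec with a stand-in DSL that records each call, then prints every column's description, including the hidden ones that select * omits. The exact DSL surface is an assumption based on the upstream spec files; the embedded processes-like spec is constructed for this example and its description strings are illustrative, not osquery's real text.

```python
"""Read column descriptions out of an osquery table spec (added example).

Assumes the spec DSL used by osquery's specs/*.table files: table_name(),
description(), schema([Column(...)]), extended_schema(check, [...]),
implementation(), examples(), attributes(), fuzz_paths(). The stand-in
functions below only record what they are given; nothing is built.
"""
import sys
from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass
class ColumnSpec:
    name: str
    type: str
    description: str
    hidden: bool
    index: bool
    required: bool


@dataclass
class TableSpec:
    name: str = ""
    description: str = ""
    columns: List[ColumnSpec] = field(default_factory=list)
    implementation: str = ""
    examples: List[str] = field(default_factory=list)


def _dsl_namespace(table: TableSpec) -> Dict[str, Any]:
    """Globals for exec(): each DSL call records into `table` instead of generating code."""

    def column(name, ctype, description="", **kw):
        return ColumnSpec(name=name, type=ctype, description=description,
                          hidden=bool(kw.get("hidden", False)),
                          index=bool(kw.get("index", False)),
                          required=bool(kw.get("required", False)))

    def schema(columns):
        # ForeignKey(...) entries come back as None and are skipped
        table.columns.extend(c for c in columns if isinstance(c, ColumnSpec))

    ns: Dict[str, Any] = {
        "table_name": lambda n, aliases=None: setattr(table, "name", n),
        "description": lambda d: setattr(table, "description", d),
        "schema": schema,
        "extended_schema": lambda check, cols: schema(cols),  # platform-specific columns
        "Column": column,
        "ForeignKey": lambda **kw: None,
        "implementation": lambda i: setattr(table, "implementation", i),
        "examples": lambda ex: table.examples.extend(ex),
        "attributes": lambda **kw: None,
        "fuzz_paths": lambda p: None,
    }
    # column types and platform constants appear as bare names in spec files; labels suffice here
    for t in ("TEXT", "INTEGER", "BIGINT", "UNSIGNED_BIGINT", "DOUBLE", "DATETIME", "BLOB",
              "LINUX", "DARWIN", "WINDOWS", "FREEBSD", "POSIX"):
        ns[t] = t
    return ns


def load_spec(spec_source: str) -> TableSpec:
    """Evaluate spec source. Only feed this trusted spec files: exec() runs arbitrary Python."""
    table = TableSpec()
    exec(compile(spec_source, "<spec>", "exec"), _dsl_namespace(table))
    return table


def load_spec_file(path: str) -> TableSpec:
    with open(path, encoding="utf-8") as fh:
        return load_spec(fh.read())


def describe(table: TableSpec, show_hidden: bool = True) -> List[str]:
    """One line per column: name, type, flags (hidden/index/required), description."""
    lines = [f"{table.name}: {table.description}"]
    for c in table.columns:
        if c.hidden and not show_hidden:
            continue
        flags = ",".join(f for f, on in (("hidden", c.hidden), ("index", c.index),
                                         ("required", c.required)) if on)
        lines.append(f"  {c.name:<22} {c.type:<16} {flags:<16} {c.description}")
    return lines


# CONSTRUCTED spec for this example: a trimmed processes-like table with made-up descriptions.
SAMPLE_SPEC = '''
table_name("processes")
description("Constructed processes-like table for this example.")
schema([
    Column("pid", BIGINT, "Process ID (illustrative description)", index=True),
    Column("name", TEXT, "Process name (illustrative description)"),
    Column("cmdline", TEXT, "Full command line (illustrative description)"),
    Column("on_disk", INTEGER, "Whether the executable still exists on disk (illustrative)"),
    Column("upid", BIGINT, "Unique pid that is never reused (illustrative)", hidden=True),
    Column("uppid", BIGINT, "Unique parent pid (illustrative)", hidden=True),
])
implementation("example/processes@genProcesses")
examples(["select * from processes where pid = 1"])
'''

if __name__ == "__main__":
    spec = load_spec_file(sys.argv[1]) if len(sys.argv) > 1 else load_spec(SAMPLE_SPEC)
    print("\n".join(describe(spec)))
```

Run it with a path to a real spec (python specdoc.py path/to/specs/processes.table) to get the same listing for an actual table. Because the spec files are executable Python, only point it at files you got from the osquery source tree, not at specs received from elsewhere.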
    I did some digging. Right now, I don't see a way to easily get the column descriptions into the schemas. And I don't see any way to access them from within osquery (or sqlite). I like the idea, but it looks like implementing it requires some larger refactoring. I'm happy to chat about that if you're interesting in working on osquery. – seph Sep 11 '19 at 14:15