The core osquery schema incorrectly lists Windows as a supported OS for
this query: https://osquery.io/schema/5.12.1/#yara_events
Adding a yaml override to reflect this in Fleet's docu
---------
Co-authored-by: Harrison John <harrisonjohn@Harrisons-MacBook-Pro.local>
Co-authored-by: Eric <eashaw@sailsjs.com>
Missing comma between `u.username` and `u.uid` causes the query to fail with
this error (note the query is only applicable to macOS):
```
osquery> SELECT u.username u.uid, strftime('%Y-%m-%dT%H:%M:%S', a.password_last_set_time, 'unixepoch') AS password_last_set_time, a.failed_login_count, strftime('%Y-%m-%dT%H:%M:%S', a.failed_login_timestamp, 'unixepoch') AS failed_login_timestamp FROM account_policy_data AS a CROSS JOIN users AS u USING (uid) ORDER BY password_last_set_time ASC;
Error: near ".": syntax error
```
Output after fixing the missing `,` (part of the output removed):
```
osquery> SELECT u.username, u.uid, strftime('%Y-%m-%dT%H:%M:%S', a.password_last_set_time, 'unixepoch') AS password_last_set_time, a.failed_login_count, strftime('%Y-%m-%dT%H:%M:%S', a.failed_login_timestamp, 'unixepoch') AS failed_login_timestamp FROM account_policy_data AS a CROSS JOIN users AS u USING (uid) ORDER BY password_last_set_time ASC;
+--------------+------------+------------------------+--------------------+------------------------+
| username     | uid        | password_last_set_time | failed_login_count | failed_login_timestamp |
+--------------+------------+------------------------+--------------------+------------------------+
| nobody       | 4294967294 |                        |                    |                        |
| root         | 0          |                        |                    |                        |
```
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
Related to: https://github.com/fleetdm/fleet/issues/15651
Changes:
- Removed `hidden: true` from the YAML override file for the iptables
table.
- Regenerated osquery_fleet_schema.json
Create registry.yml per #16993
P.S. Just got your message in Slack. This has a particularly gnarly query
because the registry data is gross. I have broken it on new lines at the
commands, but it's all going to be a big blob in the fixed-width columns
on the site & Fleet UI anyway. We'll see what it does. If you would
prefer, I could "minify" these all onto one line no matter how long they
are?
The Example header was not showing on this page. Moved the query up to
the example block with explanation.
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
Updates to cpu_info data table in Fleet Table Docs per #16993
I am trying something. The arp_cache table .yml has no references to the
Column || Type || Description schema table on the page, so, I am
assuming you are doing magic to combine the other sections of the page
(Description, Examples, Notes) with the data from osquery tables.
If I needed to make explicit reference to them, I am dumb.
If I only need to make explicit reference to them iff I am changing
the schema table, yay.
Thanks!!!!!!!
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
Please check the new scalar is working correctly. I am going to have to
do a PR on the authdb table because some of the markdown syntax is
showing on the updated page. Thanks!
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
Fixed copy+paste or find+replace booboo when scalar was changed from >-
to |-
Copy operation caught up the angle brackets used around "right_name" in
this doc.
Thanks.
Closes: #19271
Closes: #19286
Changes:
- Updated the example in the schema folder readme
- Updated the block scalar used in Fleet's osquery override
documentation (`>-` » `|-`) and removed extra newlines
- Updated the block scalar used in URLs used to create new yaml override
files
- Regenerated osquery_fleet_schema.json
Need help to get the correct formatting for the notes key/val
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
Co-authored-by: Drew Baker <89049099+Drew-P-drawers@users.noreply.github.com>
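The two commits above switch Fleet's override files from the folded block scalar `>-` to the literal `|-` because markdown in the notes rendered wrongly. The following added example (not Fleet's code; the override key names `name`/`notes` and the note text are constructed) parses the same note written both ways with Ruby's stdlib YAML and shows why: `>-` folds the line breaks into spaces, collapsing a markdown list into one line, while `|-` keeps them.

```ruby
require 'yaml'

# Constructed Fleet-style table override using a FOLDED block scalar (>-).
# Single line breaks inside a folded scalar become spaces; the trailing
# "-" strips the final newline.
FOLDED_OVERRIDE = <<~YAML
  name: registry
  notes: >-
    Registry values are large.
    - Filter on `path` in a WHERE clause.
    - Avoid `SELECT *`.
YAML

# The same note as a LITERAL block scalar (|-): every line break is kept,
# so the markdown list still renders as a list downstream.
LITERAL_OVERRIDE = <<~YAML
  name: registry
  notes: |-
    Registry values are large.
    - Filter on `path` in a WHERE clause.
    - Avoid `SELECT *`.
YAML

# Parse an override document and return the text of its `notes` field.
def notes_for(yaml_text)
  YAML.safe_load(yaml_text).fetch('notes')
end

# True when the scalar preserved the line breaks the markdown list needs.
def markdown_lines_preserved?(yaml_text)
  notes_for(yaml_text).include?("\n")
end

if __FILE__ == $PROGRAM_NAME
  puts "folded  (>-): #{notes_for(FOLDED_OVERRIDE).inspect}"
  puts "literal (|-): #{notes_for(LITERAL_OVERRIDE).inspect}"
end
```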
Changes:
- Updated the version of osquery schema that is merged with Fleet's
overrides: (5.11.0 » 5.12.1)
- Regenerated schema/osquery_fleet_schema.json