I want to launch an osquery with no native tables registered

Question

I want to launch an osquery with no native tables registered Is there a way to do this or prior art

zwass · Answer

< groob> did this at some point

Jams · Answer

Does ` disable tables VALUE Comma delimited list of table names to be disabled` achieve this

seph · Answer

Empirically not The table is still registered For an extension to register it I need to stop it earlier

groob · Answer

there s a build flag for this

groob · Answer

i hope you re not doing this as a hack to generate schemas because there s a better way

groob · Answer

which was the initial reason I looked into it

groob · Answer

it was called `SKIP TABLES=true`

groob · Answer

not sure if it s still there

seph · Answer

Not schemas I remember there s something else for that

seph · Answer

Did SKIP TABLES merge anywhere I can find it

groob · Answer

yeah for schemas there s a nice thrift api that gives you the columns for any query

groob · Answer

my worry is that it got deleted <https github com osquery osquery issues 4308>

seph · Answer

Looks like maybe <https github com osquery osquery pull 2335>

groob · Answer

that s old

seph · Answer

Yes yes it is

groob · Answer

github needs codesearch offtopic

groob · Answer

I wonder if commenting this line out is enough to achieve the same <https github com osquery osquery blob master osquery CMakeLists txt L18>

groob · Answer

the old file had this ```if NOT SKIP TABLES add subdirectory tables ```

groob · Answer

Stefano Bonicatti · Answer

Not really because there are possibly references to the targets created by that subfolder One would either have to conditionally link to them or create an INTERFACE target which does nothing so the other referencing it are happy and do not try to link something that doesn t exists This still doesn t guarantee it compiles though there might be code referencing those tables

seph · Answer

Poking around AFAICT the existing disable table mechanism ends up preventing the xConnect and xCreate from ever triggering `virtual table cpp 1057` has a check against it If the table is disabled then it s not loaded But it s already loaded in the registry and sqlite has a basic schema Clearly I m missing something

seph · Answer

Ah The REGISTER call is in the codegen but the plumbing them happens virtual table cpp Which makes me wonder why the blacklist is only in virtual table

seph · Answer

Poking around it s somewhat hard to move it codegen adds a REGISTER macro which expands into a AutoRegisterInterface autoloadPlugin call in registry interface cpp I can hardcode skipping tables from being registered there but it looks like the flags and blacklist aren t parsed yet

seph · Answer

So it s hard to do something based on those I m not yet sure if this is an easy fix or not

seph · Answer

Making a compile time mechanism is obviously easy