is it possible to read the content of the

Question

< CBLGAN1HD|linux> is it possible to read the content of the file using osquery in linux

Mike Myers · Answer

Check out <https www metalliccode com carving>

seph · Answer

Generally speaking osquery does not ship tables that just return file contents You can use file carving as Mike linked above Augeaus may provide some options here as well

MaxosxOsquery · Answer

select from carves where path like tmp sample and carve=1 W0204 07 16 10 200300 14738 virtual table cpp 959 The carves table returns data based on the current user by default consider JOINing against the users table W0204 07 16 10 200381 14738 virtual table cpp 974 Please see the table documentation <https osquery io schema carves>

MaxosxOsquery · Answer

`select from carves where path like tmp sample and carve=1 ` `W0204 07 16 10 200300 14738 virtual table cpp 959 The carves table returns data based on the current user by default consider JOINing against the users table` `W0204 07 16 10 200381 14738 virtual table cpp 974 Please see the table documentation <https osquery io schema carves>`

MaxosxOsquery · Answer

how to join with the users table thr is no matching column

Jams · Answer

Take a look at <https defensivedepth com 2019 02 21 osquery join with users table not returning results >