Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use a distinct carver request_id #6959

Merged
merged 4 commits into from
Feb 21, 2021
Merged

Use a distinct carver request_id #6959

merged 4 commits into from
Feb 21, 2021

Conversation

theopolis
Copy link
Member

@theopolis theopolis commented Feb 20, 2021
edited
Loading

This is half of the solution for #6727. We do not want to use the last-most-recent distributed request ID for all carve requests. Carve requests can be initiated multiple ways, through a scheduled query, distributed query, shell query, etc.

This also improve the UX of the carves table. It will report the single row requested when carve = 1 is used.

A follow up change should explore storing metadata with queries such that the virtual table can retrieve and use this data.

@theopolis theopolis requested a review from a team as a code owner February 20, 2021 17:59
@theopolis theopolis force-pushed the fix_carver_request_id branch from 515c637 to da04ebd Compare February 21, 2021 03:45
@theopolis theopolis force-pushed the fix_carver_request_id branch from da04ebd to 88d219c Compare February 21, 2021 14:44
zwass
zwass approved these changes Feb 21, 2021
View reviewed changes
Copy link
Member

@zwass zwass left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is working as expected:

{
  "host": "zachs-macbook-pro.local",
  "rows": [
    {
      "carve": "1",
      "carve_guid": "f072809b-48ea-401b-8f5a-c27584b6e5ee",
      "host_hostname": "zachs-macbook-pro.local",
      "path": "/etc/hosts",
      "request_id": "73c58a9f-a168-450f-8f57-a5c31529a248",
      "sha256": "",
      "size": "-1",
      "status": "SCHEDULED",
      "time": "1613943074"
    }
  ]
}

@theopolis theopolis merged commit 0fd3b2f into osquery:master Feb 21, 2021
@javuto javuto mentioned this pull request Nov 30, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zwass zwass zwass approved these changes

Assignees
No one assigned
Labels
carving
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@theopolis @zwass