launcher
launcher copied to clipboard
Published
20 hours ago •
kolide
kolide
data flatten table should handle binary data passed as raw_data
using an ATC config such as this
{
"auto_table_construction": {
"kolide_apple_accounts_db": {
"query": "SELECT ZUSERNAME AS username, ZACCOUNTDESCRIPTION AS account_description, ZACCOUNTTYPEDESCRIPTION AS account_type_description, ZACCOUNT.ZOWNINGBUNDLEID AS owning_bundleid, ZACCOUNT.ZDATACLASSPROPERTIES AS dataclass_properties FROM ZACCOUNT LEFT JOIN ZACCOUNTTYPE ON ZACCOUNT.ZACCOUNTTYPE = ZACCOUNTTYPE.Z_PK",
"path": "/Users/%/Library/Accounts/Accounts4.sqlite",
"columns": [
"username",
"dataclass_properties",
"account_description",
"account_type_description",
"owning_bundleid",
"account_type"
],
"platform": "darwin"
}
}
}
will result in an error for a query such as
select * from kolide_plist where raw_data = (select dataclass_properties from kolide_apple_accounts_db);
because the dataclass_properties column is binary data
one possible solution is to adjust the ATC config to pass the binary column as hex like:
{
"auto_table_construction": {
"kolide_apple_accounts_db": {
"query": "SELECT ZUSERNAME AS username, ZACCOUNTDESCRIPTION AS account_description, ZACCOUNTTYPEDESCRIPTION AS account_type_description, ZACCOUNT.ZOWNINGBUNDLEID AS owning_bundleid, hex(ZACCOUNT.ZDATACLASSPROPERTIES) AS dataclass_properties FROM ZACCOUNT LEFT JOIN ZACCOUNTTYPE ON ZACCOUNT.ZACCOUNTTYPE = ZACCOUNTTYPE.Z_PK",
"path": "/Users/%/Library/Accounts/Accounts4.sqlite",
"columns": [
"username",
"dataclass_properties",
"account_description",
"account_type_description",
"owning_bundleid",
"account_type"
],
"platform": "darwin"
}
}
}
and then decode the hex with inside launcher before parsing the plist
