variable_dict_from_osquery

Define a variable that contains key,value pairs (a dictionary) from an osquery query.

⚙️ Compatible targets: Linux

Parameters

prefix: The prefix of the variable name. This parameter is required.

name: The variable to define; the full name will be prefix.name. This parameter is required.

query: The osquery query to execute (ending with a semicolon). This parameter is required.

Outcome conditions

You need to replace ${name} with its actual canonified value.

  • ✅ Ok: variable_dict_from_osquery_${name}_ok
    • ☑️ Already compliant: variable_dict_from_osquery_${name}_kept
    • 🟨 Repaired: variable_dict_from_osquery_${name}_repaired
  • ❌ Error: variable_dict_from_osquery_${name}_error

Example

method: variable_dict_from_osquery
params:
  name: VALUE
  query: VALUE
  prefix: VALUE

Documentation

To use the generated variable, you must use the form ${prefix.name[key]} with each name replaced with the parameters of this method.

Be careful: a global variable can end up with unpredictable content if it is defined more than once, which is implicitly the case when a technique has more than one instance (directive), since each directive redefines the same prefix.name. Please note that only global variables are available within templates.

This method will define a dict variable from the output of an osquery query. The query will be executed at every agent run, and its result will be usable as a standard dict variable.

Setup

This method requires osquery (specifically the osqueryi binary) to be present on the target nodes. It won't install it automatically; check the correct way of doing so for your OS. If osqueryi is missing or the query fails, the method reports the variable_dict_from_osquery_${name}_error condition and the variable is not defined.

Building queries

To learn about the possible queries, read the osquery schema for your osquery version.

You can test the queries before using them with the osqueryi command, see the example below.

Examples

# To get the number of logical CPU cores on the machine
variable_dict_from_osquery("prefix", "var1", "select cpu_logical_cores from system_info;");

It will produce the dict from the output of:

osqueryi --json "select cpu_logical_cores from system_info;"

Hence something like:

[
 {"cpu_logical_cores":"8"}
]

To access this value, use the ${prefix.var1[0][cpu_logical_cores]} syntax. The [0] index is needed because osqueryi --json always returns a JSON array of rows, one object per row, even when the query yields a single row; a query returning several rows is accessed the same way with [1], [2], and so on. Note that osquery serializes every column value as a string ("8", not 8), so compare it as text or convert it before doing arithmetic.
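The following is an added example, not code from this page or from the Rudder project: it models how the osqueryi --json output above becomes the dict variable, so a query can be checked offline before it is put in a directive. It assumes nothing beyond the documented behaviour (result is a JSON array of row objects, all values are strings, the query must end with a semicolon); the multi-row sample uses the standard osquery listening_ports table, and all three sample outputs are constructed by hand rather than captured from a real host.

```python
import json

# Constructed sample of `osqueryi --json "select cpu_logical_cores from system_info;"`.
# osquery emits every column value as a JSON string, even numeric ones.
SAMPLE_SINGLE_ROW = '[\n {"cpu_logical_cores":"8"}\n]'

# Constructed multi-row sample for a query such as
# "select pid, port, protocol from listening_ports;" (one row per listening socket;
# protocol 6 is TCP). Column names are those of the real listening_ports table.
SAMPLE_MULTI_ROW = json.dumps([
    {"pid": "1", "port": "22", "protocol": "6"},
    {"pid": "742", "port": "443", "protocol": "6"},
])

# A query that matches nothing returns an empty array, so [0] does not exist.
SAMPLE_EMPTY = "[]"


def check_query(query):
    """Reject a query the method would not accept: it must end with a semicolon."""
    if not query.rstrip().endswith(";"):
        raise ValueError("osquery query must end with a semicolon: %r" % query)
    return query


def parse_osquery_json(raw):
    """Turn osqueryi --json output into the list of row dicts the method exposes."""
    rows = json.loads(raw)
    if not isinstance(rows, list) or not all(isinstance(r, dict) for r in rows):
        raise ValueError("unexpected osqueryi --json shape, expected an array of objects")
    return rows


def resolve(rows, index, key, default=None):
    """Mimic a ${prefix.name[index][key]} lookup on the parsed rows.

    Returns `default` instead of raising when the row or column is absent,
    which is the situation an empty result set produces in a directive.
    """
    if index < 0 or index >= len(rows):
        return default
    return rows[index].get(key, default)


def logical_cores(raw):
    """${prefix.var1[0][cpu_logical_cores]} as an int, or None if the query returned no row."""
    value = resolve(parse_osquery_json(raw), 0, "cpu_logical_cores")
    return int(value) if value is not None else None


def listening_tcp_ports(raw):
    """Collect the TCP ports from a listening_ports result, walking every row index."""
    rows = parse_osquery_json(raw)
    return sorted(
        int(resolve(rows, i, "port"))
        for i in range(len(rows))
        if resolve(rows, i, "protocol") == "6"
    )


if __name__ == "__main__":
    check_query("select cpu_logical_cores from system_info;")
    print("cores:", logical_cores(SAMPLE_SINGLE_ROW))          # cores: 8
    print("tcp ports:", listening_tcp_ports(SAMPLE_MULTI_ROW))  # tcp ports: [22, 443]
    print("empty:", logical_cores(SAMPLE_EMPTY))               # empty: None
```

Running the real command on a node (osqueryi --json "…") and feeding its output to parse_osquery_json is the quickest way to see which [index][key] path a directive will need, and whether the query can return zero rows, in which case the condition or template using the variable must tolerate an undefined value.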