Anybody using the SQLite inspectors yet? Documentation?

Content Authoring
1

Is anyone using the new SQLite inspectors now available in the IEM clients? Have any examples?

According to a QnA query, properties whose (it as string as lowercase contains “sql”), and this readme of changes in the client, http://support.bigfix.com/bes/changes/fullchangelist-90.txt, SQLite inspectors are now available.

Symantec Endpoint Protection (SEP) on OS X stores its log entries in an SQLite database at /Library/Application Support/Symantec/SymUIAgent/Logs/SymAVLog.

I am looking to use IEM to read this database to find the entry for the last scan to assign it to an IEM property for reporting.

Being a noob, I am pretty sure I am doing things wrong. But I have not found any documentation other than what is reported back from QnA or examples showing how to use the SQLite inspectors.

Pretty much everything I try returns the error: The operator “sqlite database” is not defined.

Q: sqlite database of "/Library/Application Support/Symantec/SymUIAgent/Logs/SymAVLog"
E: The operator “sqlite database” is not defined.

Q: exists sqlite database of "/Library/Application Support/Symantec/SymUIAgent/Logs/SymAVLog"
E: The operator “sqlite database” is not defined.

Q: encoding of (sqlite database of “/Library/Application Support/Symantec/SymUIAgent/Logs/SymAVLog”)
E: The operator “sqlite database” is not defined.

I’ve tried accessing the live file as well as a copy, with the same results.

2

OK, the problem here was not including the word “file” in the relevance:

sqlite database of file “/Library/Application Support/Symantec/SymUIAgent/Logs/SymAVLog”

But my question about documentation still stands. Is there any documentation on using the SQLite inspectors?

1 Like
3

Seems like this is missing. I have opened a bug to get the inspector documentation updated.

In the meantime any questions I can help with?

This is an example that will give you the last 10 actions recorded on the endpoint:

( column "ActionID" of it, column "IssuerName" of it, column "ActionName" of it) of rows of statement "SELECT * from ACTION_HISTORY limit 10" of sqlite database of file "ActionHistory.db" of folder "__Global" of data folder of client
4

Thanks Alan.

I don’t know if it is missing from what is reported back from the QnA tool or if it is just something that is ‘expected’. I sort of think the latter. “/Library/Application Support/Symantec/SymUIAgent/Logs/SymAVLog” is just a string. It happens to be a string that can be used to get to a file.

“sqlite database of <file>: sqlite database” as returned by the QnA tool might be expecting that “<file>” is replaced with whatever means one can define a file.

There is a similar situation with your sample statement. I figured out that I needed to add statement into my tests get it to work. The QnA answer did not specifically list that out, butI made the connection between the file portion needing “file” to the statement portion needing “statement”.

Is there some inspector documentation available for the SQLite inspectors?

5

If you put properties whose (it as string contains "sqlite") in the fixlet debugger, you get these:

name of <sqlite column>: string
column <integer> of <sqlite row>: sqlite column
column <string> of <sqlite row>: sqlite column
type of <sqlite column>: sqlite column type
name of <sqlite column type>: string
type of <sqlite column type>: string
integer of <sqlite column type>: boolean
float of <sqlite column type>: boolean
text of <sqlite column type>: boolean
null of <sqlite column type>: boolean
blob of <sqlite column type>: boolean
column type <integer> of <sqlite table>: sqlite column type
column type <string> of <sqlite table>: sqlite column type
column types of <sqlite table>: sqlite column type
sqlite database of <file>: sqlite database
encoding of <sqlite database>: string
rows of <sqlite statement>: sqlite row
statement <string> of <sqlite database>: sqlite statement
name of <sqlite table>: string
schema of <sqlite table>: string
table <string> of <sqlite database>: sqlite table
tables of <sqlite database>: sqlite table
indices of <sqlite table>: string

Here are some examples using this inspector:

Note: the examples are windows only, but they should work cross platform except that they are pointing to the incorrect file locations for other OSes.

Related:

1 Like
6

As of 9.2 all platforms should have the inspectors enabled. Different platforms on 9.1 had enablement at different times so be aware there. Windows had this inspector at the beginning. And that was why on my example I used of of so it would work on all platforms.

1 Like
7

These inspectors would be really useful to query the /var/db/auth.db database on Mac OS X. But for some reason they don’t seem to work with the specific format or version of the auth database.

I’ve filled a RFE here - http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=58965

1 Like
8

Are you getting “file is encrypted or is not a database file” as an error?

2 Likes
9

Yes, from the RFE:

Q: rows of statement "SELECT name FROM sqlite_master WHERE type='table'" of sqlite databases of files "/var/db/auth.db"
E: The expression could not be evaluated: file is encrypted or is not a database (SQLite error 0-26)
T: 315
10

Of course they make it difficult for me to see RFE’s but I verified that the Mavericks version of sqlite is 3.7.13 and ours is a bit older so we will have to update our sqlite library probably.

2 Likes
11

And the Yosemite (10.10.2) version of sqlite is 3.8.5

12

Yes. The biggest change came in 3.7.1 however adding a new file format for the DB which is the problem I would expect.

http://www.sqlite.org/fileformat.html

1 Like
13

What version of the SQLite library is BigFix using? Is there a way to tell this easily?

I’m coming across many SQLite dbs on Windows I cannot read, which seems to be due to it being created with a newer version of SQLite.

This is definitely frustrating and limiting.

Partial answer:

Related:

14

In 9.5 there is a new inspector sqlite version

1 Like