This repository includes osquery extensions developed and maintained by Trail of Bits. If you would like to sponsor the development of an extension, please contact us.

Extensions are a type of osquery add-on that can be loaded at runtime to provide new virtual tables. The extensions interface allows organizations to implement proprietary detection methods or address their individual needs. Here, we use it to demonstrate other pioneering use cases of osquery. In extensions, we can add capabilities that go beyond what would be possible in osquery core.

Trail of Bits has developed extensions that provide tables which can manage service configurations as well as view them, or that cross-check information on the host with external third-party services. To learn more about osquery extension development and why developing outside of 'core' is encouraged for demonstrating new use cases or novel functionality, view our talk (slides, video) from QueryCon 2018.

The extensions in this repository:

- Integrates osquery with the Duo Labs EFIgy API to determine whether the EFI firmware on your Mac fleet is up to date.
- Integrates osquery with the Santa application whitelisting solution. Check DENY events and manage the whitelist/blacklist rules.
- Provides osquery with the ability to view and manage the OS-native firewall rules and the /etc/hosts file (port and host blocking).
- Provides osquery with NTFS-specific forensic information for incident responders.
- Provides osquery with the ability to list and lock Windows synchronization objects (mutants, events, semaphores).
- Provides an event-driven table that contains entries from the unified system log on macOS. API updates in macOS 10.15 permit moving this functionality into core osquery.
- Provides an event-based table that lists DNS requests performed by the endpoint. Uses libpcap and Pcap++ (PcapPlusPlus) to capture and parse network requests.
- Provides a superset of the information supplied by the default iptables table.
- Provides a table that reports MDM enrollment status.

Note: the releases page has download links for our extensions.

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.

If you're interested in learning more about osquery, visit the GitHub project, the website, and the users guide.

In osquery, SQL tables, configuration retrieval, log handling, etc. are implemented via a robust plugin and extensions API. This project contains Go bindings for creating osquery extensions in Go. To create an extension, you must build an executable binary which instantiates an ExtensionManagerServer and registers the plugins that you would like to add to osquery. The server is created with NewExtensionManagerServer(name, sockPath, opts...), where name identifies the extension to osquery and sockPath is the extension socket that osquery exposes (its location is controlled by osquery's --extensions_socket flag). The extension runs as a separate process and talks to osquery over that socket. You can then have osquery load the extension in your desired context (i.e. in a long-running instance of osqueryd, via the --extensions_autoload file, or during an interactive query session with osqueryi, e.g. osqueryi --extension /path/to/extension.ext). For more information about how this process works at a lower level, see the osquery wiki.

This library is compatible with Go Modules.

Using the library

Creating a new osquery table

If you want to create a custom osquery table in Go, you'll need to write an extension which registers the implementation of your table. Consider the following Go program (the imports and the bodies of FoobarColumns and FoobarGenerate were lost from this copy of the page and are restored here in minimal form; the module path and the column names "foo" and "baz" are assumed, not taken from the page):

```go
package main

import (
	"context"
	"flag"
	"log"
	"os"

	// Module path assumed; older copies of this library import github.com/kolide/osquery-go.
	"github.com/osquery/osquery-go"
	"github.com/osquery/osquery-go/plugin/table"
)

func main() {
	socket := flag.String("socket", "", "Path to osquery socket file")
	flag.Parse()
	if *socket == "" {
		log.Fatalf(`Usage: %s -socket SOCKET_PATH`, os.Args[0])
	}

	server, err := osquery.NewExtensionManagerServer("foobar", *socket)
	if err != nil {
		log.Fatalf("Error creating extension: %s\n", err)
	}

	// Create and register a new table plugin with the server.
	// table.NewPlugin requires the table plugin name,
	// a slice of Columns and a Generate function.
	server.RegisterPlugin(table.NewPlugin("foobar", FoobarColumns(), FoobarGenerate))

	// Run blocks, serving requests from osquery until the socket is closed.
	if err := server.Run(); err != nil {
		log.Fatalln(err)
	}
}

// FoobarColumns returns the columns that our table will return.
// The column names are illustrative.
func FoobarColumns() []table.ColumnDefinition {
	return []table.ColumnDefinition{
		table.TextColumn("foo"),
		table.TextColumn("baz"),
	}
}

// FoobarGenerate is called every time the table is queried and must return
// the rows; each row maps column name to a string value.
func FoobarGenerate(ctx context.Context, queryContext table.QueryContext) ([]map[string]string, error) {
	return []map[string]string{
		{"foo": "bar", "baz": "baz"},
	}, nil
}
```
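The foobar table above returns fixed rows, so it does not show the two things a real Generate function has to get right: turning host data into osquery's []map[string]string row format, and honouring the WHERE constraints that osquery pushes down so the table does not do a full scan on every query. The following block is an added example written for this page, not code from osquery-go or from the Trail of Bits extensions; it uses only the Go standard library. It models a hosts_file table (the table and column names are assumed) in the spirit of the /etc/hosts management described in the extension list above. In an osquery-go Generate function you would read /etc/hosts, call ParseHosts on its contents, then look in queryContext.Constraints["hostname"].Constraints for a constraint whose Operator is table.OperatorEquals and pass its Expression as wantHost.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// hostsEntry is one mapping parsed from an /etc/hosts-style file.
type hostsEntry struct {
	Line    int
	Address string
	Names   []string
}

// ParseHosts parses hosts(5)-formatted text. Comments ("#" to end of line)
// and blank lines are skipped; every other line is ADDRESS NAME [ALIAS...].
// A line with fewer than two fields is an error rather than being dropped,
// so a malformed file cannot silently produce an incomplete table.
func ParseHosts(text string) ([]hostsEntry, error) {
	var entries []hostsEntry
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		if len(fields) < 2 {
			return nil, fmt.Errorf("line %d: expected ADDRESS NAME, got %q", n, sc.Text())
		}
		entries = append(entries, hostsEntry{Line: n, Address: fields[0], Names: fields[1:]})
	}
	return entries, sc.Err()
}

// HostsRows flattens entries into osquery rows, one row per (address, name)
// pair. Every value is a string because osquery rows are map[string]string.
// wantHost models an equality constraint pushed down by osquery: when it is
// non-empty only matching rows are built. The match is exact, which is what
// SQLite's "=" on a TEXT column will re-check on the rows we hand back.
func HostsRows(entries []hostsEntry, wantHost string) []map[string]string {
	rows := []map[string]string{}
	for _, e := range entries {
		for _, name := range e.Names {
			if wantHost != "" && name != wantHost {
				continue
			}
			rows = append(rows, map[string]string{
				"address":  e.Address,
				"hostname": name,
				"line":     fmt.Sprint(e.Line),
			})
		}
	}
	return rows
}

// sampleHosts is a constructed /etc/hosts fragment for the demonstration.
const sampleHosts = `127.0.0.1   localhost
::1         localhost ip6-localhost  # loopback, two names on one line

# block a telemetry endpoint by pointing it at the null route
0.0.0.0     telemetry.example.invalid
`

func main() {
	entries, err := ParseHosts(sampleHosts)
	if err != nil {
		panic(err)
	}
	// Equivalent of: SELECT * FROM hosts_file;
	for _, r := range HostsRows(entries, "") {
		fmt.Println(r["address"], r["hostname"], r["line"])
	}
	// Equivalent of: SELECT * FROM hosts_file WHERE hostname = 'localhost';
	fmt.Println(len(HostsRows(entries, "localhost")), "rows for localhost")
}
```

Whatever the extension returns, osquery still applies the full WHERE clause itself, so honouring a constraint is purely an optimisation and skipping it is safe; returning rows that do not satisfy the constraint is also harmless, they are simply filtered out. Returning an error from Generate, as ParseHosts does for a malformed line, surfaces the failure in osquery's logs instead of quietly presenting a partial table to whoever is hunting with it.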