I am a noob to osquery please excuse if the usage of plugin osquery #extensions

I am a noob to osquery - please excuse if the usag...

EchoBat

06/13/2023, 9:46 AM

I am a noob to osquery - please excuse if the usage of 'plugin' and 'extension' in the following text are incorrect. osquery service is stopped and the interactive shell is started using the Administrator Command Prompt as

osqueryi --verbose --nodisable_extensions --disable_logging=false --flagfile="c:\Program Files\osquery\osquery.flags" --S --config_path="c:\Program Files\osquery\osquery.conf"

I am using https://github.com/osquery/osquery-go/blob/master/examples/config/main.go to create a config plugin for osquery under Windows 10. From a normal command prompt, this plugin is launched as below (assume the socket as given in the arg below)

go run .\main.go --socket  \\.\pipe\shell.em

The osquery_extensions table shows that the config plugin is loaded. But the osquery_schedule does not show the scheduled queries from the GenerateConfig function in the above main.go file. The results log file does not contain the query results too. Is there anything I am missing?

seph

06/15/2023, 4:31 AM

No worries being new, welcome aboard!

seph

06/15/2023, 4:31 AM

It sounds like you’re trying to have osquery get a config file from an extension?

seph

06/15/2023, 4:35 AM

I’m not sure what’s in your osquery.flags file, but that command line seems amiss: 1. You’re specifying

--config_path

which is contrary to your goal 2. I would expect you to need

--config_plugin

to tell osquery to get it from a plugin 3. Probably also need

--extensions_require

so that osquery waits for the plugin to register itself.

seph

06/15/2023, 4:35 AM

There’s also some weirdness around using shell mode to test scheduled queries. I don’t know if that will fall short

EchoBat

06/16/2023, 8:04 AM

@seph Thank you for the points. I did not need the

--extensions_require

but I was able to get it working with the osqueryi. Now as you said about the weirdness 🙂 , proceeding with these inputs for osquery service. Will update here the details once I get it working with osquery service.

seph

06/16/2023, 3:18 PM

You need

--extensions_require

if your using osqueryd. Otherwise startup can create race conditions between waiting for the config plugin and requesting the config

EchoBat

08/29/2023, 12:48 PM

Hey, I missed providing my update here, in case someone finds it useful. The config plugin worked, thank you for your help @seph osquery.flags contents are:

Copy code

--logger_plugin=filesystem
--logger_path=D:\test\
--extensions_socket=\\.\pipe\myshelltest.em

I was sanity testing with osqueryi.exe from the command-line, and the following command works with the above flags file.

Copy code

osqueryi.exe -S ^
	--disable_extensions=false ^
	--allow_unsafe ^
	--flagfile="c:\Program Files\osquery\osquery.flags" ^
	--disable_logging=false ^
	--extension c:\osquery\build\external\examples\config_plugin\RelWithDebInfo\config_plugin_extension.ext.exe ^
	--config_plugin example ^
	--force=false ^
	--extensions_socket="\\.\pipe\myshelltest.em" ^
	--verbose

Now the extension is loaded, logs are available at the given folder. I spent a lot of wasted days because I was using the following command, which fails.

Copy code

...
	--extensions_socket="\\.\pipe\myshelltest.em" ^
	--verbose ^

Note that the ^(caret) and then an empty line was for convenience to be able to rearrange the parameters. But the last line in the Windows command with a ^(caret) fails the command.

3 Views

Open in Slack

Previous Next