Any plan to integrate something like google rapid response (https://github.com/google/grr) in OSQuery? It would be amazing to get this type of functionality from osquery directly.
03/24/2022, 10:46 AM
Seems like it is written in Python; there is a Python SDK to connect to osquery and export tables and other plugins
Additionally, when implemented inside an extension, a table plugin can support write access (i.e. INSERT INTO, UPDATE, DELETE FROM)
We have already seen tables that can add/remove firewall rules or kill processes
03/24/2022, 11:44 AM
But I don't wanna install 2 different agents. If we can combine both agents that would be awesome.
03/24/2022, 7:17 PM
They may be different projects with different goals.
What abilities from GRR would you add to osquery?
03/25/2022, 7:29 AM
It would be cool to get some of the below mentioned features:
• Live remote memory analysis
• Powerful search and download capabilities for files
• OS-level and raw file system access
• Detailed monitoring of client CPU, memory, IO usage and self-imposed limits.
Server side:
• Fully fledged response capabilities handling most incident response and forensics tasks (shutting down some app, isolating machine from internet, etc.)
03/25/2022, 11:22 AM
Osquery has many of those client features.
But osquery does not aim to control the machine. So the core project will not gain things like shutdown or app isolation.
I think it would be interesting if someone added that kind of functionality to an extension.