Title
#general
o

Ojas

03/24/2022, 9:26 AM
Any plan to integrate something like google rapid response (https://github.com/google/grr) in OSQuery? I would be amazing to get this type of functionality from osquery directly.
a

alessandrogario

03/24/2022, 10:46 AM
Seems like it is written in Python; there is a Python SDK to connect to osquery and export tables and other plugins
10:47 AM
Additionally, when implemented inside an extension, a table plugin can support write access (i.e. INSERT INTO, UPDATE, DELETE FROM)
10:47 AM
We have already seen tables that can add/remove firewall rules or kill processes
o

Ojas

03/24/2022, 11:44 AM
But i dont wnna install 2 different agents. If we can combine both agents that would be awesome.
s

seph

03/24/2022, 7:17 PM
They may be different projects with different goals. What abilities from GRR would you add to osquery?
o

Ojas

03/25/2022, 7:29 AM
Hey @seph It would be cool to get some of the below mentioned features: Agent side: • Live remote memory analysis • Powerful search and download capabilities for files • OS-level and raw file system access • Detailed monitoring of client CPU, memory, IO usage and self-imposed limits. Sever side : • Fully fledged response capabilities handling most incident response and forensics tasks. (shutting down some app, isolating machine from internet etc)
s

seph

03/25/2022, 11:22 AM
Osquery has many of those client features.
11:23 AM
But osquery does not aim to control the machine. So the core project will not gain thjnfs like shutdown or app isolation.
11:24 AM
I think it would be interesting if someone added that kind of functionality to an extension.