Are there any tables or extensions that fork a new process in their

generate()

implementations? Is there a recommended way to handle this? In my case it would only need to work on POSIX systems. The data I'm trying to get is only exposed via a command line interface.

In osquery core no, spawning a process to do such work has all sort of potential issues (performance, security, stability of the interface). Extension can do what they want since they are separate processes. So for core the recommended way is that libraries should be used, or code be written to extract that same data (inspired by the code of the CLI, if it's open source)

unfortunately it's not open source, but not trying to add a table to core either! this would definitely be an extension

If you're taking the code to launch a process, probably using

posix_spawn

simplifies a little the process

There are many osquery extensions that exec binaries. I’ve seen them in python and written them in go. It should work fine in c/c++

woahh I totally missed that there are python bindings! That's awesome

The extension interface is via thrift. Anything thrift supports, can be used as an extension. I’ve used ruby, though there’s nothing official there. Also notable is that if you don’t like the SDK, you don’t have to use it — the API is just thrift