# general
k
Is there a Python service for OSQuery?
j
There's a Python SDK for writing osquery extensions. https://github.com/osquery/osquery-python - but I'm not sure what you are asking for.
k
That is what I was looking for, just saw it wasn't updated in 2 years and thought it might have been abandoned.
j
It still seems to do the trick. We've got several extensions using it and Python 3.11.x
k
Just ripped through the setup stuff. Nothing is hard-coded with top-level versions. I was concerned about introduced vulnerabilities because something like requests or argparse was set to a version from 4 years ago. Thanks for your time.
s
The underlying thrift API hasn’t changed. And I’m not sure how much changes in python. It’s still current.
If there are obviously wrong things, please do open a PR.
I’m not a python person, and don’t have idiomatic views
z
Most folks are writing extensions in Go these days.
j
Some folks. 😆
z
Some are doing C++ as well haha. All should still work.
k
What's it at around now... 7 to 1 on the Python vs Go developers?
j
We did use Go on Windows, so ¯\_(°_o)_/¯
z
Go is what we use at Fleet and recommend to our customers. It's also what the macadmins extensions and Kolide use. Trail of Bits uses C++ for their extensions. AFAIK we are all the biggest open source extension users. Not sure what Crowdstrike, Microsoft, etc. are using for their own extensions.
k
I was going to use Swift and look at packaging this all together right onto the App Store. Just simply download from Apple and you can get a bunch of stuff like vulnerabilities and compliance.
Working on containers right now for fun, but the mac side is my interest.
z
Ooh fun! I'm not sure whether there's Thrift support in Swift but if so you could write your own SDK/integration. You could also just shell out to osquery which is sometimes easiest depending on your use case.
k
Right now I have just been shelling it off. Which isn't super ideal.
The fun part right now is I have an ML-driven vulnerability converter that takes in NVD records and converts them to machine-testable objects. So when NVD posts a CVE without any form of platform information it can help figure out what platforms it should look for.
so example... Google Chrome... they don't release what platforms to check... we know it is damn near everything... but they only release it as
cpe23:a:google:chrome:*:*:*:*:*:*
/// Some Version information
Probably not much different than what VulnCheck offers... but I don't know exactly everything they are up to.
z
ooh that all sounds fun!
k
It is my "dream" that vulnerability conversion rules don't need to be managed independently by each of the scanners out there... Whether that is Rapid7, FleetDM, Jamf, Crowdstrike, etc. Each of those entities doesn't need to keep and maintain a
"well google:chrome is com.google.chrome"
It would be awesome to have a utility like Apple does with mSCP where all of the management vendors use the same core product/service that is industry maintained and they instead work on how they want to use those detections, events, and data in their general walled garden. So that is my passion build project and figuring out how to make that happen through my postgraduate stuff.
z
Happy to promote/repost on LinkedIn or Twitter if you have some open source work to share 🙂