Things like DNS query or TLS SNI sniffing. Both of which I’ve as patches to OSQuery that have rightly been rejected because doing packet parsing in a non-memory-safe language unless you really know what you’re doing is a bad idea…
These both generate lots of rows though, so would be a good fit for an events table
09/10/2020, 4:36 AM
This is the patch from the PR that has been closed right? I don't think it's a problem with the language itself, there are several production quality tools out there using libpcap.
There are some requirements that must be met regardless of how much safety the language provides:
1. Fuzzing on the packet parsers
2. Extensive unit testing
3. Separating privileges in a good way. This can be easily done the way other tools based on pcap are doing
The PR was closed for two reasons: privacy concerns (which may be negotiable with a blueprint issue), and the lack of the above 3 requirements (mandatory, biggest issue)
09/10/2020, 12:06 PM
Yep correct. Completely agree it’s do-able (and I’m excited for the eBPF PR!) but, as you say, requires a lot of extra stuff to be confident it’s safe.
That’s mainly why I was interested if this was possible as a plugin, i.e. because writing something as a Go plugin means you can be a bit laxer (crashes aren’t a security risk and wouldn’t take down the whole of osqueryd with it)