#general

slevchenko

11/16/2021, 3:51 PM
Hi everyone. Does anybody know if it's possible to run Python extensions on the current version of osqueryd? I'm able to run my extension (script) without osquery and it works, and I'm able to run it via
osqueryi --extension X
and it works too, but not when used via osqueryd: the plugin gets registered, and then:
plugin X registered
plugin X failed validation
plugin X gone away
Mike Myers

11/16/2021, 7:52 PM
Can you run with --verbose to see if there's more output about what is happening? Are the extension process and osquery both running as root? Where is this message about "failed validation" coming from?
slevchenko

11/17/2021, 9:11 AM
1. Running osqueryd in the foreground gives no relevant output except:
I1117 10:53:12.349642 22285 interface.cpp:137] Registering extension (trusted_apps, 3493, version=0.0.1, sdk=1.8.0)
I1117 10:53:12.349845 22285 registry_factory.cpp:107] Extension 3493 registered table plugin trusted_apps
I1117 10:53:13.017935 21122 extensions.cpp:316] Extension UUID 3493 initial check failed
2. The extension is running as a systemd service, in order to ensure that it's running:
[Unit]
Description=OSQuery trusted apps extension table
# Ensuring OSQuery service file installed
Wants=osqueryd.service
# Ensuring osqueryd service is in running state before starting
# (Requires= is a [Unit] directive; systemd ignores it inside [Service])
Requires=osqueryd.service
# Ensuring extension starts after the osqueryd service
After=osqueryd.service

[Service]
# Ensuring extension will have enough privileges to connect to the socket
User=root
Group=root
# Ensuring osqueryd boots up properly before extension starts
TimeoutStartSec=infinity
ExecStartPre=/bin/sleep 10
# script privileges are set to 700
ExecStart=/usr/local/bin/osquery-trusted-apps.py --socket /var/osquery/osquery.em
Restart=always

[Install]
WantedBy=multi-user.target
3. So the service is actually starting and is able to connect to the socket:
osquery-trusted-apps.service - OSQuery trusted apps extension table
     Loaded: loaded (/etc/systemd/system/osquery-trusted-binaries.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2021-11-17 10:43:37 EET; 2min 19s ago
   Main PID: 18849 (osquery-trusted)
      Tasks: 2 (limit: 38354)
     Memory: 7.8M
     CGroup: /system.slice/osquery-trusted-apps.service
             └─18849 /usr/bin/python3 /usr/local/bin/osquery-trusted-apps.py --socket /var/osquery/osquery.em
4. "Validation failed" is the output mentioned below, and it seems to be coming from the osqueryd service, simultaneously with the extension start:
I1117 10:53:12.349642 22285 interface.cpp:137] Registering extension (trusted_apps, 3493, version=0.0.1, sdk=1.8.0)
I1117 10:53:12.349845 22285 registry_factory.cpp:107] Extension 3493 registered table plugin trusted_apps
I1117 10:53:13.017935 21122 extensions.cpp:316] Extension UUID 3493 initial check failed
10:50 AM
JFYI. I've finally resolved the issue by using the osquery autoload mechanism. The extension works once the following conditions are met:
1. The extension is pointed to the default extension socket /var/osquery/osquery.em
2. root:root is the extension owner (that's a known and expected requirement)
3. The Python script ends with the .ext extension
10:50 AM
Anyway, thanks for the help
Mike Myers

11/18/2021, 5:33 PM
Glad you have found a resolution -- should we update the extensions documentation?
slevchenko

11/18/2021, 5:53 PM
Yeah, I think it'll be very helpful to indicate that for extensions to autoload, any kind of extension file (be it native, golang, python, ...) has to have the .ext extension