https://github.com/osquery/osquery logo
Powered by
Title
m

Matt Ackard

10/14/2020, 3:27 PM
Hi all, I'm getting a 
could not start extension process
error when trying to use a python .ext extension. It only works if I suspend osqueryi and run the extension with python. Any help would be appreciated. The extension is the sample python extension, I'll paste it in thread
#!/usr/bin/env python

import osquery


@osquery.register_plugin
class MyTablePlugin(osquery.TablePlugin):
    def name(self):
        return "foobar"

    def columns(self):
        return [
            osquery.TableColumn(name="foo", type=osquery.STRING),
            osquery.TableColumn(name="baz", type=osquery.STRING),
        ]

    def generate(self, context):
        query_data = []

        for _ in range(2):
            row = {}
            row["foo"] = "bar"
            row["baz"] = "baz"
            query_data.append(row)

        return query_data


if __name__ == "__main__":
    osquery.start_extension(name="my_awesome_extension", version="1.0.0")
c

CptOfEvilMinions

10/14/2020, 3:53 PM
@Matt Ackard please try running 
osqueryi
with 
--allow_unsafe
and see if that works. If so it might be a permissions issue.
If it does work after adding that flag please see the following Osquery documentation to set the correct permissions: https://osquery.readthedocs.io/en/stable/deployment/extensions/
m

Matt Ackard

10/14/2020, 5:31 PM
allow_unsafe doesn't change anything. I think it may be thrift socket related. I get errors from TServerSocket and TServerTransport if I leave the osqueryi process running when it fails to start the extension
got it. it was a combination of permissions and default python binary. thanks
😛artyparrot: 1
4 Views
#generalJoin Slack
Powered by