Hey all, I have been actively working with osquery and Kolide for over a few months now and I have come here multiple times for doubts and discussions. I want to thank you all especially @zwass, @seph and @fritz. To contribute back to the community I have a couple of custom osquery extensions, I just wanted to ask if custom tables are accepted as contributions or not.

Thanks! We're glad to have you. It sounds like you are referring to tables you have implemented outside the osquery C++ codebase?

yes. I am working on designing custom osquery tables using osquery-python, for which I have recently submitted a blueprint as well.

Aw, thanks for the shoutout!

We don't have any way to bring extension tables into the osquery codebase, but we certainly encourage you to share those publicly any way you see fit. We also see extension tables as an opportunity to try out ideas before possibly implementing them in core osquery.

Generally speaking, there aren’t central repositories of extensions. As Zach says, we encourage people to share things via github. Sometimes there’s interest in moving a table into core. Of if you’re working a lot with launcher (kolide’s endpoint agent), sometimes I’ll accept go based tables there. But both of these projects have their own criteria for acceptance.

Thank you both. I have a custom table that collects outstanding/pending security updates on Debian systems which I think could be helpful to the community. I'll publish it on my git then!

sounds good!

Certainly sounds like a very useful table! I'd be interested in seeing it in core assuming the functionality can be provided without shelling out to other tools. Will be curious to see your implementation.

Thanks. Essentially it is an osquery wrapper around a debian command with some regex to feed the output into the table. It does require osquery python module but that is just it. With that out of the way, I use fleet to create a baseline on it and then get notified for every new entry=pending update.

Nice!