Does osquery has any support to launch extensions ...
# generals
suppandi
09/28/2020, 4:20 AMDoes osquery has any support to launch extensions on-demand instead of auto loading extensions at start
a
alessandrogario
09/28/2020, 12:03 PM
This is not supported; extensions can be started
1. by osquery, when starting. this is done through the configuration
2. manually; if osquery is correctly setting up the extension socket, then the extension will automatically connect back to osquery once started
It is currently not possible to start extensions on demand. Given a configuration file that maps table_name -> extension on disk, you could in theory automatically start the extension when the registry fails to lookup a table.
EDIT: Maybe you can open a feature request/blueprint issue
alessandrogario
09/28/2020, 12:24 PM
This is where the lookup happens: https://github.com/osquery/osquery/blob/master/osquery/registry/registry_interface.cpp#L132
alessandrogario
09/28/2020, 12:27 PM
Possible problems: the extension takes a while to startup and connect back. You would have to wait until it comes online. In the meanwhile however osquery is inside the SQLite code, potentially blocking everything.
One possible solution could be to not block anything and let the query fails. By the next time a query attempts to hit the table the extension will be up and running
alessandrogario
09/28/2020, 12:28 PM
This can easily conflict with some of the other configuration settings in osquery; it's better to open a blueprint issue first if the intent is to merge this upstream
s
suppandi
09/28/2020, 12:29 PMWe were thinking of making watcher.cpp functions public as it has already capability built into it in terms of launching extension and maintaining the list in a map
t
theopolis
09/28/2020, 3:17 PM
What is the scenario or use case you have where on-demand extension loading is a potential solution?
How do you imagine this working, do you have a configuration management tool that is deploying new extensions and you need to tell
osqueryds
suppandi
09/28/2020, 3:29 PMThe idea is to control scan intervals and loading of extensions from central server. Rather bundling all extensions as part of os query
suppandi
09/28/2020, 3:30 PM@theopolis
t
theopolis
09/28/2020, 5:13 PM
Will the central server send the extension to a host on-demand?
s
suppandi
10/01/2020, 5:13 AMyes
t
theopolis
10/01/2020, 12:56 PM
If the central server is something that you are designing, and not already built, it could restart the osqueryd service each time a new extension is delivered and make the appropriate change to the autoload file.
theopolis
10/01/2020, 12:59 PM
I’ll take another look at the extension loading code but I think it will be very complex to support on demand loading.
s
suppandi
10/27/2020, 1:11 PMOkay Thanks @theopolis
4 Views