Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
s
suppandi
09/28/2020, 4:20 AMDoes osquery has any support to launch extensions on-demand instead of auto loading extensions at start
a
alessandrogario
09/28/2020, 12:03 PMThis is not supported; extensions can be started
1. by osquery, when starting. this is done through the configuration
2. manually; if osquery is correctly setting up the extension socket, then the extension will automatically connect back to osquery once started
It is currently not possible to start extensions on demand. Given a configuration file that maps table_name -> extension on disk, you could in theory automatically start the extension when the registry fails to lookup a table.
EDIT: Maybe you can open a feature request/blueprint issue
This is where the lookup happens: https://github.com/osquery/osquery/blob/master/osquery/registry/registry_interface.cpp#L132
Possible problems: the extension takes a while to startup and connect back. You would have to wait until it comes online. In the meanwhile however osquery is inside the SQLite code, potentially blocking everything.
One possible solution could be to not block anything and let the query fails. By the next time a query attempts to hit the table the extension will be up and running
This can easily conflict with some of the other configuration settings in osquery; it's better to open a blueprint issue first if the intent is to merge this upstream
s
suppandi
09/28/2020, 12:29 PMWe were thinking of making watcher.cpp functions public as it has already capability built into it in terms of launching extension and maintaining the list in a map
t
theopolis
09/28/2020, 3:17 PMWhat is the scenario or use case you have where on-demand extension loading is a potential solution?
How do you imagine this working, do you have a configuration management tool that is deploying new extensions and you need to tell
osqueryds
suppandi
09/28/2020, 3:29 PMThe idea is to control scan intervals and loading of extensions from central server. Rather bundling all extensions as part of os query
@theopolis
t
theopolis
09/28/2020, 5:13 PMWill the central server send the extension to a host on-demand?
s
suppandi
10/01/2020, 5:13 AMyes
t
theopolis
10/01/2020, 12:56 PMIf the central server is something that you are designing, and not already built, it could restart the osqueryd service each time a new extension is delivered and make the appropriate change to the autoload file.
I’ll take another look at the extension loading code but I think it will be very complex to support on demand loading.
s
suppandi
10/27/2020, 1:11 PMOkay Thanks @theopolis