# general
c
Hey folks! Does anyone here have experience implementing new evented tables, particularly in macOS/openbsm? I am trying to implement a socket_events table on macOS but am unsure which files are needed to accomplish this. If anyone could give me a high level overview of what I need to do, I would appreciate it! Thanks!
z
Have you taken a look at https://osquery.readthedocs.io/en/latest/development/pubsub-framework/? You'll need to implement an event publisher and a subscriber. I've done this before, for example in https://github.com/osquery/osquery/pull/1961/files.
c
This is great, thanks! The PR should definitely help. I’m trying to essentially create a new openbsm event subscriber by copying the code in /osquery/osquery/tables/events/darwin/openbsm_events.cpp and modifying it to pull openbsm network events.
So essentially I’m able to reuse their openbsm publisher located at osquery/osquery/events/Darwin/openbsm.cpp, and add my code into their subscriber at the openbsm_events.cpp.
With that said, it seems like the only thing I need is the table spec so I’ll take a crack at that final piece, then build and see if I can access the table.
z
Yeah total bonus if you can just create a subscriber!
c
Absolutely! Also, I just played with Kolide Fleet in my environment and built a proof of concept using it... seriously amazing work! We are going to implement it here very soon.
z
Awesome, glad to hear it!
What's your company?
c
Okta
z
Oh nice, I know y'all have been playing with osquery for some time now.
Please reach out if you'd ever like to work together beyond chatting via Slack 🙂
c
Yep, I’m fairly new here but trying to overhaul things. I’ll definitely keep you in mind and appreciate your time and help!
s
There are good osquery folks here (as well as Kolide and other vendors).