Hey folks Does anyone here have experience implementing new

Question

Hey folks Does anyone here have experience implementing new evented tables particularly in macOS openbsm I am trying to implement a socket events table on macOS but am unsure which files are needed to accomplish this If anyone could give me a high level overview of what I need to do I would appreciate it Thanks

zwass · Answer

Have you taken a look at You ll need to implement an event publisher and a subscriber I ve done this before for example in

Chris B · Answer

This is great thanks The pr shod definitely help I m trying to essentially create a new openbsm event subscriber by copying the code in osquery osquery tables events darwin openbsm events cpp and modifying it to pull openbsm network events

Chris B · Answer

So essentially I m able to reuse their openbsm publisher located at osquery osquery events Darwin openbsm cpp and add my code into their subscriber at the openbsm events cpp

Chris B · Answer

With that said it seems like the only thing I need is the table spec so I ll take a crack at that final piece then build and see if I can access the table

zwass · Answer

Yeah total bonus if you can just create a subscriber

Chris B · Answer

Absolutely Also just played with kolide fleet in my environment and built a proof of concept using it seriously amazing work We are going to implement it here very soon

zwass · Answer

Awesome glad to hear it

zwass · Answer

What s your company

Chris B · Answer

Okta

zwass · Answer

Oh nice I know y all have been playing with osquery for some time now

zwass · Answer

Please reach out if you d ever like to work together beyond chatting via Slack slightly smiling face

Chris B · Answer

Yep I m fairly new here but trying to overhaul things I ll definitely keep you in mind and appreciate your time and help

seph · Answer

There are good osquery folks here as well as kolide and other vendors