Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
c
Chris B
11/08/2019, 12:15 AMHey folks, I’m interested in building an extension for osquery to monitor socket events on macOS. Is anyone available and willing to help me get the C++ environment set up to get started? Thanks!
t
theopolis
11/08/2019, 12:36 AMHi Chris! Generally yes, but prefer to try to get as far as you can yourself using the docs, and then reach out for help when you get stuck.
c
Chris B
11/08/2019, 12:43 AMHey, I spent the better portion of the day trying to get setup in a couple different IDEs and read through the readthedocs a few times. I also tried google and stack overflow but still having dependency errors.
Usually I’m able to figure stuff out but C++ always kicks my butt.
t
theopolis
11/08/2019, 1:00 AMSorry to hear, can you provide some specifics about what's going on? What IDE, what are the errors? Common issues include not having a newish
gitc
Chris B
11/08/2019, 1:08 AMAbsolutely! So I’m using vscode 1.39.2 on MacOS, git 2.20.1, and I checked to be sure the cloned osquery folder and all sub folders were added in my vscode project’s includepath.
For the record, I’m not stuck on this ide and if you’re more familiar with another one I’d gladly switch to get up and running.
The problem is the imports to osquery sdk don’t seem to resolve, and the docs I read to compile the sample extension won’t even work.
s
seph
11/08/2019, 3:29 AMCan you compile/build outside the IDE?
Trying to separate what’s an IDE configuration vs a build tool chain.
If you start with a clean checkout, do the build instructions work?
c
Chris B
11/08/2019, 6:15 PMHey @seph, yes a clean build works great, although it doesn’t build osqueryi.
s
seph
11/08/2019, 6:15 PMosqueryi is a a symlink to osqueryd. Same binary, it changes modes based on the name.
Or you can use
osqueryd -Sc
Chris B
11/08/2019, 6:16 PMAwesome! Good to know.
s
seph
11/08/2019, 6:16 PMAwesome that you’re build works! So now you’re trying to get IDE integration?
I have no useful advice — I don’t use IDEs. But if you get good instructions, it’s worth documenting
c
Chris B
11/08/2019, 6:17 PMYes so I can start building. tbh I have no idea what I’m doing with c++ but was going to replicate the event subscriber code for processes and sshlogins on Mac.
I’m fine with not using an ide honestly, as long as I’m able to make minor changes to code and rerun to test changes without rebuilding the whole package. Any command line guidance you can give me for that would be great.
s
seph
11/08/2019, 6:19 PMBoth cmake and buck should do an incremental build, so you’re okay there.
Personally, I use emacs and vi. I don’t feel like I can comment on coding environment. I expect most things will work, though there may be some weirdness around the edges
c
Chris B
11/08/2019, 6:20 PMAre there any special commands I need for the rebuild after I make changes? When I follow the build instructions on the osquery docs to rebuild based on my changes I get all sorts of errors.
Is the command to compile/build changes different?
s
seph
11/08/2019, 6:21 PMI usually run
make -j8I would not re-run cmake unless you’re changing cmake files. I don’t know if it should error out, that seems weird
c
Chris B
11/08/2019, 6:22 PMThat seems to have worked for a rebuild! Fantastic, and now that you mention it I remember that from a compsci course hahaha.
Ok good, so I’m not sure if you have any experience with developing the event based tables, particularly on macOS, but I’m trying to essentially create a new openbsm event subscriber by copying the code in /osquery/osquery/tables/events/darwin/openbsm_events.cpp and modifying it to pull openbsm network events.
s
seph
11/08/2019, 6:27 PMGenerally I’m excited when people are developing tables! it’s great to see more people working on it.
Is this a subset of the bsm data? If so, does it merit a new table? Or is it data in another?
c
Chris B
11/08/2019, 6:28 PMYes this would be my first open source contribution so I’m excited, but I have limited time on the project so hoping to get started quickly!
Yes this data should be captured in openbsm/audit code already implemented. I just need to add an event handler and call back for these particular event types and parse the fields into a table.
Theoretically I know what I need to do but not great at c++ and have no knowledge of the codebase
I am basically trying to implement a socket_events table for macOS like the one in Linux.
s
seph
11/08/2019, 6:31 PMThat sounds neat. I don’t know that part of the code very well. I can’t speak to whether or not there’s similar functionality, or where to look for inspiration.
But I’d probably recommend asking in #general, and not in the bottom of this thread about IDEs 🙂
c
Chris B
11/08/2019, 6:33 PMHaha ok I’ll do that, in the meantime do you know anything about how to implement tables? For instance I’m trying to see how they implemented the process_events table so I can do the same for socket_events, but I can’t find it.
s
seph
11/08/2019, 6:35 PMI’ve written tables, yes. But not evented ones.
https://github.com/osquery/osquery/pull/5488 is a PR for a table we decided not to include. But it’s a pretty simple example.
I’d generally start by reading a table spec, say
specs/darwin/disk_events.tableimplementation("events/darwin/disk_events@disk_events::genTable")But I know there’s another piece to understand in events
c
Chris B
11/08/2019, 6:40 PMVery cool, at first glance I’m not seeing the event table specs but the function names look the same across all of them. I’ll keep searching the repo and check out that PR! Thanks for the help today.
s
seph
11/08/2019, 6:41 PMme neither. Which is why I’m pretty sure I don’t know how to write an evented table.
Reading old PRs can help. Or digging through some of the docs
c
Chris B
11/08/2019, 6:41 PMAh it may be under the posix folder!
Great I’ll def do that