https://github.com/osquery/osquery logo
Join Slack
Powered by
Hey folks, I’m interested in building an extension...
# general
c
Hey folks, I’m interested in building an extension for osquery to monitor socket events on macOS. Is anyone available and willing to help me get the C++ environment set up to get started? Thanks!
t
Hi Chris! Generally yes, but prefer to try to get as far as you can yourself using the docs, and then reach out for help when you get stuck.
c
Hey, I spent the better portion of the day trying to get setup in a couple different IDEs and read through the readthedocs a few times. I also tried google and stack overflow but still having dependency errors.
Usually I’m able to figure stuff out but C++ always kicks my butt.
t
Sorry to hear, can you provide some specifics about what's going on? What IDE, what are the errors? Common issues include not having a newish 
git
version (we're trying to address this). And the GitHub issues might be a good place to pattern match against problems were working on.
c
Absolutely! So I’m using vscode 1.39.2 on MacOS, git 2.20.1, and I checked to be sure the cloned osquery folder and all sub folders were added in my vscode project’s includepath.
For the record, I’m not stuck on this ide and if you’re more familiar with another one I’d gladly switch to get up and running.
The problem is the imports to osquery sdk don’t seem to resolve, and the docs I read to compile the sample extension won’t even work.
s
Can you compile/build outside the IDE?
Trying to separate what’s an IDE configuration vs a build tool chain.
If you start with a clean checkout, do the build instructions work?
c
Hey @seph, yes a clean build works great, although it doesn’t build osqueryi.
s
osqueryi is a a symlink to osqueryd. Same binary, it changes modes based on the name.
Or you can use 
osqueryd -S
c
Awesome! Good to know.
s
Awesome that you’re build works! So now you’re trying to get IDE integration?
I have no useful advice — I don’t use IDEs. But if you get good instructions, it’s worth documenting
c
Yes so I can start building. tbh I have no idea what I’m doing with c++ but was going to replicate the event subscriber code for processes and sshlogins on Mac.
I’m fine with not using an ide honestly, as long as I’m able to make minor changes to code and rerun to test changes without rebuilding the whole package. Any command line guidance you can give me for that would be great.
s
Both cmake and buck should do an incremental build, so you’re okay there.
Personally, I use emacs and vi. I don’t feel like I can comment on coding environment. I expect most things will work, though there may be some weirdness around the edges
c
Are there any special commands I need for the rebuild after I make changes? When I follow the build instructions on the osquery docs to rebuild based on my changes I get all sorts of errors.
Is the command to compile/build changes different?
s
I usually run 
make -j8
I would not re-run cmake unless you’re changing cmake files. I don’t know if it should error out, that seems weird
c
That seems to have worked for a rebuild! Fantastic, and now that you mention it I remember that from a compsci course hahaha.
Ok good, so I’m not sure if you have any experience with developing the event based tables, particularly on macOS, but I’m trying to essentially create a new openbsm event subscriber by copying the code in /osquery/osquery/tables/events/darwin/openbsm_events.cpp and modifying it to pull openbsm network events.
s
Generally I’m excited when people are developing tables! it’s great to see more people working on it.
Is this a subset of the bsm data? If so, does it merit a new table? Or is it data in another?
c
Yes this would be my first open source contribution so I’m excited, but I have limited time on the project so hoping to get started quickly!
Yes this data should be captured in openbsm/audit code already implemented. I just need to add an event handler and call back for these particular event types and parse the fields into a table.
Theoretically I know what I need to do but not great at c++ and have no knowledge of the codebase
I am basically trying to implement a socket_events table for macOS like the one in Linux.
s
That sounds neat. I don’t know that part of the code very well. I can’t speak to whether or not there’s similar functionality, or where to look for inspiration.
But I’d probably recommend asking in #C08V7KTJB, and not in the bottom of this thread about IDEs 🙂
c
Haha ok I’ll do that, in the meantime do you know anything about how to implement tables? For instance I’m trying to see how they implemented the process_events table so I can do the same for socket_events, but I can’t find it.
s
I’ve written tables, yes. But not evented ones.
https://github.com/osquery/osquery/pull/5488 is a PR for a table we decided not to include. But it’s a pretty simple example.
I’d generally start by reading a table spec, say 
specs/darwin/disk_events.table
and then digging into how it’s implemented. 
implementation("events/darwin/disk_events@disk_events::genTable")
But I know there’s another piece to understand in events
c
Very cool, at first glance I’m not seeing the event table specs but the function names look the same across all of them. I’ll keep searching the repo and check out that PR! Thanks for the help today.
s
me neither. Which is why I’m pretty sure I don’t know how to write an evented table.
Reading old PRs can help. Or digging through some of the docs
c
Ah it may be under the posix folder!
Great I’ll def do that
8 Views
Open in Slack
PreviousNext
Powered by