I want to launch an osquery with no native tables ...
# cores
seph
11/18/2019, 8:35 PM
I want to launch an osquery with no native tables registered. Is there a way to do this, or prior art?
z
zwass
11/18/2019, 8:36 PM
@groob did this at some point
j
Jams
11/18/2019, 8:37 PMDoes
--disable_tables VALUE Comma-delimited list of table names to be disableds
seph
11/18/2019, 8:38 PM
Empirically not. The table is still registered. For an extension to register it. I need to stop it earlier
g
groob
11/18/2019, 9:30 PM
there’s a build flag for this
groob
11/18/2019, 9:31 PM
i hope you’re not doing this as a hack to generate schemas, because there’s a better way
groob
11/18/2019, 9:31 PM
(which was the initial reason I looked into it)
groob
11/18/2019, 9:33 PM
it was called
SKIP_TABLES=truegroob
11/18/2019, 9:33 PM
not sure if it’s still there
s
seph
11/18/2019, 9:34 PM
Not schemas. I remember there’s something else for that.
seph
11/18/2019, 9:34 PM
Did SKIP_TABLES merge anywhere I can find it?
g
groob
11/18/2019, 9:34 PM
yeah, for schemas there’s a nice thrift api that gives you the columns for any query
groob
11/18/2019, 9:35 PM
my worry is that it got deleted https://github.com/osquery/osquery/issues/4308
s
seph
11/18/2019, 9:35 PM
Looks like maybe https://github.com/osquery/osquery/pull/2335
g
groob
11/18/2019, 9:37 PM
that’s old
s
seph
11/18/2019, 9:37 PM
Yes, yes it is
g
groob
11/18/2019, 9:37 PM
github needs codesearch /offtopic
groob
11/18/2019, 9:43 PM
I wonder if commenting this line out is enough to achieve the same https://github.com/osquery/osquery/blob/master/osquery/CMakeLists.txt#L18
groob
11/18/2019, 9:44 PM
the old file had this:
Copy code
if(NOT SKIP_TABLES)
add_subdirectory(tables)s
Stefano Bonicatti
11/19/2019, 12:51 AMNot really, because there are possibly references to the targets created by that subfolder.
One would either have to conditionally link to them or create an INTERFACE target, which does nothing.. so the other referencing it are happy and do not try to link something that doesn't exists.
This still doesn't guarantee it compiles though, there might be code referencing those tables?
s
seph
11/19/2019, 3:54 AM
Poking around, AFAICT the existing disable_table mechanism ends up preventing the xConnect and xCreate from ever triggering.
virtual_table.cpp:1057seph
11/19/2019, 4:30 AM
Ah… The REGISTER call is in the codegen, but the plumbing them happens virtual_table.cpp. Which makes me wonder why the blacklist is only in virtual_table.
seph
11/19/2019, 2:22 PM
Poking around, it’s somewhat hard to move it.
codegen adds a REGISTER macro, which expands into a AutoRegisterInterface::autoloadPlugin call (in registry_interface.cpp). I can hardcode skipping tables from being registered there. but it looks like the flags and blacklist aren’t parsed yet.
seph
11/19/2019, 2:22 PM
So it’s hard to do something based on those. I’m not yet sure if this is an easy fix or not.
seph
11/19/2019, 2:22 PM
Making a compile-time mechanism is, obviously, easy
7 Views