https://github.com/osquery/osquery logo
Powered by
Title
s

seph

11/18/2019, 8:35 PM
I want to launch an osquery with no native tables registered. Is there a way to do this, or prior art?
z

zwass

11/18/2019, 8:36 PM
@groob did this at some point
j

Jams

11/18/2019, 8:37 PM
Does 
--disable_tables VALUE                           Comma-delimited list of table names to be disabled
achieve this?
s

seph

11/18/2019, 8:38 PM
Empirically not. The table is still registered. For an extension to register it. I need to stop it earlier
g

groob

11/18/2019, 9:30 PM
there’s a build flag for this
i hope you’re not doing this as a hack to generate schemas, because there’s a better way
(which was the initial reason I looked into it)
it was called 
SKIP_TABLES=true
not sure if it’s still there
s

seph

11/18/2019, 9:34 PM
Not schemas. I remember there’s something else for that.
Did SKIP_TABLES merge anywhere I can find it?
g

groob

11/18/2019, 9:34 PM
yeah, for schemas there’s a nice thrift api that gives you the columns for any query
my worry is that it got deleted https://github.com/osquery/osquery/issues/4308
s

seph

11/18/2019, 9:35 PM
Looks like maybe https://github.com/osquery/osquery/pull/2335
g

groob

11/18/2019, 9:37 PM
that’s old
s

seph

11/18/2019, 9:37 PM
Yes, yes it is
g

groob

11/18/2019, 9:37 PM
github needs codesearch /offtopic
I wonder if commenting this line out is enough to achieve the same https://github.com/osquery/osquery/blob/master/osquery/CMakeLists.txt#L18
the old file had this: 
if(NOT SKIP_TABLES)
  add_subdirectory(tables)
https://github.com/zwass/osquery/blob/430ea13704002e505d78adda4f33192936d74a5f/osquery/CMakeLists.txt
s

Stefano Bonicatti

11/19/2019, 12:51 AM
Not really, because there are possibly references to the targets created by that subfolder. One would either have to conditionally link to them or create an INTERFACE target, which does nothing.. so the other referencing it are happy and do not try to link something that doesn't exists. This still doesn't guarantee it compiles though, there might be code referencing those tables?
s

seph

11/19/2019, 3:54 AM
Poking around, AFAICT the existing disable_table mechanism ends up preventing the xConnect and xCreate from ever triggering. 
virtual_table.cpp:1057
has a check against it. If the table is disabled, then it’s not loaded. But it’s already loaded in the registry, and sqlite has a basic schema? Clearly I’m missing something.
Ah… The REGISTER call is in the codegen, but the plumbing them happens virtual_table.cpp. Which makes me wonder why the blacklist is only in virtual_table.
Poking around, it’s somewhat hard to move it. codegen adds a REGISTER macro, which expands into a AutoRegisterInterface::autoloadPlugin call (in registry_interface.cpp). I can hardcode skipping tables from being registered there. but it looks like the flags and blacklist aren’t parsed yet.
So it’s hard to do something based on those. I’m not yet sure if this is an easy fix or not.
Making a compile-time mechanism is, obviously, easy
7 Views
#coreJoin Slack
Powered by