#extensions
seph

02/18/2020, 2:47 PM
I’m not sure you’re going to get a better set of answers than you did in https://osquery.slack.com/archives/C08V7KTJB/p1581915978247200 While here, or #windows would have been more appropriate, it’s still the same people
duongtt

02/18/2020, 3:25 PM
Yeah, I understand. Thank you for giving opinions.
seph

02/18/2020, 3:35 PM
I’m not sure how many folks are still on the version 3 branch. A lot of focus is on v4.
3:36 PM
Are there reasons you can share about wanting to stay in the 3.x line?
duongtt

02/18/2020, 3:52 PM
Thank you for replying to me 😆 Currently, on the Linux side, I have built my own extension with osquery version 3.3.2 successfully. Now I need to get things done on Windows. So it seems like in version 4.x, it's hard to build extensions
seph

02/18/2020, 3:53 PM
I thought the 4.1 line was pretty reasonable for extension building. But I work mostly in go, so it’s a different extension ecosystem.
duongtt

02/18/2020, 3:54 PM
i.e., I have tried the latest version of osquery and tried to build the trailofbits extension, but it seems like it doesn't build in the right way
3:56 PM
Also, I met some problems when using C++ for building extensions. In version 3.3.2, #include <osquery/sdk.h> works well, but in version 4.x the path changes to <osquery/sdk/sdk.h>, but I still don't get it right
3:58 PM
Thank you for your suggestion. Btw, if I try to build my extension again using Go, where do I need to start?
seph

02/18/2020, 4:26 PM
Generally speaking, I think you should write extensions in whatever language you’re most comfortable in. In all cases, they will likely require some amount of work to get going the first time.
duongtt

02/18/2020, 4:50 PM
Woww, those are really nice documents. Thank you 😆
4:51 PM
And yes, I had my own extension in C++; the only problem is building it with osquery
seph

02/18/2020, 4:51 PM
I suspect that people will help you get it built on v4. Mostly I think people should use the languages they know and like. ¯_(ツ)_/¯
duongtt

02/18/2020, 4:53 PM
Wow yes, I really appreciate that. And I'm glad to receive your quick response. Your suggestions help me a lot
seph

02/18/2020, 4:53 PM
I’m happy I can help a little.
Stefano Bonicatti

02/18/2020, 4:55 PM
By the way, our extensions in the master branch target 3.3.2; also, last time we worked with the official osquery 3.3.2, it wasn't building properly. We have made a fork for that (osql) and other reasons. That being said, I also suggest using 4.x; you can have a look at what's needed here (https://github.com/trailofbits/osquery-extensions/pull/51), or if you simply want to build our extensions for 4.x
4:55 PM
It's true though that docs on the Wiki have to be updated for the latest version.
duongtt

02/18/2020, 4:58 PM
Let me summarize your ideas. If I want to build the trailofbits extension with osquery version 4.x, I will need to cherry-pick all the commits in your link: https://github.com/trailofbits/osquery-extensions/pull/51 Am I right? Sorry, because I'm still new to these awesome techniques
Stefano Bonicatti

02/18/2020, 5:05 PM
You don't need to cherry-pick, you can just fetch the branch where that PR is, which is local and which is named extension_porting_4.0.1 (yay mismatched versions, but it has been a WIP for a bit).
duongtt

02/18/2020, 5:08 PM
So kinda I will need to fetch that branch to build the trailofbits extension with osquery version 4.x.
5:11 PM
I will try your suggestions. Thank you @Stefano Bonicatti