Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
m
mikermcneil
03/17/2022, 1:56 AMDo osquery extensions enable an ecosystem/platform for vendors like this who want to hook into an existing agent without writing their own?
If so, what docs, extension-loader error messages, extension linting/tools for extension devs, and tutorials are we missing to make it dead simple?
https://techcrunch.com/2022/03/16/clockwork-raises-21m-to-keep-server-clocks-in-sync/
s
seph
03/17/2022, 9:22 PMI am flabbergasted that an NTP replacement got 21million in funding.
But anyhow. I’m not really sure about your question. It seems to be about whether osquery could be a part of some larger ecosystem of agent based tools.
Which spans both C level market analysis, and potentially deep osquery knowledge.
My sense here is that:
1. osquery is a good agent, for things it’s good at
2. Many things osquery will not be good at. For example, clockwork likely requires some keep kernel hooks, and very tight latency requirements
3. Many companies will eschew using an OSS or third party agent, thinking that they need to own the agent themselves. This is akin to build vs buy, or NIH, but also different
4. There might be a market place / ecosystem for some kind of common agent and plugins. Could be interesting to imagine.
👍 1
We do, somewhat, see osquery in a lot of random commercial EDR software. But there’s no real ecosystem there, since there is little incentive for the EDR vendors to play nice
m
Mike Myers
03/18/2022, 1:58 AMI would give osquery a B- for extensibility via its extensions and plugins interfaces, but a D+ for acting as a reusable library or dependency you can just wrap into your agent and ship
👍 1
s
seph
03/18/2022, 1:59 AMI’d probably give it more than a D+, but it’s oriented around being a daemon not a library.
👍 2
m
Mike Myers
03/18/2022, 2:10 AMit does get point-in-time information well as
osqueryiosquerydyes, and, it's just something that maybe has to be explained better in the wiki, since a lot of vendors want osquery-as-a-library
👍 1
m
mikermcneil
03/18/2022, 2:13 AMAnything come to mind as far as a low-hanging fruit for making it easier for anyone to build and use their own extensions successfully?
There's pretty good docs here, though it doesn't look "easy" yet, per se:
https://osquery.readthedocs.io/en/stable/development/osquery-sdk/#using-the-example-extension
m
Mike Myers
03/18/2022, 2:36 AMThere are some backlogged issues for improving it. But most are not for making it easier, that would be an area for suggestion. https://github.com/osquery/osquery/issues?q=is%3Aissue+is%3Aopen+label%3Aextensions
👍 1
:ty: 1
s
seph
03/19/2022, 1:10 PMAnything come to mind as far as a low-hanging fruit for making it easier for anyone to build and use their own extensions successfully?With a reasonable SDK (go, python, maybe even ruby. Not c++) IMO the real difficulty is in understanding the model for how everything works. Like, I can make a go extension in an hour. But I’m pretty deeply versed in the osquery ecosystem, so I’m not exactly an average user.
👍 1
A little bit, it’s akin to writing apache cgi scripts. Once you understand, it’s easy. But understanding takes awhile.