Channels
Do osquery extensions enable an ecosystem/platform...
# extensionsm
mikermcneil
03/17/2022, 1:56 AMDo osquery extensions enable an ecosystem/platform for vendors like this who want to hook into an existing agent without writing their own?
If so, what docs, extension-loader error messages, extension linting/tools for extension devs, and tutorials are we missing to make it dead simple?
https://techcrunch.com/2022/03/16/clockwork-raises-21m-to-keep-server-clocks-in-sync/
s
seph
03/17/2022, 9:22 PM
I am flabbergasted that an NTP replacement got 21million in funding.
seph
03/17/2022, 9:23 PM
But anyhow. I’m not really sure about your question. It seems to be about whether osquery could be a part of some larger ecosystem of agent based tools.
seph
03/17/2022, 9:23 PM
Which spans both C level market analysis, and potentially deep osquery knowledge.
seph
03/17/2022, 9:25 PM
My sense here is that:
1. osquery is a good agent, for things it’s good at
2. Many things osquery will not be good at. For example, clockwork likely requires some keep kernel hooks, and very tight latency requirements
3. Many companies will eschew using an OSS or third party agent, thinking that they need to own the agent themselves. This is akin to build vs buy, or NIH, but also different
4. There might be a market place / ecosystem for some kind of common agent and plugins. Could be interesting to imagine.
👍 1
seph
03/17/2022, 9:26 PM
We do, somewhat, see osquery in a lot of random commercial EDR software. But there’s no real ecosystem there, since there is little incentive for the EDR vendors to play nice
m
Mike Myers
03/18/2022, 1:58 AMI would give osquery a B- for extensibility via its extensions and plugins interfaces, but a D+ for acting as a reusable library or dependency you can just wrap into your agent and ship
👍 1
s
seph
03/18/2022, 1:59 AM
I’d probably give it more than a D+, but it’s oriented around being a daemon not a library.
👍 2
m
Mike Myers
03/18/2022, 2:10 AMit does get point-in-time information well as
osqueryiosquerydMike Myers
03/18/2022, 2:11 AMyes, and, it's just something that maybe has to be explained better in the wiki, since a lot of vendors want osquery-as-a-library
👍 1
m
mikermcneil
03/18/2022, 2:13 AMAnything come to mind as far as a low-hanging fruit for making it easier for anyone to build and use their own extensions successfully?
There's pretty good docs here, though it doesn't look "easy" yet, per se:
https://osquery.readthedocs.io/en/stable/development/osquery-sdk/#using-the-example-extension
m
Mike Myers
03/18/2022, 2:36 AMThere are some backlogged issues for improving it. But most are not for making it easier, that would be an area for suggestion. https://github.com/osquery/osquery/issues?q=is%3Aissue+is%3Aopen+label%3Aextensions
👍 1
ty 1
s
seph
03/19/2022, 1:10 PM
Anything come to mind as far as a low-hanging fruit for making it easier for anyone to build and use their own extensions successfully?With a reasonable SDK (go, python, maybe even ruby. Not c++) IMO the real difficulty is in understanding the model for how everything works. Like, I can make a go extension in an hour. But I’m pretty deeply versed in the osquery ecosystem, so I’m not exactly an average user.
👍 1
seph
03/19/2022, 1:11 PM
A little bit, it’s akin to writing apache cgi scripts. Once you understand, it’s easy. But understanding takes awhile.
21 Views