https://github.com/osquery/osquery logo
Powered by
#extensions
Title
# extensions
m

mikermcneil

03/17/2022, 1:56 AM
Do osquery extensions enable an ecosystem/platform for vendors like this who want to hook into an existing agent without writing their own? If so, what docs, extension-loader error messages, extension linting/tools for extension devs, and tutorials are we missing to make it dead simple? https://techcrunch.com/2022/03/16/clockwork-raises-21m-to-keep-server-clocks-in-sync/
s

seph

03/17/2022, 9:22 PM
I am flabbergasted that an NTP replacement got 21million in funding.
But anyhow. I’m not really sure about your question. It seems to be about whether osquery could be a part of some larger ecosystem of agent based tools.
Which spans both C level market analysis, and potentially deep osquery knowledge.
My sense here is that: 1. osquery is a good agent, for things it’s good at 2. Many things osquery will not be good at. For example, clockwork likely requires some keep kernel hooks, and very tight latency requirements 3. Many companies will eschew using an OSS or third party agent, thinking that they need to own the agent themselves. This is akin to build vs buy, or NIH, but also different 4. There might be a market place / ecosystem for some kind of common agent and plugins. Could be interesting to imagine.
👍 1
We do, somewhat, see osquery in a lot of random commercial EDR software. But there’s no real ecosystem there, since there is little incentive for the EDR vendors to play nice
m

Mike Myers

03/18/2022, 1:58 AM
I would give osquery a B- for extensibility via its extensions and plugins interfaces, but a D+ for acting as a reusable library or dependency you can just wrap into your agent and ship
👍 1
s

seph

03/18/2022, 1:59 AM
I’d probably give it more than a D+, but it’s oriented around being a daemon not a library.
👍 2
m

Mike Myers

03/18/2022, 2:10 AM
it does get point-in-time information well as 
osqueryi
but to get events, better to be used as 
osqueryd
which is when the "building on top of osquery" gets difficult
yes, and, it's just something that maybe has to be explained better in the wiki, since a lot of vendors want osquery-as-a-library
👍 1
m

mikermcneil

03/18/2022, 2:13 AM
Anything come to mind as far as a low-hanging fruit for making it easier for anyone to build and use their own extensions successfully? There's pretty good docs here, though it doesn't look "easy" yet, per se: https://osquery.readthedocs.io/en/stable/development/osquery-sdk/#using-the-example-extension
m

Mike Myers

03/18/2022, 2:36 AM
There are some backlogged issues for improving it. But most are not for making it easier, that would be an area for suggestion. https://github.com/osquery/osquery/issues?q=is%3Aissue+is%3Aopen+label%3Aextensions
👍 1
ty 1
s

seph

03/19/2022, 1:10 PM
Anything come to mind as far as a low-hanging fruit for making it easier for anyone to build and use their own extensions successfully?
With a reasonable SDK (go, python, maybe even ruby. Not c++) IMO the real difficulty is in understanding the model for how everything works. Like, I can make a go extension in an hour. But I’m pretty deeply versed in the osquery ecosystem, so I’m not exactly an average user.
👍 1
A little bit, it’s akin to writing apache cgi scripts. Once you understand, it’s easy. But understanding takes awhile.
19 Views
Powered by