Jan Niklas Richter

01/16/2023, 11:10 AM
2. Is there any way to extend/modify the way policies are evaluated? Just a (not necessarily good) example: Imagine I want to implement a policy "Are all deb_packages up to date?" (independent of the vulnerabilities). Osquery can only answer with the current version of all applications, so in the server-side analysis of the result of the policy we would need to fetch the available versions from the apt-sources and then compare. However, I haven't seen a way to extend or code the evaluation of policies. Maybe a "plugin/extension" mechanism would solve this. Is there such a thing planned?

Kathy Satterlee

01/16/2023, 7:33 PM
Hi. This isn't something currently on the roadmap, but I can definitely bring it to the team. One way to accomplish this now would be to set up a script that would periodically check the current versions of key software and update policies in Fleet accordingly.

Jan Niklas Richter

01/16/2023, 8:32 PM
Thanks! I agree that this would solve this specific example, but I was just thinking about more general extensibility, because there might be more policies where you need to combine output of osquery and outside knowledge (checked from web, or calculated over multiple fields or computed from a server in your network).