Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
g
Gilad Reich
02/01/2023, 8:51 AMHello everyone! đź‘‹
Maybe a quick question; is it possible to load a custom Osquery extension via the
osquery.confosqueryd --helpextensions_*osquery command line flagsosquery configuration options (set by config or CLI flags)z
zwass
02/01/2023, 5:46 PMIf you want to autoload an extension, you need to specify that in the CLI flags. You could however just start up your extension process separately and have it try to connect to osquery. Might that work?
g
Gilad Reich
02/01/2023, 7:41 PMHi @zwass, many thanks for your help.
The problem is that Wazuh starting Osquery as a child-process. So I need to tell Osquery somehow to auto-load my custom extension from a specific path in disk whenever it started.
I saw the approach of starting the extension with a given path to Osquery’s socket, but the idea is that without touching anything, whenever Osquery process starts, it knows that it needs to load the extension.
Before I go down the long road, one possibility for me would be to implement that in Osquery codebase myself to load such configuration and make it load the extension. But then I would have to take care of packaging for macOS (signing & notarizing), Linux and Windows.
I was thinking it would make sense to add to the
optionsosquery.conf"options": {
"extensions": [
"path/to/extension1",
"path/to/extension2"
],
},"options": {
"extensions_dir": "path/to/dir/with/extensions"
},Even ugly hacks will be welcomed!
Found one way to solve this. In
extensions.cppCLI_FLAG(string,
extensions_autoload,
OSQUERY_HOME "extensions.load",
"Optional path to a list of autoloaded & managed extensions");OSQUERY_HOME#if defined(__linux__)
#define OSQUERY_HOME "/etc/osquery/"
#define OSQUERY_DB_HOME "/var/osquery/"
#define OSQUERY_SOCKET OSQUERY_DB_HOME
#define OSQUERY_PIDFILE "/var/run/"
#define OSQUERY_LOG_HOME "/var/log/osquery/"
#define OSQUERY_CERTS_HOME "/opt/osquery/share/osquery/certs/"
#elif defined(WIN32)
#define OSQUERY_HOME "\\Program Files\\osquery\\"
#define OSQUERY_DB_HOME OSQUERY_HOME
#define OSQUERY_SOCKET "\\\\.\\pipe\\"
#define OSQUERY_PIDFILE OSQUERY_DB_HOME
#define OSQUERY_LOG_HOME OSQUERY_HOME "log\\"
#define OSQUERY_CERTS_HOME OSQUERY_HOME "certs\\"
#elif defined(FREEBSD)
#define OSQUERY_HOME "/var/db/osquery/"
#define OSQUERY_DB_HOME OSQUERY_HOME
#define OSQUERY_SOCKET "/var/run/"
#define OSQUERY_PIDFILE "/var/run/"
#define OSQUERY_LOG_HOME "/var/log/osquery/"
#define OSQUERY_CERTS_HOME "/etc/ssl/"
#else
#define OSQUERY_HOME "/var/osquery/"
#define OSQUERY_DB_HOME OSQUERY_HOME
#define OSQUERY_SOCKET OSQUERY_DB_HOME
#define OSQUERY_PIDFILE OSQUERY_DB_HOME
#define OSQUERY_LOG_HOME "/var/log/osquery/"
#define OSQUERY_CERTS_HOME OSQUERY_HOME "certs/"
#endifextensions.load/var/osqueryln -s /My/Custom/Path/osquery /var/osqueryextensions.loadz
zwass
02/01/2023, 9:46 PMIt needs to be done as part of the startup flags because there can be config extensions that need to be loaded for startup to complete.
g
Gilad Reich
02/01/2023, 10:29 PMFrom what I’ve seen in code, the options section is loaded first.
As another (maybe better) alternative; creating the
osquery.flags.default--extension=/path/to/ext/myext.exts
seph
02/05/2023, 4:30 PMoptions are split between config flags, and CLI-only flags mostly because of osquery startup sequencing. (And some concern about forcing features to be disabled outside of configuration)
There may be flags that could move from one set to the other, but I would recommend discussion about it before making a PR.
I’m not sure I understand why you’re complaining about hardcoded defaults. At some level, these things need to be set for startup to succeed. So either they get hardcoded, or you block startup for bad or missing configuration.
As documented in https://osquery.readthedocs.io/en/stable/installation/cli-flags/ there is a
--flagfileIf no --flagfile is provided, osquery will try to find and use a "default" flagfile at /etc/osquery/osquery.flags.default. Both the shell and daemon will discover and use the defaults.At least partly, it sounds like wazuh should really expose things.
g
Gilad Reich
02/05/2023, 4:38 PMoptions are split between config flags, and CLI-only flags mostly because of osquery startup sequencing. (And some concern about forcing features to be disabled outside of configuration)Thanks @seph. Yeah, I realized while digging into the sequencing of loading things. There is still some inconsistency there though; like there are some options that are not documented as startup flags, but could be used in both scenarios. As an example, take a look at
logger_paths
seph
02/05/2023, 4:39 PMOne is a subset. There are FLAGS which can be in the config, or command line (or I assume flagfile, but I don’t know for sure)
And there are CLI_FLAGS, which are cli or flag file only.
g
Gilad Reich
02/05/2023, 4:39 PMThe main trigger that motivated me to dig into this topic, is because of Wazuh limitation in the current design, which I created a proposal for them: https://github.com/wazuh/wazuh/issues/16085
s
seph
02/05/2023, 4:40 PMosqueryd --helpYou may also need to think about when osquery needs to be restarted after those change. But I don’t know much about wazuh.
g
Gilad Reich
02/05/2023, 4:41 PMI also wished Osquery had a startup flag to override the hardcoded preprocessor
OSQUERY_HOMEosqueryd --home_dir my/custom/paths
seph
02/05/2023, 4:42 PMI also wished Osquery had a startup flag to override the hardcoded preprocessor OSQUERY_HOME dir.yeah, I agree. that does seem reasonable. I have no idea how easy it would be to implement, It might be trivial, or it might have sprawling effects on startup
g
Gilad Reich
02/05/2023, 4:43 PMsplits them into sections:osqueryd --help
• osquery command line flags
• osquery configuration options (set by config or CLI flags)Exactly, and some flags are in the configuration options section, but I can also override them as in startup flags as the case with the
logger_paths
seph
02/05/2023, 4:46 PMI don’t understand the inconsistency you’re calling out.
g
Gilad Reich
02/05/2023, 4:56 PMIf we look at the two sections when running
osqueryd --helposqueryd--flagfileosquery.confosquery.conflogger_pathosqueryd --logger_path my/custom/paths
seph
02/05/2023, 5:09 PMThat sounds like the inverse.
Most flags can be set in the config, or passed on the CLI. Since they can be set in the config, they are also controllable by a remote TLS server
Some flags, either because they’re important for startup or because they’re deemed privacy sensitive, cannot be set by the TLS controlled server. But they can just as well be set on the command line.
(I’m going idle. I’ll catch up here eventually)
g
Gilad Reich
02/05/2023, 5:17 PMI see, that makes sense.
Some flags, either because they’re important for startup or because they’re deemed privacy sensitive, cannot be set by the TLS controlled server. But they can just as well be set on the command line.That’s exactly the part that could be documented better per option/flag, since checking the docs I was under the assumption that whatever I see in the options section can’t be provided as startup flags, until I tried out.
Many thanks for the insights and your time, @seph!