
Oleksii Siechko

03/05/2023, 3:50 PM
Hello guys, I'm a newbie in osquery. Look, I have a question. I need to develop a new osquery custom table where I can put my data. Also, from the plugin, I need to run a bash command with sudo and put the output from the command into a table. It should be running in the background. Later, from another tool that doesn't have sudo permissions, grab information from the osquery table. Is it possible or not?

John Speno

03/05/2023, 5:36 PM
You can pretty much do anything in your extension's code, but whether or not you should is another issue. Maybe you can show the command you think you need to run if you'd like further input on that strategy. If not, I think the answer to your main question is yes. One note is that osqueryd and your loaded extension will already be running with privileges so you may not need to throw sudo into the mix.

Oleksii Siechko

03/06/2023, 10:00 AM
Thank you! Yes, I've implemented the extension and it works. But when I run it with the bash script, my table doesn't appear. When I run osqueryi and then perform a query in the application, I receive the data. Note, I can't run it with osqueryi --extension ... because the extension should be running in the background from root due to sudo problems.
#!/bin/bash
result=$(osqueryi --nodisable_extensions --header=false --csv ".tables")
echo "$result"

John Speno

03/06/2023, 10:05 AM
I think it sounds like the extension works if you query the table the extension implements in osqueryi. Is that correct?

Oleksii Siechko

03/06/2023, 10:06 AM
Yes

John Speno

03/06/2023, 10:07 AM
Does it work when you run osqueryi in the bash script?

Oleksii Siechko

03/06/2023, 10:09 AM
Nope, when I run the script I've provided, there is no table in the .tables output. And also, when I run the exact query, it returns that the table does not exist.

John Speno

03/06/2023, 10:11 AM
When it works from osqueryi, are you running that using sudo? FYI: The --verbose flag for osqueryi may help.

Oleksii Siechko

03/06/2023, 10:15 AM
With the verbose flag, it looks like the extension needs more time to register in osquery. In both cases I receive "Created and monitoring extension child (77338): /usr/local/osquery_extensions/my_table.ext". But when I run it from the terminal, not the script, I also receive the log "Registering extension (ext-ext, 35379, version=, sdk=)".

John Speno

03/06/2023, 10:19 AM
I believe there are some other flags like --extensions_timeout=N where you control how long it will wait for the extension to ready itself. Maybe this can help?

Oleksii Siechko

03/06/2023, 10:20 AM
Gotcha, will check! Thanks.

John Speno

03/06/2023, 10:39 AM
Slava Ukraini!

Oleksii Siechko

03/06/2023, 11:38 AM
I've added the --extensions_require=sentinelctl flag, and now it works perfectly. But one more question, probably the last one: what are the permissions provided by default to an extension? Because I found that it should be run as root. But when I run the bash command from the extension, I receive the same error as when I run my command without sudo, which should never happen because we are under root. I think when I perform the query select * from my_table; it triggers the extension to get data, and it takes permissions from my current user, not root. Example:
osqueryi --nodisable_extensions
select * from my_table;
ERROR
sudo osqueryi --nodisable_extensions
select * from my_table;
Good result
As far as I understand it, we trigger the extGenerate code every time. (Golang)
server.RegisterPlugin(table.NewPlugin("ext", extColumns(), extGenerate))

John Speno

03/06/2023, 11:58 AM
There is some documentation on permissions related to an extension's on disk file here: https://osquery.readthedocs.io/en/stable/deployment/extensions/#extensions-binary-permissions but I'm not sure if that helps here.

Oleksii Siechko

03/06/2023, 12:02 PM
I saw this part, but unfortunately, it doesn't help me because the documentation is more about extension file permissions, not the extension running.

John Speno

03/06/2023, 12:07 PM
As far as I know, extensions run with the same permissions as the process that loads them, i.e. osqueryi or osqueryd. I suppose other OS level security controls might come into play here, like selinux or something. I don't have much experience with those however.
Hopefully someone else in the community can see this discussion and offer some advice. I'm new here also. 👋
Anyone else have ideas for this issue?

seph

03/06/2023, 3:19 PM
osquery doesn't do anything special. If osquery is running as root, the extensions it starts will as well. If it's not running as root, then they'll be executed with whatever permissions osquery has. This is true for extensions started in osqueryi and osqueryd.

Oleksii Siechko

03/06/2023, 6:47 PM
@seph Do you know what might be the issue here:
server.RegisterPlugin(table.NewPlugin("ext", extColumns(), extGenerate))
extGenerate performs a bash command and puts its output into the table. I've added this extension for osqueryd.
<array>
  <string>/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd</string>
  <string>--flagfile=/private/var/osquery/osquery.flags</string>
  <string>--extensions_autoload=/var/osquery/extensions.load</string>
  <string>--extensions_timeout=5</string>
</array>
The extensions.load file:
/usr/local/osquery_extensions/my_table.ext
So, when I run osqueryi without sudo, the extension fails to put data into the table. When I run sudo osqueryi, it works correctly. osqueryi version 5.7.0

John Speno

03/06/2023, 7:04 PM
Does the bash command work properly when not run with sudo?

Oleksii Siechko

03/06/2023, 7:48 PM
In terminal? No, because this command requires sudo permissions

John Speno

03/06/2023, 7:51 PM
Then I think that answers the question, right? If the command needs to run as root, then when the command is run from the extension, it will also need to run as root. Therefore, osqueryi or osqueryd must be run as root because the extension would be started by whichever you are using.
Normally, osqueryd is running as root so that's not an issue. With osqueryi, it will depend on what you need to do with it.

Oleksii Siechko

03/06/2023, 8:51 PM
That's an answer, probably yes. I thought that the extension runs from osqueryd (which is run as root) and that using osqueryi I can get info from this plugin.

John Speno

03/06/2023, 11:04 PM
osqueryi runs its own copy of the extension, distinct from what osqueryd is doing.

Stefano Bonicatti

03/07/2023, 9:16 AM
Yeah, this is a common misconception: osqueryi is not a shell to a running daemon; osqueryi is just the osqueryd binary renamed/linked as such (or you can launch the same functionality with osqueryd -S). It's just that it lets you do queries immediately, provided from stdin, and has no logging or scheduler functionality.