Hello guys, Im a newbie in osquery. Look, I have a question. I need to develop osquery new custom table where I can put my data. Also, from the plugin, I need to run the bash command with sudo and output from the command put into a table. It should be running in the background. Later, from another tool that doesn't have sudo permissions grab information from osquery table. Does it possible or not?

You can pretty much do anything in your extension's code, but wether or not you should is another issue. Maybe you can show the command you think you need to run if you'd like further input on that strategy. If not, I think the answer to your main question is yes. One note is that

osqueryd

and your loaded extension will already be running with privileges so you may not need to throw

sudo

into the mix.

Thank you! Yes, I've implemented the extension and it works. But when I run it with the bash script, my table doesn't appear. When I run osqueryi and then perform a query in the application, I receive the data. Note, I can't run it

osqueryi --extension ...

because the extenstion should be running in the background from root due to sudo problems. #!/bin/bash result=$(osqueryi --nodisable_extensions --header=false --csv ".tables") echo $result

I think it sounds like the extension works if you query the table the extension implements in

osqueryi

. Is that correct?

Yes

Does it work when you run

osqueryi

in the bash script?

Nope, when I run the script I've provided, there is no table in output .tables. And also, when I run exact query, it returns that the table does not exist;

When it works from

osqueryi

, are you running that using

sudo

? FYI: The

--verbose

flag for

osqueryi

may help.

With verbose flag, it looks like that extension needs more time to register in osquery. In both cases I receive Created and monitoring extension child (77338): /usr/local/osquery_extensions/my_table.ext. But when I run it from terminal, not script, I also receive log Registering extension (ext-ext, 35379, version=, sdk=)

I believe there are some other flags like

--extensions_timeout=N

where you control how long it will wait for the extension to ready itself. Maybe this can help?

Gotcha, will check! Thanks.

Slava Ukraini!

I've added --extensions_require=sentinelctl flag, and now it works perfectly. But one more question, probably the last one, what are the permissions provided by default to an extension? Because I found that it should be run as root. But when I run the bash command from the extension, I receive the error same as I run my command without sudo, that should never happen because we are under root. I think when I perform query

select * from my_table;

it triggers the extension to get data, and it takes permissions from my current user, not root. Example:

osqueryi --nodisable_extensions
select * from my_table;
ERROR
sudo osqueryi --nodisable_extensions
select * from my_table;
Good result

There is some documentation on permissions related to an extension's on disk file here: https://osquery.readthedocs.io/en/stable/deployment/extensions/#extensions-binary-permissions but I'm not sure if that helps here.

I saw this part, but unfortunately, it doesn't help me cause the documentation is more about extension file permissions. Not extension running.

As far as I know, extensions run with the same permissions as the process that loads them, i.e.

osqueryi

or

osqueryd

. I suppose other OS level security controls might come into play here, like

selinux

or something. I don't have much experience with those however.

osquery doesn’t do anything special. If osquery is running as root, the extensions it starts will as well. If it’s not running as root, then they’ll be executed with whatever permissions osquery has. This is true for extensions started in osqueryi and osqueryd

@seph Do you know what might be an issue here:

server.RegisterPlugin(table.NewPlugin("ext", extColumns(), extGenerate))

extGenerate - performs bash command and output put into the table. I've added this extension for osqueryd.

<array>
    <string>/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd</string>
    <string>--flagfile=/private/var/osquery/osquery.flags</string>
    <string>--extensions_autoload=/var/osquery/extensions.load</string>
    <string>--extensions_timeout=5</string>
  </array>

The extensions.load file:

/usr/local/osquery_extensions/my_table.ext

So, when I run osqueryi without sudo, the extension fails to put data into the table. When I run sudo osqueryi - it works correctly. osqueryi version 5.7.0

does the

bash

command work properly when not run with

sudo

?

In terminal? No, because this command requires sudo permissions

Then I think that answers the question, right? If the command needs to run as root, then when the command is run from the extension, it will also need to run as root. Therefore,

osqueryi

or

osqueryd

must be run as root because the extension would be started by whichever you are using.

That's an answer, probably yes. I thought, that the extension runs from osqueryd (which is run from root) and using osqueryi I can get info from this plugin.

osqueri

runs its own copy of the extension, distinct from what

osqueryd

is doing.

Yeah this is a common misconception,

osqueryi

is not a shell to a daemon running;

osqueryi

is just the

osqueryd

binary renamed/linked as such (or you can launch the same functionality with

osqueryd -S

). It’s just that it lets you do queries immediately, provided from stdin and has no logging or scheduler funcionality.