Oleksii Siechko
03/05/2023, 3:50 PM

John Speno
03/05/2023, 5:36 PM
osqueryd and your loaded extension will already be running with privileges so you may not need to throw sudo into the mix.

Oleksii Siechko
03/06/2023, 10:00 AM
osqueryi --extension ... because the extension should be running in the background from root due to sudo problems.

#!/bin/bash
# Query the list of tables with extensions enabled and print the CSV result.
result=$(osqueryi --nodisable_extensions --header=false --csv ".tables")
echo "$result"

John Speno
03/06/2023, 10:05 AM
osqueryi. Is that correct?

Oleksii Siechko
03/06/2023, 10:06 AM

John Speno
03/06/2023, 10:07 AM
osqueryi in the bash script?

Oleksii Siechko
03/06/2023, 10:09 AM

John Speno
03/06/2023, 10:11 AM
osqueryi, are you running that using sudo? FYI: The --verbose flag for osqueryi may help.

Oleksii Siechko
03/06/2023, 10:15 AM

John Speno
03/06/2023, 10:19 AM
--extensions_timeout=N where you control how long it will wait for the extension to ready itself. Maybe this can help?

Oleksii Siechko
03/06/2023, 10:20 AM

John Speno
03/06/2023, 10:39 AM

Oleksii Siechko
03/06/2023, 11:38 AM
select * from my_table; it triggers the extension to get data, and it takes permissions from my current user, not root.
Example:

osqueryi --nodisable_extensions
select * from my_table;
ERROR

sudo osqueryi --nodisable_extensions
select * from my_table;
Good result

server.RegisterPlugin(table.NewPlugin("ext", extColumns(), extGenerate))

John Speno
03/06/2023, 11:58 AM

Oleksii Siechko
03/06/2023, 12:02 PM

John Speno
03/06/2023, 12:07 PM
osqueryi or osqueryd. I suppose other OS level security controls might come into play here, like selinux or something. I don't have much experience with those however.

seph
03/06/2023, 3:19 PM

Oleksii Siechko
03/06/2023, 6:47 PM
server.RegisterPlugin(table.NewPlugin("ext", extColumns(), extGenerate))
extGenerate performs a bash command and puts the output into the table.
I've added this extension for osqueryd.

<array>
<string>/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd</string>
<string>--flagfile=/private/var/osquery/osquery.flags</string>
<string>--extensions_autoload=/var/osquery/extensions.load</string>
<string>--extensions_timeout=5</string>
</array>

The extensions.load file:
/usr/local/osquery_extensions/my_table.ext

So, when I run osqueryi without sudo, the extension fails to put data into the table. When I run sudo osqueryi, it works correctly.
osqueryi version 5.7.0

John Speno
03/06/2023, 7:04 PM
bash command work properly when not run with sudo?

Oleksii Siechko
03/06/2023, 7:48 PM

John Speno
03/06/2023, 7:51 PM
osqueryi or osqueryd must be run as root because the extension would be started by whichever you are using. osqueryd is running as root so that's not an issue. With osqueryi, it will depend on what you need to do with it.

Oleksii Siechko
03/06/2023, 8:51 PM

John Speno
03/06/2023, 11:04 PM
osqueryi runs its own copy of the extension, distinct from what osqueryd is doing.

Stefano Bonicatti
03/07/2023, 9:16 AM
osqueryi is not a shell to a running daemon; osqueryi is just the osqueryd binary renamed/linked as such (or you can launch the same functionality with osqueryd -S). It's just that it lets you do queries immediately, provided from stdin, and has no logging or scheduler functionality.