# fleet

tokcum

03/09/2023, 11:22 PM
Hi, reviewing our Software inventory in fleet, I've come across some browser extensions which I found, looking at their names, inappropriate in a corporate environment. The investigation showed that those extensions were "just" themes. Technically osquery lists all extensions in `chrome_extensions` and fleet uses this table to fill the software inventory. However, from a security perspective a theme is a different story than code run by the browser and interacting with the user. So, I was wondering if it's possible to differentiate the two. I've not found a dedicated column for this in `chrome_extensions`, but looking into the extension's `manifest_json` provided an opportunity.
```sql
-- List Chrome extensions whose manifest contains a "theme" key
SELECT
  name AS name,
  version AS version,
  'Browser theme (Chrome)' AS type
FROM users CROSS JOIN chrome_extensions USING (uid)
WHERE json_extract(manifest_json, '$.theme') <> ''
```
It would be great if fleet could differentiate "full blown extensions" from "just a theme". Not sure if my initial approach is a good fit and covers all scenarios. Maybe there are extensions which are both. I've also seen extensions which just provide a background. Maybe they have no `theme` in their manifest. Looking forward to a discussion of this topic and hopefully this is valuable enough to find a way into fleet. :)

clong

03/09/2023, 11:57 PM
Technically osquery lists all extensions in chrome_extensions and fleet uses this table to fill the software inventory. However, from a security perspective a theme is a different story than code run by the browser and interacting with the user.
Does the theme get installed as an extension? Regardless of what the extension does (apply a theme, for example), it's still a chrome extension

tokcum

03/13/2023, 10:36 AM
Yes, themes are installed as extensions. I think it would be great if we were able to differentiate extensions which just provide themes / backgrounds from other extensions.
Here is an example of extensions I've found with my approach, some of them having names from games. Because of the names, this caught my attention, initially.

roberto

03/13/2023, 11:31 AM
hey! thanks for bringing this up! I have asked the team what is the best way to move this discussion forward (so it doesn't get silently lost here) will let you know when I know more
Got an answer: the best way to ask for feature requests is by opening an issue in GitHub, if you don't have time just lmk and I can do that for you with the info you provided

tokcum

03/17/2023, 11:22 AM
Thanks, Roberto, I'll raise an issue on GitHub shortly.