
When schedule Osquery packs in runtime config not getting callback #121

Open
User2798 opened this issue Dec 16, 2023 · 0 comments

Comments


User2798 commented Dec 16, 2023

Issue - I created an osquery extension which includes a logger and a config plugin using osquery-go. Within this extension, I established a runtime config. When a scheduled query is triggered, it works fine. However, when Packs are utilized, it does not provide the expected callback.

Operating System - Windows 10
go version - go1.21.3

Code snippet

Flags:

--disable_extensions=false
--disable_events=false
--events_expiry=1
--events_optimize=true
--events_max=500000
--logger_plugin=testlogger
--config_plugin=testconfig
--extensions_timeout=600
--extensions_interval=5
--extensions_require=testextmgr
--database_path="C:\Program Files\Test\testosqueryd.db"
--extensions_socket="\\.\pipe\testosquery.em"

Below is my runtime config:

const configSchedule_processes string = `
{
    "schedule": {
        "processes": {
            "query": "SELECT * FROM processes;",
            "interval": 10
        }
    },
    "packs": {
        "windows-attacks": "C:\\Program Files\\osquery\\packs\\windows-attacks.conf"
    }
}
`

Below are my logger and config functions.

import (
    "context"
    "fmt"
    "github.com/osquery/osquery-go/plugin/logger"
)

var gCnt int // number of log lines received so far

// LogString is the logger plugin callback; it prints each line osquery sends.
func LogString(ctx context.Context, typ logger.LogType, logText string) error {
    fmt.Println(logText)
    gCnt = gCnt + 1
    return nil
}

// ConfigCallback is the config plugin callback; the map key is the config source name.
func ConfigCallback(ctx context.Context) (map[string]string, error) {
    return map[string]string{
        "config": configSchedule_processes,
    }, nil
}

Output:
Only getting a callback for processes; not getting any callback for packs. For now I am trying with only one config, but in a real scenario we can use multiple files.

What does windows-attacks.conf contain?
Answer: This is a general pack found at https://github.com/osquery/osquery/tree/master/packs

A few other observations:
I am no expert in this. Learning Osquery.
But,
https://osquery.readthedocs.io/en/stable/development/config-plugins/

This doc says that osquery packs need to be achieved by implementing a virtual method in C++ (see "Additional overloads" at the link above).

In osquery-go it seems that only genConfig is handled; genPack is not handled.

Can someone PLEASE help here?
Thanks in advance.
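Because osquery-go's config plugin only answers the genConfig action, a pack given as a file path is never fetched (osquery would ask the plugin for it via genPack). One way around this, as an added example that is not code from the issue or from osquery-go, is to have the extension read each pack file itself and inline the pack object under "packs" before returning the config; osquery accepts packs either as path strings or as inline objects. `InlinePacks` and `baseConfig` are names assumed here, and the sample config and pack contents are constructed; in a real extension the `load` parameter would be `os.ReadFile`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: the issue's schedule plus a pack referenced by file path.
const baseConfig = `{
  "schedule": {"processes": {"query": "SELECT * FROM processes;", "interval": 10}},
  "packs": {"windows-attacks": "C:\\Program Files\\osquery\\packs\\windows-attacks.conf"}
}`

// InlinePacks replaces every pack given as a path string with that pack's JSON
// object (fetched through load), so osquery never needs a genPack request.
func InlinePacks(cfg string, load func(path string) ([]byte, error)) (string, error) {
	var doc map[string]json.RawMessage
	if err := json.Unmarshal([]byte(cfg), &doc); err != nil {
		return "", fmt.Errorf("parse config: %w", err)
	}
	var packs map[string]json.RawMessage
	if raw, ok := doc["packs"]; ok {
		if err := json.Unmarshal(raw, &packs); err != nil {
			return "", fmt.Errorf("parse packs: %w", err)
		}
	}
	for name, raw := range packs {
		var path string
		if json.Unmarshal(raw, &path) != nil {
			continue // already an inline pack object; keep it
		}
		body, err := load(path)
		if err != nil {
			return "", fmt.Errorf("pack %q: %w", name, err)
		}
		if !json.Valid(body) {
			return "", fmt.Errorf("pack %q: file is not valid JSON", name)
		}
		packs[name] = body
	}
	if packs != nil {
		doc["packs"], _ = json.Marshal(packs)
	}
	out, err := json.Marshal(doc)
	return string(out), err
}
```

The config callback from the issue would then return the result of `InlinePacks(configSchedule_processes, os.ReadFile)` under the "config" key instead of the raw constant, and a missing or malformed pack file surfaces as an error from the callback rather than silently producing no pack queries.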

User2798 changed the title from "When schedule Osquery packs in conf format not getting callback" to "When schedule Osquery packs in runtime config not getting callback" on Dec 16, 2023.