osquery / osquery-go

Go bindings for osquery
MIT License

When schedule Osquery packs in runtime config not getting callback #121

Open User2798 opened 9 months ago

User2798 commented 9 months ago

Issue - I created an osquery extension which includes a logger and a config plugin using osquery-go. Within this extension, I established a runtime config. When a scheduled query is triggered, it works fine. However, when Packs are utilized, it does not provide the expected callback.

Operating System - Windows 10
go version - go1.21.3

Code snippet

Flags:

--disable_extensions=false
--disable_events=false
--events_expiry=1
--events_optimize=true
--events_max=500000
--logger_plugin=testlogger
--config_plugin=testconfig
--extensions_timeout=600
--extensions_interval=5
--extensions_require=testextmgr
--database_path="C:\Program Files\Test\testosqueryd.db"
--extensions_socket="\\.\pipe\testosquery.em"

Below is my runtime config:

const configSchedule_processes string = `
{
    "schedule": {
        "processes": {
            "query": "SELECT * FROM processes;",
            "interval": 10
        }
    },
    "packs": {
        "windows-attacks": "C:\\Program Files\\osquery\\packs\\windows-attacks.conf"
    }
}
`

Below are my logger and config functions.

package main

import (
    "context"
    "fmt"

    "github.com/osquery/osquery-go/plugin/logger"
)

// gCnt counts the log lines the logger plugin has received.
var gCnt int

// LogString is the logger plugin callback: print the line and count it.
func LogString(ctx context.Context, typ logger.LogType, logText string) error {
    fmt.Println(logText)
    gCnt++
    return nil
}

// ConfigCallback is the config plugin callback: return the runtime config
// under the "config" source name.
func ConfigCallback(ctx context.Context) (map[string]string, error) {
    return map[string]string{
        "config": configSchedule_processes,
    }, nil
}

Output - Only getting a callback for processes. Not getting any callback for packs. For now I am trying with only one config, but in a real scenario we can use multiple files.

What does windows-attacks.conf contain? Answer - This is a general pack found at https://github.com/osquery/osquery/tree/master/packs

A few other observations - I am no expert in this; I am learning osquery. But https://osquery.readthedocs.io/en/stable/development/config-plugins/

says that osquery packs need to be supported by implementing a virtual method in C++ (see "Additional overloads" at the link above).

In osquery-go it seems that only genConfig is handled; genPack is not handled.

Can someone PLEASE help here? Thanks in advance.
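As an added example (not code from the issue author or from osquery-go), here is one way to sidestep the missing genPack handling from the Go side: resolve the pack file paths inside the config plugin itself and return a config whose "packs" entries are the pack JSON objects rather than paths. osquery accepts inline pack objects in the "packs" section, so the core never needs a genPack round trip. The names SampleConfig, PackLoader and InlinePacks are chosen here, and SampleConfig is a constructed copy of the issue's config shape. The result of InlinePacks is what a callback like ConfigCallback above would return as the "config" value; a pack that cannot be read is surfaced as an error instead of being silently dropped, so a missing detection pack does not go unnoticed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// SampleConfig is a constructed config in the same shape as the issue's
// runtime config: one scheduled query plus a pack referenced by file path.
const SampleConfig = `{
  "schedule": {
    "processes": {"query": "SELECT * FROM processes;", "interval": 10}
  },
  "packs": {
    "windows-attacks": "C:\\Program Files\\osquery\\packs\\windows-attacks.conf"
  }
}`

// PackLoader returns the raw JSON of one pack, given the pack name and the
// path the config lists for it. Production code passes a wrapper around
// os.ReadFile; a test can inject a loader that returns constructed JSON.
type PackLoader func(name, path string) ([]byte, error)

// InlinePacks rewrites every "packs" entry that is a file path into the
// pack's own JSON object. The returned config is self-contained, so osquery
// has no reason to send the config plugin a "genPack" request. Entries that
// are already objects are left untouched; a pack that cannot be read or is
// not a JSON object is reported as an error rather than dropped silently.
func InlinePacks(config []byte, load PackLoader) ([]byte, error) {
	var cfg map[string]json.RawMessage
	if err := json.Unmarshal(config, &cfg); err != nil {
		return nil, fmt.Errorf("parse config: %w", err)
	}
	rawPacks, ok := cfg["packs"]
	if !ok {
		return config, nil // nothing to inline
	}
	var packs map[string]json.RawMessage
	if err := json.Unmarshal(rawPacks, &packs); err != nil {
		return nil, fmt.Errorf("parse packs: %w", err)
	}
	for name, entry := range packs {
		var path string
		if err := json.Unmarshal(entry, &path); err != nil {
			continue // not a string, so it is already an inline pack object
		}
		body, err := load(name, path)
		if err != nil {
			return nil, fmt.Errorf("load pack %q from %s: %w", name, path, err)
		}
		var obj map[string]json.RawMessage
		if err := json.Unmarshal(body, &obj); err != nil {
			return nil, fmt.Errorf("pack %q at %s is not a JSON object: %w", name, path, err)
		}
		packs[name] = json.RawMessage(body)
	}
	merged, err := json.Marshal(packs)
	if err != nil {
		return nil, err
	}
	cfg["packs"] = merged
	return json.Marshal(cfg)
}

func main() {
	// Stand-alone run: read packs from disk. On a machine without the pack
	// file this prints the load error, which is the intended behaviour.
	out, err := InlinePacks([]byte(SampleConfig), func(_ string, path string) ([]byte, error) {
		return os.ReadFile(path)
	})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(string(out))
}
```

In the extension, call InlinePacks from the config callback and return its output under "config"; the osquery process then schedules the pack queries from the inline objects exactly as it would from a file, and the extension's own log shows whether each pack was actually loaded.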