fleet/pkg/osquery/osquery.go

package osquery

import (
	"context"
	"os"
	"os/exec"
	"time"

	"github.com/fleetdm/orbit/pkg/process"
	"github.com/pkg/errors"
	"github.com/rs/zerolog/log"
)

type Runner struct {
	proc   *process.Process
	cmd    *exec.Cmd
	cancel func()
}

func NewRunner(options ...func(*Runner) error) (*Runner, error) {
	r := &Runner{}

	// TODO set path and flags appropriately
	cmd := exec.Command(
		"osqueryd",
		"--pidfile=/tmp/osquery.pid",
		"--database_path=/tmp/osquery.test.db",
		"--extensions_socket=/tmp/osquery.em",
		"--config_path=/tmp/osquery.conf",
		"--logger_path=/tmp",
	)
	cmd.Stdout = os.Stdout
	cmd.Stderr = os.Stderr

	r.cmd = cmd
	r.proc = process.NewWithCmd(cmd)

	for _, option := range options {
		err := option(r)
		if err != nil {
			return nil, errors.Wrap(err, "apply option")
		}
	}

	return r, nil
}

func WithFlags(flags []string) func(*Runner) error {
	return func(r *Runner) error {
		r.cmd.Args = append(r.cmd.Args, flags...)
		return nil
	}
}

func WithEnv(env []string) func(*Runner) error {
	return func(r *Runner) error {
		r.cmd.Env = append(r.cmd.Env, env...)
		return nil
	}
}

func WithPath(path string) func(*Runner) error {
	return func(r *Runner) error {
		r.cmd.Path = path
		return nil
	}
}

// WithShell adds the -S flag to run an osqueryi shell.
func WithShell() func(*Runner) error {
	return func(r *Runner) error {
		r.cmd.Args = append(r.cmd.Args, "-S")
		r.cmd.Stdout = os.Stdout
		r.cmd.Stderr = os.Stderr
		r.cmd.Stdin = os.Stdin
		return nil
	}
}

func (r *Runner) Execute() error {
	log.Debug().Str("cmd", r.cmd.String()).Msg("Run osquery")

	ctx, cancel := context.WithCancel(context.Background())
	r.cancel = cancel

	if err := r.proc.Start(); err != nil {
		return errors.Wrap(err, "start osquery")
	}

	if err := r.proc.StopOrKill(ctx, 10*time.Second); err != nil {
		return errors.Wrap(err, "osquery exited with error")
	}

	return errors.New("osquery exited unexpectedly")
}

func (r *Runner) Interrupt(err error) {
	log.Debug().Msg("interrupt osquery")
	r.cancel()
}
Add initial pattern for osquery execution 2020-12-17 03:24:23 +00:00			`package osquery`

			`import (`
			`"context"`
			`"os"`
			`"os/exec"`
			`"time"`

Rename src subdirectory to pkg This makes directory naming consistent with Fleet. 2020-12-21 23:57:38 +00:00			`"github.com/fleetdm/orbit/pkg/process"`
Add initial pattern for osquery execution 2020-12-17 03:24:23 +00:00			`"github.com/pkg/errors"`
Refactor logging to use zerolog 2021-01-14 02:21:25 +00:00			`"github.com/rs/zerolog/log"`
Add initial pattern for osquery execution 2020-12-17 03:24:23 +00:00			`)`

			`type Runner struct {`
			`proc *process.Process`
			`cmd *exec.Cmd`
			`cancel func()`
			`}`

Add flags for connecting to Fleet server Connection only works currently if the Fleet server has a TLS cert that is trusted by osquery. 2020-12-17 22:48:12 +00:00			`func NewRunner(options ...func(Runner) error) (Runner, error) {`
Add initial pattern for osquery execution 2020-12-17 03:24:23 +00:00			`r := &Runner{}`

			`// TODO set path and flags appropriately`
			`cmd := exec.Command(`
			`"osqueryd",`
			`"--pidfile=/tmp/osquery.pid",`
			`"--database_path=/tmp/osquery.test.db",`
			`"--extensions_socket=/tmp/osquery.em",`
			`"--config_path=/tmp/osquery.conf",`
			`"--logger_path=/tmp",`
			`)`
			`cmd.Stdout = os.Stdout`
			`cmd.Stderr = os.Stderr`

			`r.cmd = cmd`
			`r.proc = process.NewWithCmd(cmd)`

Add flags for connecting to Fleet server Connection only works currently if the Fleet server has a TLS cert that is trusted by osquery. 2020-12-17 22:48:12 +00:00			`for _, option := range options {`
			`err := option(r)`
			`if err != nil {`
			`return nil, errors.Wrap(err, "apply option")`
			`}`
			`}`

Add initial pattern for osquery execution 2020-12-17 03:24:23 +00:00			`return r, nil`
			`}`

Add flags for connecting to Fleet server Connection only works currently if the Fleet server has a TLS cert that is trusted by osquery. 2020-12-17 22:48:12 +00:00			`func WithFlags(flags []string) func(*Runner) error {`
			`return func(r *Runner) error {`
			`r.cmd.Args = append(r.cmd.Args, flags...)`
			`return nil`
			`}`
			`}`

Allow setting osquery environment This enables setting the enroll secret, and therefore the started osquery process can actually enroll with Fleet. 2020-12-18 17:36:06 +00:00			`func WithEnv(env []string) func(*Runner) error {`
			`return func(r *Runner) error {`
			`r.cmd.Env = append(r.cmd.Env, env...)`
			`return nil`
			`}`
			`}`

Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00			`func WithPath(path string) func(*Runner) error {`
			`return func(r *Runner) error {`
			`r.cmd.Path = path`
			`return nil`
			`}`
			`}`

Add shell subcommand 2021-01-14 01:00:46 +00:00			`// WithShell adds the -S flag to run an osqueryi shell.`
			`func WithShell() func(*Runner) error {`
			`return func(r *Runner) error {`
			`r.cmd.Args = append(r.cmd.Args, "-S")`
			`r.cmd.Stdout = os.Stdout`
			`r.cmd.Stderr = os.Stderr`
			`r.cmd.Stdin = os.Stdin`
			`return nil`
			`}`
			`}`

Add initial pattern for osquery execution 2020-12-17 03:24:23 +00:00			`func (r *Runner) Execute() error {`
Refactor logging to use zerolog 2021-01-14 02:21:25 +00:00			`log.Debug().Str("cmd", r.cmd.String()).Msg("Run osquery")`

Add PoC autoupdate functionality This demonstrates the ability to download the verified "stable" version of osquery and execute it with the given flags. 2021-01-13 03:00:16 +00:00			`ctx, cancel := context.WithCancel(context.Background())`
			`r.cancel = cancel`

Add initial pattern for osquery execution 2020-12-17 03:24:23 +00:00			`if err := r.proc.Start(); err != nil {`
			`return errors.Wrap(err, "start osquery")`
			`}`

			`if err := r.proc.StopOrKill(ctx, 10*time.Second); err != nil {`
			`return errors.Wrap(err, "osquery exited with error")`
			`}`

			`return errors.New("osquery exited unexpectedly")`
			`}`

			`func (r *Runner) Interrupt(err error) {`
Refactor logging to use zerolog 2021-01-14 02:21:25 +00:00			`log.Debug().Msg("interrupt osquery")`
Add initial pattern for osquery execution 2020-12-17 03:24:23 +00:00			`r.cancel()`
			`}`