fleet/orbit/cmd/fleetd_tables
Benjamin Edwards 879d02c219
add simple go osquery extension & readme to register orbit tables (#10795)
closes https://github.com/fleetdm/fleet/issues/10708

New osquery extension & readme that describes how to build and get
osqueryd to autoload.
2023-03-31 10:39:13 -04:00
fleetd_tables.go add simple go osquery extension & readme to register orbit tables (#10795) 2023-03-31 10:39:13 -04:00
README.md add simple go osquery extension & readme to register orbit tables (#10795) 2023-03-31 10:39:13 -04:00

Fleet osquery extensions without fleetd

If you want some of the fleetd tables but cannot run fleetd natively, you can use this "fleetd_tables" extension with standalone osqueryd.

Building the extension

First, run the build (note that osquery requires the .ext suffix):

go build -o fleetd_tables.ext fleetd_tables.go

Or use the Makefile:

make fleetd-tables-linux

Then move it somewhere osqueryd can load it:

sudo cp fleetd_tables.ext /usr/local/osquery_extensions

And tell osqueryd to autoload your extension:

echo "/usr/local/osquery_extensions/fleetd_tables.ext" > /tmp/extensions.load

Finally, launch osqueryd:

sudo osqueryd --extensions_autoload=/tmp/extensions.load
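Because osqueryd is started with sudo and executes every path listed in the autoload file, the binary, the autoload file and their directories should be writable only by root. The following check is an added example, not part of the Fleet repository; the function names audit_path and audit_autoload are hypothetical, and it assumes a root-run osqueryd (uid 0) unless another uid is passed.

```shell
#!/bin/sh
# Added example (not from the Fleet repo): audit an osquery autoload file.
# Assumption: osqueryd runs as root (uid 0), as in the "sudo osqueryd" step.

# audit_path PATH UID: succeed only if PATH exists, is owned by UID and is
# not writable by group or other. The mode string is read from `ls -ldn`.
audit_path() (
    info=$(ls -ldn -- "$1" 2>/dev/null) || { echo "missing: $1"; exit 1; }
    mode=${info%% *}                                  # e.g. -rwxr-xr-x
    owner=$(printf '%s\n' "$info" | awk '{print $3}') # numeric owner uid
    case $mode in
        # character 6 is group-write, character 9 is other-write
        ?????w*|????????w*) echo "group/other-writable: $1"; exit 1 ;;
    esac
    [ "$owner" = "$2" ] || { echo "owner uid $owner, expected $2: $1"; exit 1; }
)

# audit_autoload LOADFILE [UID]: check the autoload file, its directory,
# and every extension path listed in it (plus each parent directory).
audit_autoload() (
    load=$1; uid=${2:-0}; rc=0
    audit_path "$load" "$uid" || rc=1
    audit_path "$(dirname -- "$load")" "$uid" || rc=1
    [ -r "$load" ] || exit 1
    while IFS= read -r ext || [ -n "$ext" ]; do
        [ -n "$ext" ] || continue                     # skip blank lines
        case $ext in
            *.ext) ;;                                 # suffix osquery requires
            *) echo "missing .ext suffix: $ext"; rc=1 ;;
        esac
        audit_path "$ext" "$uid" || rc=1
        audit_path "$(dirname -- "$ext")" "$uid" || rc=1
    done < "$load"
    exit "$rc"
)

# Usage after sourcing this file: audit_autoload /tmp/extensions.load 0
```

Run against the paths used above, this reports /tmp as group/other-writable and the autoload file as owned by the invoking user rather than root; keeping the autoload file in a root-owned directory clears both findings.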

Local testing

Obtain the extensions_socket path:

osqueryi --nodisable_extensions
osquery> select value from osquery_flags where name = 'extensions_socket';
+-----------------------------------+
| value                             |
+-----------------------------------+
| /Users/USERNAME/.osquery/shell.em |
+-----------------------------------+

Then run the app against that socket:

go run ./fleetd_tables.go --socket /Users/USERNAME/.osquery/shell.em

Or you can build the app and have osqueryi load it:

go build -o fleetd_tables.ext fleetd_tables.go
osqueryi --extension /path/to/fleetd_tables.ext