mirror of https://github.com/empayre/fleet.git synced 2024-11-07 01:15:22 +00:00

Benjamin Edwards 879d02c219

add simple go osquery extension & readme to register orbit tables (#10795 )

closes https://github.com/fleetdm/fleet/issues/10708

New osquery extension & readme that describes how to build and get
osqueryd to autoload.

2023-03-31 10:39:13 -04:00

1.4 KiB

Raw Blame History

Fleet osquery extensions without fleetd

If you are interested in getting some of the fleetd tables but cannot run fleetd natively then its possible to utilize this "fleetd_tables" extension with standalone osqueryd.

Building the extension

First run (note .ext is required for osquery):

go build -o fleetd_tables.ext fleetd_tables.go

or using the Makefile

make fleetd-tables-linux

Then move it somewhere osqueryd can load it:

sudo cp fleetd_tables.ext /usr/local/osquery_extensions

And tell osqueryd to autoload your extension

echo "/usr/local/osquery_extensions/fleetd_tables.ext" > /tmp/extensions.load

Finally, launch osqueryd

sudo osqueryd --extensions_autoload=/tmp/extensions.load

Local testing

Obtain the extensions_socket

osqueryi --nodisable_extensions
osquery> select value from osquery_flags where name = 'extensions_socket';
+-----------------------------------+
| value                             |
+-----------------------------------+
| /Users/USERNAME/.osquery/shell.em |
+-----------------------------------+

Then run the app

go run ./fleetd_tables.go --socket /Users/USERNAME/.osquery/shell.em

Or you can build the app and have osqueryi load it

go build -o fleetd_tables.ext fleetd_tables.go
osqueryi --extension /path/to/fleetd_tables.ext

1.4 KiB Raw Blame History

Fleet osquery extensions without fleetd

Building the extension

Local testing

1.4 KiB

Raw Blame History