mirror of https://github.com/empayre/fleet.git synced 2024-11-06 08:55:24 +00:00

History

Lucas Manuel Rodriguez 7a33a108cb Add `--verbose` flag to `fleetd_tables` (needed when `osqueryd` runs in verbose mode) (#12504 ) Found while load testing the macOS CIS benchmark policy queries using `fleetd_tables` as an extension (#10292). Basically, osqueryd passes the `--verbose` flag to the extension, so we need to add it here to not fail the extension execution.		2023-06-27 10:42:48 -03:00
..
fleetd_tables.go	Add `--verbose` flag to `fleetd_tables` (needed when `osqueryd` runs in verbose mode) (#12504 )	2023-06-27 10:42:48 -03:00
README.md	add simple go osquery extension & readme to register orbit tables (#10795 )	2023-03-31 10:39:13 -04:00

README.md

Fleet osquery extensions without fleetd

If you are interested in getting some of the fleetd tables but cannot run fleetd natively then its possible to utilize this "fleetd_tables" extension with standalone osqueryd.

Building the extension

First run (note .ext is required for osquery):

go build -o fleetd_tables.ext fleetd_tables.go

or using the Makefile

make fleetd-tables-linux

Then move it somewhere osqueryd can load it:

sudo cp fleetd_tables.ext /usr/local/osquery_extensions

And tell osqueryd to autoload your extension

echo "/usr/local/osquery_extensions/fleetd_tables.ext" > /tmp/extensions.load

Finally, launch osqueryd

sudo osqueryd --extensions_autoload=/tmp/extensions.load

Local testing

Obtain the extensions_socket

osqueryi --nodisable_extensions
osquery> select value from osquery_flags where name = 'extensions_socket';
+-----------------------------------+
| value                             |
+-----------------------------------+
| /Users/USERNAME/.osquery/shell.em |
+-----------------------------------+

Then run the app

go run ./fleetd_tables.go --socket /Users/USERNAME/.osquery/shell.em

Or you can build the app and have osqueryi load it

go build -o fleetd_tables.ext fleetd_tables.go
osqueryi --extension /path/to/fleetd_tables.ext