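def start_extension(name="<unknown>", version="0.0.0", sdk_version="1.8.0",
                    min_sdk_version="1.8.0"):
    """Register this extension with osquery core and serve it over thrift.

    This call blocks for the lifetime of the extension: it registers the
    plugins held by the ExtensionManager with the core extension-manager
    socket named on the command line, starts a watchdog thread, and then
    runs a thrift server on ``<socket>.<uuid>`` until the process exits.

    Keyword arguments:
    name -- the name of your extension
    version -- the version of your extension
    sdk_version -- the version of the osquery SDK used to build this extension
    min_sdk_version -- the minimum version of the osquery SDK that you can use

    Returns None, without starting anything, when the core socket cannot be
    opened within ``args.timeout``; that failure is deliberately silent here.

    Raises ExtensionException (code 1) when the registration call cannot reach
    the socket, or when core answers with a non-zero status.
    """
    args = parse_cli_params()

    # The thrift module logs a lot; route its records to a null handler.
    logging.getLogger('thrift').addHandler(logging.NullHandler())

    client = ExtensionClient(path=args.socket)
    if not client.open(args.timeout):
        return

    ext_manager = ExtensionManager()
    info = InternalExtensionInfo(
        name=name,
        version=version,
        sdk_version=sdk_version,
        min_sdk_version=min_sdk_version,
    )

    # Hand our plugin registry to the core extension manager.
    try:
        status = client.extension_manager_client().registerExtension(
            info=info,
            registry=ext_manager.registry(),
        )
    except socket.error:
        raise ExtensionException(
            code=1,
            message="Could not connect to %s" % args.socket,
        )

    # Compare by value: ``is not 0`` only works because CPython caches small
    # ints and is a SyntaxWarning on Python 3.8+.
    if status.code != 0:
        raise ExtensionException(code=1, message=status.message)

    # Watchdog thread monitoring the osquery process (see start_watcher).
    # Marked daemon so it never keeps the interpreter alive by itself.
    watcher = threading.Thread(target=start_watcher,
                               args=(client, args.interval))
    watcher.daemon = True
    watcher.start()

    # Core assigned us a UUID; the extension listens on "<socket>.<uuid>".
    ext_manager.uuid = status.uuid
    listen_path = args.socket + "." + str(status.uuid)
    # NOTE(review): the file mode of this unix socket comes from thrift and
    # the process umask, not from this code. Any local peer that can connect
    # can invoke the registered plugins, so confirm the socket directory is
    # restricted to osquery core.
    transport = TSocket.TServerSocket(unix_socket=listen_path)
    server = TServer.TSimpleServer(
        Processor(ext_manager),
        transport,
        TTransport.TBufferedTransportFactory(),
        TBinaryProtocol.TBinaryProtocolFactory(),
    )
    server.serve()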
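def register_plugin(plugin):
    """Decorator that registers a plugin class with the ExtensionManager.

    To register your plugin, add this decorator to your plugin's
    implementation class::

        @osquery.register_plugin
        class MyTablePlugin(osquery.TablePlugin):
            ...

    Returns the plugin unchanged. A decorator that returns None rebinds the
    decorated name to None at module scope, which would leave the class
    unusable by name (for example when instantiating it directly in tests).
    """
    ExtensionManager().add_plugin(plugin)
    return plugin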
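def start_extension(name="<unknown>", version="0.0.0", sdk_version="1.8.0",
                    min_sdk_version="1.8.0"):
    """Register this extension with osquery core and serve it over thrift.

    This call blocks for the lifetime of the extension: it registers the
    plugins held by the ExtensionManager with the core extension-manager
    socket named on the command line and then runs a thrift server on
    ``<socket>.<uuid>`` until the process exits.

    Keyword arguments:
    name -- the name of your extension
    version -- the version of your extension
    sdk_version -- the version of the osquery SDK used to build this extension
    min_sdk_version -- the minimum version of the osquery SDK that you can use

    Raises ExtensionException (code 1) when the registration call cannot reach
    the socket, or when core answers with a non-zero status.
    """
    args = parse_cli_params()
    client = ExtensionClient(path=args.socket)
    client.open()

    ext_manager = ExtensionManager()
    info = InternalExtensionInfo(
        name=name,
        version=version,
        sdk_version=sdk_version,
        min_sdk_version=min_sdk_version,
    )

    # Hand our plugin registry to the core extension manager.
    try:
        status = client.extension_manager_client().registerExtension(
            info=info,
            registry=ext_manager.registry(),
        )
    except socket.error:
        raise ExtensionException(
            code=1,
            message="Could not connect to %s" % args.socket,
        )

    # Compare by value: ``is not 0`` only works because CPython caches small
    # ints and is a SyntaxWarning on Python 3.8+.
    if status.code != 0:
        raise ExtensionException(code=1, message=status.message)

    # Core assigned us a UUID; the extension listens on "<socket>.<uuid>".
    ext_manager.uuid = status.uuid
    listen_path = args.socket + "." + str(status.uuid)
    # NOTE(review): the file mode of this unix socket comes from thrift and
    # the process umask, not from this code. Any local peer that can connect
    # can invoke the registered plugins, so confirm the socket directory is
    # restricted to osquery core.
    transport = TSocket.TServerSocket(unix_socket=listen_path)
    server = TServer.TSimpleServer(
        Processor(ext_manager),
        transport,
        TTransport.TBufferedTransportFactory(),
        TBinaryProtocol.TBinaryProtocolFactory(),
    )
    server.serve()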
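def start_extension(name="<unknown>", version="0.0.0", sdk_version="1.4.4",
                    min_sdk_version="1.4.4"):
    """Register this extension with osquery core and serve it over thrift.

    This call blocks for the lifetime of the extension: it registers the
    plugins held by the ExtensionManager with the core extension-manager
    socket named on the command line and then runs a thrift server on
    ``<socket>.<uuid>`` until the process exits.

    Keyword arguments:
    name -- the name of your extension
    version -- the version of your extension
    sdk_version -- the version of the osquery SDK used to build this extension
    min_sdk_version -- the minimum version of the osquery SDK that you can use

    Raises ExtensionException (code 1) when the registration call cannot reach
    the socket, or when core answers with a non-zero status.
    """
    args = parse_cli_params()
    client = ExtensionClient(path=args.socket)
    client.open()

    ext_manager = ExtensionManager()
    info = InternalExtensionInfo(
        name=name,
        version=version,
        sdk_version=sdk_version,
        min_sdk_version=min_sdk_version,
    )

    # Hand our plugin registry to the core extension manager.
    try:
        status = client.extension_manager_client().registerExtension(
            info=info,
            registry=ext_manager.registry(),
        )
    except socket.error:
        raise ExtensionException(
            code=1,
            message="Could not connect to %s" % args.socket,
        )

    # Compare by value: ``is not 0`` only works because CPython caches small
    # ints and is a SyntaxWarning on Python 3.8+.
    if status.code != 0:
        raise ExtensionException(code=1, message=status.message)

    # Core assigned us a UUID; the extension listens on "<socket>.<uuid>".
    ext_manager.uuid = status.uuid
    listen_path = args.socket + "." + str(status.uuid)
    # NOTE(review): the file mode of this unix socket comes from thrift and
    # the process umask, not from this code. Any local peer that can connect
    # can invoke the registered plugins, so confirm the socket directory is
    # restricted to osquery core.
    transport = TSocket.TServerSocket(unix_socket=listen_path)
    server = TServer.TSimpleServer(
        Processor(ext_manager),
        transport,
        TTransport.TBufferedTransportFactory(),
        TBinaryProtocol.TBinaryProtocolFactory(),
    )
    server.serve()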
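def deregister_extension():
    """Deregister the entire extension from the core extension manager.

    Uses the UUID that start_extension stored on the ExtensionManager
    (which appears to be shared between the two calls); without a UUID there
    is nothing to deregister, so the socket is not opened at all in that case.

    Raises ExtensionException (code 1) when no UUID is recorded, when the core
    socket is unreachable, or when core answers with a non-zero status.
    """
    args = parse_cli_params()
    ext_manager = ExtensionManager()

    # Validate before touching the socket: no UUID means no registration.
    if ext_manager.uuid is None:
        raise ExtensionException(
            code=1,
            message="Extension Manager does not have a valid UUID",
        )

    client = ExtensionClient(path=args.socket)
    client.open()
    try:
        status = client.extension_manager_client().deregisterExtension(
            ext_manager.uuid)
    except socket.error:
        raise ExtensionException(
            code=1,
            message="Could not connect to %s" % args.socket,
        )

    # Compare by value: ``is not 0`` only works because CPython caches small
    # ints and is a SyntaxWarning on Python 3.8+.
    if status.code != 0:
        raise ExtensionException(code=1, message=status.message)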
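def start_extension(name="<unknown>", version="0.0.0", sdk_version="1.8.0",
                    min_sdk_version="1.8.0"):
    """Register this extension with osquery core and serve it over thrift.

    This call blocks for the lifetime of the extension: it registers the
    plugins held by the ExtensionManager with the core extension-manager
    socket (a unix socket, or a named pipe on Windows) given on the command
    line, starts a watchdog thread, and then runs a thrift server on
    ``<socket>.<uuid>`` until the process exits.

    Keyword arguments:
    name -- the name of your extension
    version -- the version of your extension
    sdk_version -- the version of the osquery SDK used to build this extension
    min_sdk_version -- the minimum version of the osquery SDK that you can use

    Returns None, without starting anything, when the core socket cannot be
    opened within ``args.timeout`` and ``--verbose`` is not set.

    Raises ExtensionException (code 1) when the socket cannot be opened and
    ``--verbose`` is set, when the registration call cannot reach the socket,
    or when core answers with a non-zero status.
    """
    args = parse_cli_params()

    # The thrift module logs a lot; route its records to a null handler.
    logging.getLogger('thrift').addHandler(logging.NullHandler())

    client = ExtensionClient(path=args.socket)
    if not client.open(args.timeout):
        # Only surface the open failure when the user asked for verbosity;
        # otherwise the extension exits quietly, as before.
        if args.verbose:
            raise ExtensionException(
                code=1,
                message="Could not open socket %s" % args.socket,
            )
        return

    ext_manager = ExtensionManager()
    info = InternalExtensionInfo(
        name=name,
        version=version,
        sdk_version=sdk_version,
        min_sdk_version=min_sdk_version,
    )

    # Hand our plugin registry to the core extension manager.
    try:
        status = client.extension_manager_client().registerExtension(
            info=info,
            registry=ext_manager.registry(),
        )
    except socket.error:
        raise ExtensionException(
            code=1,
            message="Could not connect to %s" % args.socket,
        )

    # Compare by value: ``is not 0`` only works because CPython caches small
    # ints and is a SyntaxWarning on Python 3.8+.
    if status.code != 0:
        raise ExtensionException(code=1, message=status.message)

    # Watchdog thread monitoring the osquery process (see start_watcher).
    # Marked daemon so it never keeps the interpreter alive by itself.
    watcher = threading.Thread(target=start_watcher,
                               args=(client, args.interval))
    watcher.daemon = True
    watcher.start()

    # Core assigned us a UUID; the extension listens on "<socket>.<uuid>".
    ext_manager.uuid = status.uuid
    listen_path = "{}.{}".format(args.socket, status.uuid)
    # NOTE(review): the permissions of this endpoint (unix socket mode via
    # umask, or the named pipe's security descriptor) are not set here. Any
    # local peer that can connect can invoke the registered plugins, so
    # confirm access is restricted to osquery core.
    if sys.platform == 'win32':
        transport = TPipeServer(pipe_name=listen_path)
    else:
        transport = TSocket.TServerSocket(unix_socket=listen_path)
    server = TServer.TSimpleServer(
        Processor(ext_manager),
        transport,
        TTransport.TBufferedTransportFactory(),
        TBinaryProtocol.TBinaryProtocolFactory(),
    )
    server.serve()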