def start_extension(name="<unknown>", version="0.0.0", sdk_version="1.8.0",
min_sdk_version="1.8.0"):
"""Start your extension by communicating with osquery core and starting
a thrift server.
Keyword arguments:
name -- the name of your extension
version -- the version of your extension
sdk_version -- the version of the osquery SDK used to build this extension
min_sdk_version -- the minimum version of the osquery SDK that you can use
"""
args = parse_cli_params()
# Disable logging for the thrift module (can be loud).
logging.getLogger('thrift').addHandler(logging.NullHandler())
client = ExtensionClient(path=args.socket)
if not client.open(args.timeout):
return
ext_manager = ExtensionManager()
# try connecting to the desired osquery core extension manager socket
try:
status = client.extension_manager_client().registerExtension(
info=InternalExtensionInfo(
name=name,
version=version,
sdk_version=sdk_version,
min_sdk_version=min_sdk_version,
),
registry=ext_manager.registry(),
)
except socket.error:
message = "Could not connect to %s" % args.socket
raise ExtensionException(
code=1,
message=message,
)
if status.code is not 0:
raise ExtensionException(
code=1,
message=status.message,
)
# Start a watchdog thread to monitor the osquery process.
rt = threading.Thread(target=start_watcher, args=(client, args.interval))
rt.daemon = True
rt.start()
# start a thrift server listening at the path dictated by the uuid returned
# by the osquery core extension manager
ext_manager.uuid = status.uuid
processor = Processor(ext_manager)
transport = transport = TSocket.TServerSocket(
unix_socket=args.socket + "." + str(status.uuid))
tfactory = TTransport.TBufferedTransportFactory()
pfactory = TBinaryProtocol.TBinaryProtocolFactory()
server = TServer.TSimpleServer(processor, transport, tfactory, pfactory)
server.serve()
def deregister_extension():
"""Deregister the entire extension from the core extension manager"""
args = parse_cli_params()
client = ExtensionClient(path=args.socket)
client.open()
ext_manager = ExtensionManager()
if ext_manager.uuid is None:
raise ExtensionException(
code=1,
message="Extension Manager does not have a valid UUID",
)
try:
status = client.extension_manager_client().deregisterExtension(
ext_manager.uuid)
except socket.error:
message = "Could not connect to %s" % args.socket
raise ExtensionException(
code=1,
message=message,
)
if status.code is not 0:
raise ExtensionException(code=1, message=status.message,)
def deregister_extension():
"""Deregister the entire extension from the core extension manager"""
args = parse_cli_params()
client = ExtensionClient(path=args.socket)
client.open()
ext_manager = ExtensionManager()
if ext_manager.uuid is None:
raise ExtensionException(
code=1,
message="Extension Manager does not have a valid UUID",
)
try:
status = client.extension_manager_client().deregisterExtension(
ext_manager.uuid)
except socket.error:
message = "Could not connect to %s" % args.socket
raise ExtensionException(
code=1,
message=message,
)
if status.code is not 0:
raise ExtensionException(code=1, message=status.message,)
def start_extension(name="<unknown>",
version="0.0.0",
sdk_version="1.8.0",
min_sdk_version="1.8.0"):
"""Start your extension by communicating with osquery core and starting
a thrift server.
Keyword arguments:
name -- the name of your extension
version -- the version of your extension
sdk_version -- the version of the osquery SDK used to build this extension
min_sdk_version -- the minimum version of the osquery SDK that you can use
"""
args = parse_cli_params()
client = ExtensionClient(path=args.socket)
client.open()
ext_manager = ExtensionManager()
# try connecting to the desired osquery core extension manager socket
try:
status = client.extension_manager_client().registerExtension(
info=InternalExtensionInfo(
name=name,
version=version,
sdk_version=sdk_version,
min_sdk_version=min_sdk_version,
),
registry=ext_manager.registry(),
)
except socket.error:
message = "Could not connect to %s" % args.socket
raise ExtensionException(
code=1,
message=message,
)
if status.code is not 0:
raise ExtensionException(
code=1,
message=status.message,
)
# start a thrift server listening at the path dictated by the uuid returned
# by the osquery core extension manager
ext_manager.uuid = status.uuid
processor = Processor(ext_manager)
transport = transport = TSocket.TServerSocket(unix_socket=args.socket +
"." + str(status.uuid))
tfactory = TTransport.TBufferedTransportFactory()
pfactory = TBinaryProtocol.TBinaryProtocolFactory()
server = TServer.TSimpleServer(processor, transport, tfactory, pfactory)
server.serve()
def start_extension(name="<unknown>", version="0.0.0", sdk_version="1.4.4",
min_sdk_version="1.4.4"):
"""Start your extension by communicating with osquery core and starting
a thrift server.
Keyword arguments:
name -- the name of your extension
version -- the version of your extension
sdk_version -- the version of the osquery SDK used to build this extension
min_sdk_version -- the minimum version of the osquery SDK that you can use
"""
args = parse_cli_params()
client = ExtensionClient(path=args.socket)
client.open()
ext_manager = ExtensionManager()
# try connecting to the desired osquery core extension manager socket
try:
status = client.extension_manager_client().registerExtension(
info=InternalExtensionInfo(
name=name,
version=version,
sdk_version=sdk_version,
min_sdk_version=min_sdk_version,
),
registry=ext_manager.registry(),
)
except socket.error:
message = "Could not connect to %s" % args.socket
raise ExtensionException(
code=1,
message=message,
)
if status.code is not 0:
raise ExtensionException(
code=1,
message=status.message,
)
# start a thrift server listening at the path dictated by the uuid returned
# by the osquery core extension manager
ext_manager.uuid = status.uuid
processor = Processor(ext_manager)
transport = transport = TSocket.TServerSocket(
unix_socket=args.socket + "." + str(status.uuid))
tfactory = TTransport.TBufferedTransportFactory()
pfactory = TBinaryProtocol.TBinaryProtocolFactory()
server = TServer.TSimpleServer(processor, transport, tfactory, pfactory)
server.serve()
class SpawnInstance(object):
"""Spawn a standalone osquery instance"""
"""The osquery process instance."""
instance = None
"""The extension client connection attached to the instance."""
connection = None
_socket = None
def __init__(self, path=None):
"""
Keyword arguments:
path -- the path to and osqueryd binary to spawn
"""
if path is None:
# Darwin is special and must have binaries installed in /usr/local.
if sys.platform == "darwin":
self.path = DARWIN_BINARY_PATH
else:
self.path = LINUX_BINARY_PATH
else:
self.path = path
self._socket = tempfile.mkstemp(prefix="pyosqsock")
self._pidfile = tempfile.mkstemp(prefix="pyosqpid")
with open(self._pidfile[1], "w") as fh:
fh.write("100000")
self._dbpath = tempfile.mkdtemp(prefix="pyoqsdb")
def __del__(self):
if self.connection is not None:
self.connection.close()
if self.instance is not None:
self.instance.kill()
shutil.rmtree(self._dbpath)
self.instance.wait()
def open(self, timeout=2, interval=0.01):
"""
Start the instance process and open an extension client
Keyword arguments:
timeout -- maximum number of seconds to wait for client
interval -- seconds between client open attempts
"""
proc = [
self.path,
"--extensions_socket",
self._socket[1],
"--database_path",
# This is a temporary directory, there is not FD tuple.
self._dbpath,
"--pidfile",
self._pidfile[1],
"--disable_watchdog",
"--disable_logging",
"--config_path",
"/dev/null",
]
self.instance = subprocess.Popen(proc,
stdin=subprocess.PIPE, stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
self.connection = ExtensionClient(path=self._socket[1])
if not self.is_running():
raise Exception("Cannot start process from path: %s" % (self.path))
# Attempt to open the extension client.
delay = 0
while delay < timeout:
try:
self.connection.open()
return
except:
time.sleep(interval)
delay += interval
self.instance.kill()
self.instance = None
raise Exception("Cannot open socket: %s" % (self._socket[1]))
def is_running(self):
"""Check if the instance has spawned."""
if self.instance is None:
return False
return self.instance.poll() is None
@property
def client(self):
"""The extension client."""
return self.connection.extension_manager_client()
class SpawnInstance(object):
"""Spawn a standalone osquery instance"""
"""The osquery process instance."""
instance = None
"""The extension client connection attached to the instance."""
connection = None
_socket = None
def __init__(self, path=None):
"""
Keyword arguments:
path -- the path to and osqueryd binary to spawn
"""
if path is None:
# Darwin is special and must have binaries installed in /usr/local.
if sys.platform == "darwin":
self.path = DARWIN_BINARY_PATH
elif sys.platform == WINDOWS_PLATFORM:
self.path = WINDOWS_BINARY_PATH
else:
self.path = LINUX_BINARY_PATH
else:
self.path = path
# Disable logging for the thrift module (can be loud).
logging.getLogger('thrift').addHandler(logging.NullHandler())
if sys.platform == WINDOWS_PLATFORM:
# Windows fails to spawn if the pidfile already exists
self._pidfile = (None, tempfile.gettempdir() + '\\pyosqpid-' +
str(random.randint(10000, 20000)))
pipeName = r'\\.\pipe\pyosqsock-' + str(
random.randint(10000, 20000))
self._socket = (None, pipeName)
else:
self._socket = tempfile.mkstemp(prefix="pyosqsock")
def __del__(self):
if self.connection is not None:
self.connection.close()
self.connection = None
if self.instance is not None:
self.instance.kill()
self.instance.wait()
self.instance = None
# On macOS and Linux mkstemp opens a descriptor.
if self._socket is not None and self._socket[0] is not None:
os.close(self._socket[0])
self._socket = None
def open(self, timeout=2, interval=0.01):
"""
Start the instance process and open an extension client
Keyword arguments:
timeout -- maximum number of seconds to wait for client
interval -- seconds between client open attempts
"""
proc = [
self.path,
"--extensions_socket",
self._socket[1],
"--disable_database",
"--disable_watchdog",
"--disable_logging",
"--ephemeral",
"--config_path",
"/dev/null",
]
self.instance = subprocess.Popen(
proc,
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
self.connection = ExtensionClient(path=self._socket[1])
if not self.is_running():
raise Exception("Cannot start process from path: %s" % (self.path))
# Attempt to open the extension client.
delay = 0
while delay < timeout:
try:
self.connection.open()
return
except Exception:
time.sleep(interval)
delay += interval
self.instance.kill()
self.instance = None
raise Exception("Cannot open connection: %s" % (self._socket[1]))
def is_running(self):
"""Check if the instance has spawned."""
if self.instance is None:
return False
return self.instance.poll() is None
@property
def client(self):
"""The extension client."""
return self.connection.extension_manager_client()
class SpawnInstance(object):
"""Spawn a standalone osquery instance"""
"""The osquery process instance."""
instance = None
"""The extension client connection attached to the instance."""
connection = None
_socket = None
def __init__(self, path=None):
"""
Keyword arguments:
path -- the path to and osqueryd binary to spawn
"""
if path is None:
# Darwin is special and must have binaries installed in /usr/local.
if sys.platform == "darwin":
self.path = DARWIN_BINARY_PATH
elif sys.platform == WINDOWS_PLATFORM:
self.path = WINDOWS_BINARY_PATH
else:
self.path = LINUX_BINARY_PATH
else:
self.path = path
self._socket = tempfile.mkstemp(prefix="pyosqsock")
# Disable logging for the thrift module (can be loud).
logging.getLogger('thrift').addHandler(logging.NullHandler())
if sys.platform == WINDOWS_PLATFORM:
# Windows fails to spawn if the pidfile already exists
self._pidfile = (None, tempfile.gettempdir() + '\\pyosqpid-' +
str(random.randint(10000, 20000)))
pipeName = r'\\.\pipe\pyosqsock-' + str(
random.randint(10000, 20000))
self._socket = (None, pipeName)
else:
self._socket = tempfile.mkstemp(prefix="pyosqsock")
def __del__(self):
if self.connection is not None:
self.connection.close()
if self.instance is not None:
self.instance.kill()
self.instance.wait()
def open(self, timeout=2, interval=0.01):
"""
Start the instance process and open an extension client
Keyword arguments:
timeout -- maximum number of seconds to wait for client
interval -- seconds between client open attempts
"""
proc = [
self.path,
"--extensions_socket",
self._socket[1],
"--disable_database",
"--disable_watchdog",
"--disable_logging",
"--ephemeral",
"--config_path",
"/dev/null",
]
self.instance = subprocess.Popen(
proc,
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
self.connection = ExtensionClient(path=self._socket[1])
if not self.is_running():
raise Exception("Cannot start process from path: %s" % (self.path))
# Attempt to open the extension client.
delay = 0
while delay < timeout:
try:
self.connection.open()
return
except Exception:
time.sleep(interval)
delay += interval
self.instance.kill()
self.instance = None
raise Exception("Cannot open connection: %s" % (self._socket[1]))
def is_running(self):
"""Check if the instance has spawned."""
if self.instance is None:
return False
return self.instance.poll() is None
@property
def client(self):
"""The extension client."""
return self.connection.extension_manager_client()
def start_extension(name="<unknown>",
version="0.0.0",
sdk_version="1.8.0",
min_sdk_version="1.8.0"):
"""Start your extension by communicating with osquery core and starting
a thrift server.
Keyword arguments:
name -- the name of your extension
version -- the version of your extension
sdk_version -- the version of the osquery SDK used to build this extension
min_sdk_version -- the minimum version of the osquery SDK that you can use
"""
args = parse_cli_params()
# Disable logging for the thrift module (can be loud).
logging.getLogger('thrift').addHandler(logging.NullHandler())
client = ExtensionClient(path=args.socket)
if not client.open(args.timeout):
if args.verbose:
message = "Could not open socket %s" % args.socket
raise ExtensionException(
code=1,
message=message,
)
return
ext_manager = ExtensionManager()
# try connecting to the desired osquery core extension manager socket
try:
status = client.extension_manager_client().registerExtension(
info=InternalExtensionInfo(
name=name,
version=version,
sdk_version=sdk_version,
min_sdk_version=min_sdk_version,
),
registry=ext_manager.registry(),
)
except socket.error:
message = "Could not connect to %s" % args.socket
raise ExtensionException(
code=1,
message=message,
)
if status.code is not 0:
raise ExtensionException(
code=1,
message=status.message,
)
# Start a watchdog thread to monitor the osquery process.
rt = threading.Thread(target=start_watcher, args=(client, args.interval))
rt.daemon = True
rt.start()
# start a thrift server listening at the path dictated by the uuid returned
# by the osquery core extension manager
ext_manager.uuid = status.uuid
processor = Processor(ext_manager)
transport = None
if sys.platform == 'win32':
transport = TPipeServer(pipe_name="{}.{}".format(args.socket, status.uuid))
else:
transport = TSocket.TServerSocket(
unix_socket=args.socket + "." + str(status.uuid))
tfactory = TTransport.TBufferedTransportFactory()
pfactory = TBinaryProtocol.TBinaryProtocolFactory()
server = TServer.TSimpleServer(processor, transport, tfactory, pfactory)
server.serve()
class SpawnInstance(object):
"""Spawn a standalone osquery instance"""
"""The osquery process instance."""
instance = None
"""The extension client connection attached to the instance."""
connection = None
_socket = None
def __init__(self, path=None):
"""
Keyword arguments:
path -- the path to and osqueryd binary to spawn
"""
if path is None:
# Darwin is special and must have binaries installed in /usr/local.
if sys.platform == "darwin":
self.path = DARWIN_BINARY_PATH
else:
self.path = LINUX_BINARY_PATH
else:
self.path = path
self._socket = tempfile.mkstemp(prefix="pyosqsock")
self._pidfile = tempfile.mkstemp(prefix="pyosqpid")
with open(self._pidfile[1], "w") as fh:
fh.write("100000")
self._dbpath = tempfile.mkdtemp(prefix="pyoqsdb")
def __del__(self):
if self.connection is not None:
self.connection.close()
if self.instance is not None:
self.instance.kill()
shutil.rmtree(self._dbpath)
self.instance.wait()
def open(self, timeout=2, interval=0.01):
"""
Start the instance process and open an extension client
Keyword arguments:
timeout -- maximum number of seconds to wait for client
interval -- seconds between client open attempts
"""
proc = [
self.path,
"--extensions_socket",
self._socket[1],
"--database_path",
# This is a temporary directory, there is not FD tuple.
self._dbpath,
"--pidfile",
self._pidfile[1],
"--disable_watchdog",
"--disable_logging",
"--config_path",
"/dev/null",
]
self.instance = subprocess.Popen(proc,
stdin=subprocess.PIPE, stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
self.connection = ExtensionClient(path=self._socket[1])
if not self.is_running():
raise Exception("Cannot start process from path: %s" % (self.path))
# Attempt to open the extension client.
delay = 0
while delay < timeout:
try:
self.connection.open()
return
except:
time.sleep(interval)
delay += interval
self.instance.kill()
self.instance = None
raise Exception("Cannot open socket: %s" % (self._socket[1]))
def is_running(self):
"""Check if the instance has spawned."""
if self.instance is None:
return False
return self.instance.poll() is None
@property
def client(self):
"""The extension client."""
return self.connection.extension_manager_client()