def start_extension(name="<unknown>", version="0.0.0", sdk_version="1.8.0",
min_sdk_version="1.8.0"):
"""Start your extension by communicating with osquery core and starting
a thrift server.
Keyword arguments:
name -- the name of your extension
version -- the version of your extension
sdk_version -- the version of the osquery SDK used to build this extension
min_sdk_version -- the minimum version of the osquery SDK that you can use
"""
args = parse_cli_params()
# Disable logging for the thrift module (can be loud).
logging.getLogger('thrift').addHandler(logging.NullHandler())
client = ExtensionClient(path=args.socket)
if not client.open(args.timeout):
return
ext_manager = ExtensionManager()
# try connecting to the desired osquery core extension manager socket
try:
status = client.extension_manager_client().registerExtension(
info=InternalExtensionInfo(
name=name,
version=version,
sdk_version=sdk_version,
min_sdk_version=min_sdk_version,
),
registry=ext_manager.registry(),
)
except socket.error:
message = "Could not connect to %s" % args.socket
raise ExtensionException(
code=1,
message=message,
)
if status.code is not 0:
raise ExtensionException(
code=1,
message=status.message,
)
# Start a watchdog thread to monitor the osquery process.
rt = threading.Thread(target=start_watcher, args=(client, args.interval))
rt.daemon = True
rt.start()
# start a thrift server listening at the path dictated by the uuid returned
# by the osquery core extension manager
ext_manager.uuid = status.uuid
processor = Processor(ext_manager)
transport = transport = TSocket.TServerSocket(
unix_socket=args.socket + "." + str(status.uuid))
tfactory = TTransport.TBufferedTransportFactory()
pfactory = TBinaryProtocol.TBinaryProtocolFactory()
server = TServer.TSimpleServer(processor, transport, tfactory, pfactory)
server.serve()
def register_plugin(plugin):
"""Decorator wrapper used for registering a plugin class
To register your plugin, add this decorator to your plugin's implementation
class:
@osquery.register_plugin
class MyTablePlugin(osquery.TablePlugin):
"""
ext_manager = ExtensionManager()
ext_manager.add_plugin(plugin)
def register_plugin(plugin):
"""Decorator wrapper used for registering a plugin class
To register your plugin, add this decorator to your plugin's implementation
class:
@osquery.register_plugin
class MyTablePlugin(osquery.TablePlugin):
"""
ext_manager = ExtensionManager()
ext_manager.add_plugin(plugin)
def start_extension(name="<unknown>",
version="0.0.0",
sdk_version="1.8.0",
min_sdk_version="1.8.0"):
"""Start your extension by communicating with osquery core and starting
a thrift server.
Keyword arguments:
name -- the name of your extension
version -- the version of your extension
sdk_version -- the version of the osquery SDK used to build this extension
min_sdk_version -- the minimum version of the osquery SDK that you can use
"""
args = parse_cli_params()
client = ExtensionClient(path=args.socket)
client.open()
ext_manager = ExtensionManager()
# try connecting to the desired osquery core extension manager socket
try:
status = client.extension_manager_client().registerExtension(
info=InternalExtensionInfo(
name=name,
version=version,
sdk_version=sdk_version,
min_sdk_version=min_sdk_version,
),
registry=ext_manager.registry(),
)
except socket.error:
message = "Could not connect to %s" % args.socket
raise ExtensionException(
code=1,
message=message,
)
if status.code is not 0:
raise ExtensionException(
code=1,
message=status.message,
)
# start a thrift server listening at the path dictated by the uuid returned
# by the osquery core extension manager
ext_manager.uuid = status.uuid
processor = Processor(ext_manager)
transport = transport = TSocket.TServerSocket(unix_socket=args.socket +
"." + str(status.uuid))
tfactory = TTransport.TBufferedTransportFactory()
pfactory = TBinaryProtocol.TBinaryProtocolFactory()
server = TServer.TSimpleServer(processor, transport, tfactory, pfactory)
server.serve()
def start_extension(name="<unknown>", version="0.0.0", sdk_version="1.4.4",
min_sdk_version="1.4.4"):
"""Start your extension by communicating with osquery core and starting
a thrift server.
Keyword arguments:
name -- the name of your extension
version -- the version of your extension
sdk_version -- the version of the osquery SDK used to build this extension
min_sdk_version -- the minimum version of the osquery SDK that you can use
"""
args = parse_cli_params()
client = ExtensionClient(path=args.socket)
client.open()
ext_manager = ExtensionManager()
# try connecting to the desired osquery core extension manager socket
try:
status = client.extension_manager_client().registerExtension(
info=InternalExtensionInfo(
name=name,
version=version,
sdk_version=sdk_version,
min_sdk_version=min_sdk_version,
),
registry=ext_manager.registry(),
)
except socket.error:
message = "Could not connect to %s" % args.socket
raise ExtensionException(
code=1,
message=message,
)
if status.code is not 0:
raise ExtensionException(
code=1,
message=status.message,
)
# start a thrift server listening at the path dictated by the uuid returned
# by the osquery core extension manager
ext_manager.uuid = status.uuid
processor = Processor(ext_manager)
transport = transport = TSocket.TServerSocket(
unix_socket=args.socket + "." + str(status.uuid))
tfactory = TTransport.TBufferedTransportFactory()
pfactory = TBinaryProtocol.TBinaryProtocolFactory()
server = TServer.TSimpleServer(processor, transport, tfactory, pfactory)
server.serve()
def deregister_extension():
"""Deregister the entire extension from the core extension manager"""
args = parse_cli_params()
client = ExtensionClient(path=args.socket)
client.open()
ext_manager = ExtensionManager()
if ext_manager.uuid is None:
raise ExtensionException(
code=1,
message="Extension Manager does not have a valid UUID",
)
try:
status = client.extension_manager_client().deregisterExtension(
ext_manager.uuid)
except socket.error:
message = "Could not connect to %s" % args.socket
raise ExtensionException(
code=1,
message=message,
)
if status.code is not 0:
raise ExtensionException(code=1, message=status.message,)
def start_extension(name="<unknown>",
version="0.0.0",
sdk_version="1.8.0",
min_sdk_version="1.8.0"):
"""Start your extension by communicating with osquery core and starting
a thrift server.
Keyword arguments:
name -- the name of your extension
version -- the version of your extension
sdk_version -- the version of the osquery SDK used to build this extension
min_sdk_version -- the minimum version of the osquery SDK that you can use
"""
args = parse_cli_params()
# Disable logging for the thrift module (can be loud).
logging.getLogger('thrift').addHandler(logging.NullHandler())
client = ExtensionClient(path=args.socket)
if not client.open(args.timeout):
if args.verbose:
message = "Could not open socket %s" % args.socket
raise ExtensionException(
code=1,
message=message,
)
return
ext_manager = ExtensionManager()
# try connecting to the desired osquery core extension manager socket
try:
status = client.extension_manager_client().registerExtension(
info=InternalExtensionInfo(
name=name,
version=version,
sdk_version=sdk_version,
min_sdk_version=min_sdk_version,
),
registry=ext_manager.registry(),
)
except socket.error:
message = "Could not connect to %s" % args.socket
raise ExtensionException(
code=1,
message=message,
)
if status.code is not 0:
raise ExtensionException(
code=1,
message=status.message,
)
# Start a watchdog thread to monitor the osquery process.
rt = threading.Thread(target=start_watcher, args=(client, args.interval))
rt.daemon = True
rt.start()
# start a thrift server listening at the path dictated by the uuid returned
# by the osquery core extension manager
ext_manager.uuid = status.uuid
processor = Processor(ext_manager)
transport = None
if sys.platform == 'win32':
transport = TPipeServer(pipe_name="{}.{}".format(args.socket, status.uuid))
else:
transport = TSocket.TServerSocket(
unix_socket=args.socket + "." + str(status.uuid))
tfactory = TTransport.TBufferedTransportFactory()
pfactory = TBinaryProtocol.TBinaryProtocolFactory()
server = TServer.TSimpleServer(processor, transport, tfactory, pfactory)
server.serve()
