When scheduling osquery packs in runtime config, not getting callback #121

@User2798

Description

Issue - I created an osquery extension which includes a logger and a config plugin using osquery-go. Within this extension, I established a runtime config. When a scheduled query is triggered, it works fine. However, when Packs are utilized, it does not provide the expected callback.

Operating System - Windows 10
go version - go1.21.3

Code snippet

Flags:

--disable_extensions=false
--disable_events=false
--events_expiry=1
--events_optimize=true
--events_max=500000
--logger_plugin=testlogger
--config_plugin=testconfig
--extensions_timeout=600
--extensions_interval=5
--extensions_require=testextmgr
--database_path="C:\Program Files\Test\testosqueryd.db"
--extensions_socket="\\.\pipe\testosquery.em"

Below is my runtime config:

const configSchedule_processes string = `
{
    "schedule": {
        "processes": {
            "query": "SELECT * FROM processes;",
            "interval": 10
        }
    },
    "packs": {
        "windows-attacks": "C:\\Program Files\\osquery\\packs\\windows-attacks.conf"
    }
}
`

Below are my logger and config functions.

import (
    "context"
    "fmt"
    "github.com/osquery/osquery-go/plugin/logger"
)

var gCnt int // counts the log lines received from osquery

// LogString is the logger plugin callback: it prints each log line and counts it.
func LogString(ctx context.Context, typ logger.LogType, logText string) error {
    fmt.Println(logText)
    gCnt++
    return nil
}

// ConfigCallback is the config plugin callback: it returns the runtime config above under the "config" key.
func ConfigCallback(ctx context.Context) (map[string]string, error) {
    return map[string]string{
        "config": configSchedule_processes,
    }, nil
}

Output:
Only getting a callback for processes; not getting any callback for packs. For now I am trying with only one config, but in a real scenario we can use multiple files.

What does windows-attacks.conf contain?
Answer: this is a general pack found at https://github.com/osquery/osquery/tree/master/packs

A few other observations:
I am no expert in this. Learning osquery.
But,
https://osquery.readthedocs.io/en/stable/development/config-plugins/

in this doc it says osquery packs need to be achieved by implementing a virtual method in C++ (follow "Additional overloads" from the above link).

In osquery-go it seems that only genConfig is handled; genPack is not handled.

Can someone PLEASE help here?
Thanks in advance.
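An added example (not code from this issue or from osquery-go) of a workaround that does not depend on genPack support: osquery also accepts a pack's definition inline in the config instead of a file path, so the config plugin can read each pack file itself and embed its contents before returning the config. The names inlinePacks and readFile, and the sample config in main, are chosen here.

```go
package main
import (
	"encoding/json"
	"fmt"
	"os"
)

// inlinePacks replaces every pack given as a file path string in the config's
// "packs" object with that file's parsed JSON. osquery accepts pack definitions
// inline, so it never needs a genPack answer. readFile is injected for testing.
func inlinePacks(config []byte, readFile func(string) ([]byte, error)) ([]byte, error) {
	var top map[string]json.RawMessage
	if err := json.Unmarshal(config, &top); err != nil {
		return nil, fmt.Errorf("config is not valid JSON: %w", err)
	}
	if _, ok := top["packs"]; !ok {
		return config, nil // no packs section, nothing to inline
	}
	var packs map[string]json.RawMessage
	if err := json.Unmarshal(top["packs"], &packs); err != nil {
		return nil, fmt.Errorf("packs is not a JSON object: %w", err)
	}
	for name, val := range packs {
		var path string
		if json.Unmarshal(val, &path) != nil {
			continue // already an inline pack object; leave it as is
		}
		body, err := readFile(path)
		if err != nil {
			return nil, fmt.Errorf("pack %q: %w", name, err)
		}
		if !json.Valid(body) {
			return nil, fmt.Errorf("pack %q: %s is not valid JSON", name, path)
		}
		packs[name] = json.RawMessage(body) // embed the pack body in place of the path
	}
	merged, err := json.Marshal(packs)
	if err != nil {
		return nil, err
	}
	top["packs"] = merged
	return json.Marshal(top)
}

func main() {
	// Constructed sample; the real plugin would pass its configSchedule_processes string.
	sample := `{"packs":{"windows-attacks":"C:\\Program Files\\osquery\\packs\\windows-attacks.conf"}}`
	cfg, err := inlinePacks([]byte(sample), os.ReadFile)
	fmt.Println(string(cfg), err)
}
```

ConfigCallback would then return string(cfg) under the "config" key, with os.ReadFile as the reader.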
