4/7/2023

Osquery extensions

Today, we are releasing access to our maintained repository of osquery extensions. Our first extension takes advantage of the Duo Labs EFIgy API to determine if the EFI firmware on your Mac fleet is up to date.

There are very few examples of publicly released osquery extensions, and very little documentation exists on the topic. This post aims to help future developers navigate the process of writing an extension for osquery. The rest of this post describes how we implemented the EFIgy extension for osquery.

About EFIgy

At this year's Ekoparty, Duo Labs presented the results of its research on the state of support and security in EFI firmware. These software components are really interesting for attackers: they operate on a privilege level that is out of reach even of operating systems and hypervisors.

Duo Labs gathered and analyzed all the publicly released Apple updates from the last three years and verified the information by looking at more than 73,000 Macs across different organizations. The researchers found that many of these computers were running on outdated firmware, even though the required EFI updates were supposed to be bundled in the same operating system patches that the hosts had installed correctly.

Duo Labs followed this finding by creating the EFIgy service, a REST endpoint that can access the latest OS and EFI versions for any known Apple product through the use of details such as logic board id and product name.

Programmatically querying EFIgy

EFIgy expects a JSON object containing the details for the system we wish to query. The JSON request doesn't require many keys; it boils down to the hardware model and software versions.

When developing an extension you will have access to some of the libraries in osquery, such as Boost, but not to some other utilities (e.g. …). There is no list of recommended steps to take when developing an extension, but if you plan on writing more than one, I recommend you bundle your utility functions in headers that can then be easily imported and reused. Keeping all external libraries statically linked is also a good idea, as it will make redistribution easier.

Without anywhere to submit our new feature, we created a new repository for our extensions. The EFIgy extension is the first item available. However, you will have to clone the full source code of osquery first, since the SDK is not part of the distributable package. You only have to create a symbolic link to the source folders you want to compile inside the osquery/external folder, taking care to name the link extension_ followed by the extension name (for EFIgy, extension_efigy):

ln -s efigy /src/osquery/external/extension_efigy

You can then follow the usual build process for your platform, as the default ALL target will also build all extensions.

Extensions are easy to use. You can test them (both with the shell and the daemon) by specifying their path with the --extension parameter. Since they are normal executables, you can also start them after osquery; they will automatically connect via Thrift and expose the new functions. The official documentation explains the process very well. To quickly test the extension, you can either start it from the osqueryi shell, or launch it manually and wait for it to connect to the running osquery instance:

osqueryi --extension /path/to/extension

Take action

If you have a Mac fleet, you can now monitor it with osquery and the EFIgy extension, and ensure all your endpoints have received the required software and firmware updates. If you're reading this post some time in the future, you have even more reason to visit our osquery extension repository. We'll keep it maintained and add to it over time.

Do you have an idea for an osquery extension? Please file an issue on our Github repo for it. Do you need osquery development? Contact us.

Palantir osquery Configuration

About This Repository

This repository is the companion to the osquery Across the Enterprise blog post. The goal of this project is to provide a baseline template for any organization considering a deployment of osquery in a production environment. Our belief is that queries which are likely to have a high level of utility for a large percentage of users should be committed directly to the osquery project, which is exactly what we have done with our unwanted-chrome-extensions query pack and additions to the windows-attacks pack. However, we have included additional query packs
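The osquery extensions post above describes building a table extension in C++ against the osquery SDK and loading it with the --extension flag. The following is an added example, not code from the Trail of Bits EFIgy extension or from the osquery project: it shows the same shape of extension (a new table that reports whether each Mac's EFI firmware and OS are at the latest known version) using the osquery Python SDK instead of the C++ one. The SDK calls (osquery.TablePlugin, osquery.TableColumn, register_plugin, start_extension) are the real Python SDK API; the EXPECTED_VERSIONS lookup, the table name efi_status, the column names and every version string are constructed stand-ins, not EFIgy's real request or response format, which the post does not reproduce.

```python
"""Added example (not the Trail of Bits efigy extension): a minimal osquery
table extension in Python that flags hosts whose EFI firmware or OS is not at
the latest version known for their model.

Assumptions: the `osquery` PyPI package is only needed to run this file as an
extension; the comparison logic below runs without it. EXPECTED_VERSIONS is a
constructed stand-in for an EFIgy-style lookup keyed by product name and
logic board id (the two identifiers the post says EFIgy resolves models by).
None of the version strings are real Apple firmware or OS versions.
"""
try:
    import osquery  # real SDK; optional so the pure logic is testable offline
except ImportError:
    osquery = None

# Constructed sample lookup: (product_name, board_id) -> latest known versions.
EXPECTED_VERSIONS = {
    ("MacBookPro-Sample", "Mac-SAMPLE01"): {"efi": "SAMPLE.0200.B00", "os": "10.13.1"},
    ("MacPro-Sample", "Mac-SAMPLE02"): {"efi": "SAMPLE.0110.B05", "os": "10.13.1"},
}

COLUMNS = [
    "product_name", "board_id", "efi_version", "latest_efi_version",
    "efi_up_to_date", "os_version", "latest_os_version", "os_up_to_date",
]


def os_tuple(version):
    """Turn '10.13.1' into (10, 13, 1) so OS versions compare numerically."""
    return tuple(int(p) for p in version.split("."))


def firmware_status(host, expected=EXPECTED_VERSIONS):
    """Build one osquery row for a host dict with product_name, board_id,
    efi_version and os_version. osquery rows carry strings only, so booleans
    are rendered as "1"/"0"; an unknown model yields "unknown" rather than a
    false "up to date"."""
    row = {c: "" for c in COLUMNS}
    row.update({k: host[k] for k in ("product_name", "board_id", "efi_version", "os_version")})
    row["efi_up_to_date"] = row["os_up_to_date"] = "unknown"
    latest = expected.get((host["product_name"], host["board_id"]))
    if latest is None:
        return row
    row["latest_efi_version"] = latest["efi"]
    row["latest_os_version"] = latest["os"]
    # Firmware builds are not reliably orderable as strings, so "current"
    # means exactly the latest published build; OS versions are numeric.
    row["efi_up_to_date"] = "1" if host["efi_version"] == latest["efi"] else "0"
    row["os_up_to_date"] = "1" if os_tuple(host["os_version"]) >= os_tuple(latest["os"]) else "0"
    return row


def generate_rows(hosts, expected=EXPECTED_VERSIONS):
    """Rows for a whole inventory; this is what the table's generate() returns."""
    return [firmware_status(h, expected) for h in hosts]


def outdated_hosts(hosts, expected=EXPECTED_VERSIONS):
    """Product names of hosts whose EFI firmware is known to be behind."""
    return [r["product_name"] for r in generate_rows(hosts, expected) if r["efi_up_to_date"] == "0"]


# Constructed inventory; a real extension would read the local machine's
# model, board id and firmware version instead of a hard-coded list.
SAMPLE_HOSTS = [
    {"product_name": "MacBookPro-Sample", "board_id": "Mac-SAMPLE01",
     "efi_version": "SAMPLE.0200.B00", "os_version": "10.13.1"},
    {"product_name": "MacPro-Sample", "board_id": "Mac-SAMPLE02",
     "efi_version": "SAMPLE.0100.B01", "os_version": "10.12.6"},
    {"product_name": "Unknown-Sample", "board_id": "Mac-NOTINDB",
     "efi_version": "SAMPLE.0001.B00", "os_version": "10.13.1"},
]

if osquery is not None:
    @osquery.register_plugin
    class EfiStatusTable(osquery.TablePlugin):
        """Exposes the rows above as a table named efi_status (assumed name)."""

        def name(self):
            return "efi_status"

        def columns(self):
            return [osquery.TableColumn(name=c, type=osquery.STRING) for c in COLUMNS]

        def generate(self, context):
            return generate_rows(SAMPLE_HOSTS)


if __name__ == "__main__":
    if osquery is not None:
        # Connects over Thrift to the running osquery instance, as the post describes.
        osquery.start_extension(name="efi_status_example", version="0.1.0")
    else:
        for row in generate_rows(SAMPLE_HOSTS):
            print(row)
```

With the SDK installed, make the file executable and load it the way the post shows (osqueryi --extension ./efi_status.py), then SELECT * FROM efi_status. The "unknown" state is deliberate: a model the lookup service has never seen should surface as a gap to investigate, not be silently counted as patched.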