UNPKG

osquery-extension-manager

Version:

Osquery extension manager

github.com/spasam/osquery-extension-manager/blob/master/README.md

spasam/osquery-extension-manager

64 lines (47 loc) 2.19 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
# Simple JavaScript extension manager for [Osquery](https://github.com/osquery/osquery) Custom tables can be implemented in JavaScript and added to Osquery using extension manager. Custom tables must extend `TablePlugin` class. Example: ```javascript const { TablePlugin } = require('osquery-extension-manager'); class SampleTablePlugin extends TablePlugin { constructor() { super('sample', {foo: 'TEXT', bar: 'INTEGER'}); } generate() { // Integers should also be returned as string return [ {foo: 'Hello', bar: '1'}, {foo: 'World', bar: '2'} ]; } } ``` `TablePlugin` constructor should be called with the unique table name and the column metadata map. Custom table should implement `generate` method which should return the table rows as array of map's. Any number of custom plugins can be implemented and added to extension manager using `addPlugins` method. `start` method can be used to start the extension manager: ```javascript const { addPlugins, start } = require('osquery-extension-manager'); addPlugins(new SampleTablePlugin()); start(); ``` If `socketPath` argument is not provided to `start` method, extension manager tries to communicate with `osqueryd` daemon UNIX domain socket at `/var/run/osquery.em`. If that does not exist, it falls back to using `.osquery/shell.em` in current users *HOME* directory. Osquery daemon or Osquery shell should should be started with `--nodisable_extensions` flag to enable extension support. ```bash $ osqueryi --nodisable_extensions osquery> ``` ```bash $ node examples/sample-table.js ``` ```bash osquery> select * from sample; +-------+-----+ | foo | bar | +-------+-----+ | Hello | 1 | | World | 2 | +-------+-----+ ``` In addition to custom tables, extension manager can also be used to communicate with Osquery. Once started, it can list extensions (`listExtensions`), get flags (`getFlags`), query tables (`query`) or get column metadata for a query (`getQueryColumns`). ## Examples * [Simple table](examples/sample-table.js) that always returns two rows * [AWS EC2 tables](examples/aws-ec2-tables.js) that exposes EC2 instances, subnets, volumes, VPCs as Osquery tables