  • Abhijit

    1 year ago
    Hi, wanted to use osquery in C++ to get the basic details like OS version, firewall status, etc. Was trying to experiment with Thrift IPC but not sure what's the way forward. Any sample for the same will help.
  • Mike Myers

    1 year ago
    Yes. To use it, you run it as a daemon and write an extension — or, you can run it interactively as a subprocess. If you're writing an extension it doesn't need to be C++ necessarily, other languages are supported.
  • We've written some extensions here https://github.com/trailofbits/osquery-extensions There is also the #extensions channel in this Slack, and the sample extension in the core repo
  • You probably saw this part of the documentation https://osquery.readthedocs.io/en/latest/development/osquery-sdk/
  • Abhijit

    1 year ago
    Thank you, Mike. I was confused by the Extension docs. I thought an Extension is written to extend the functionality of osquery, which is not my requirement. I just wanted to use the existing. I don't want to use osqueryi, and C++ is a requirement. So just to confirm, are Extensions the way to use the osquery SDK?
  • Mike Myers

    1 year ago
    Yea, osquery doesn't build to be included or compiled as a library callable within your process
  • Abhijit

    1 year ago
    Oh... that's clear now. Thank you Mike very much. The trailofbits samples you pointed to are amazing. It seems they are extending osquery's functionality. Any simple C++ extension which just queries the existing tables of osquery, like OS version, will help. I don't want to extend anything. Any pointers to such samples?
  • Mike Myers

    1 year ago
    Ah, well the extension doesn't have to register any new tables I guess, but I'm not sure how to just ask osquery for things over Thrift. I haven't seen an example of what you're asking, but maybe in #extensions someone could help
  • Abhijit

    1 year ago
    Thank you, Mike.
  • seph

    1 year ago
    The Go SDK supports that and launcher uses it for a couple of things
  • Abhijit

    1 year ago
    Okay. Thank you!
  • seph

    1 year ago
    By implication… Anything using Thrift supports that. Though it may or may not be easily exposed or documented