#extensions

groob

10/09/2020, 12:19 PM
@alessandrogario Do you know how well writable tables are supported outside of the C++ SDK? My impression was that it wasn't possible, but I haven't been very active in the last year.

alessandrogario

10/09/2020, 12:21 PM
It is implemented through the registry, I was expecting it to be compatible; do you happen to know what could be wrong with it?

groob

10/09/2020, 12:27 PM
Compatible via thrift?
It could be that we just need to update osquery-go

alessandrogario

10/09/2020, 12:27 PM
yeah there are a couple of new actions implemented

groob

10/09/2020, 12:28 PM
Oh nice

alessandrogario

10/09/2020, 12:28 PM
but if it doesn't work we should fix it
i haven't tried with the py sdk either
it only supports update and delete, alter table is not implemented

groob

10/09/2020, 12:36 PM
“it” meaning python sdk?

alessandrogario

10/09/2020, 12:37 PM
sorry i meant the protocol
if you need alter table we can implement it

groob

10/09/2020, 12:38 PM
INSERT would work though, or are they related?

alessandrogario

10/09/2020, 12:40 PM
yes insert delete and update should work
i think insert was similar to update
it's been a while since i looked at that code

grahamgilbert

10/09/2020, 1:18 PM
Insert, delete and update work until you pass in some constraints (obviously not a problem on insert)
As soon as constraints get added in, the action the extension receives is generate rather than the correct action

groob

10/09/2020, 4:28 PM
that looks pretty comprehensive
what’s an example query you’re using?

grahamgilbert

10/09/2020, 4:54 PM
Just basic inserts and deletes right now. As soon as WHERE gets into the mix we are back to generate

groob

10/09/2020, 5:05 PM
can you log what the full plugin request is when you have the WHERE?
spew.Dump(request) would be useful to see 😃

grahamgilbert

10/09/2020, 5:32 PM
Okay, can later this afternoon. Pumpkin patch right now
osquery> DELETE from example_table;
(osquery.ExtensionPluginRequest) (len=2) {
 (string) (len=6) "action": (string) (len=8) "generate",
 (string) (len=7) "context": (string) (len=241) "{\"constraints\":[{\"name\":\"big_int\",\"list\":[],\"affinity\":\"BIGINT\"},{\"name\":\"double\",\"list\":[],\"affinity\":\"DOUBLE\"},{\"name\":\"integer\",\"list\":[],\"affinity\":\"INTEGER\"},{\"name\":\"text\",\"list\":[],\"affinity\":\"TEXT\"}],\"colsUsed\":[],\"colsUsedBitset\":0}"
}
(osquery.ExtensionPluginRequest) (len=3) {
 (string) (len=6) "action": (string) (len=6) "delete",
 (string) (len=7) "context": (string) (len=18) "{\"constraints\":[]}",
 (string) (len=2) "id": (string) (len=1) "0"
}
DLETEEEE
{map[]}
DELETING
osquery> DELETE from example_table where text="wee";
(osquery.ExtensionPluginRequest) (len=2) {
 (string) (len=6) "action": (string) (len=8) "generate",
 (string) (len=7) "context": (string) (len=268) "{\"constraints\":[{\"name\":\"big_int\",\"list\":[],\"affinity\":\"BIGINT\"},{\"name\":\"double\",\"list\":[],\"affinity\":\"DOUBLE\"},{\"name\":\"integer\",\"list\":[],\"affinity\":\"INTEGER\"},{\"name\":\"text\",\"list\":[{\"op\":2,\"expr\":\"wee\"}],\"affinity\":\"TEXT\"}],\"colsUsed\":[\"text\"],\"colsUsedBitset\":1}"
}
osquery>
@groob ^^

groob

10/09/2020, 10:42 PM
@zwass thoughts if this is an osquery bug?

alessandrogario

10/09/2020, 10:48 PM
it does look like a bug
I know it used to work

zwass

10/09/2020, 11:03 PM
I've never looked through the writeable tables implementation so I'd lean towards Alessandro's interpretation.
Is there a chance that the query planner essentially does a SELECT as part of the DELETE process?

grahamgilbert

10/10/2020, 1:10 AM
Is there anything else I can provide to help here?

alessandrogario

10/13/2020, 5:54 PM
👍 1
I am looking at the writable tables, using the sample extension
Could you help me reproduce it with the right queries?

grahamgilbert

11/05/2020, 8:02 PM
Will do next week. PTO until Tuesday
👍 1