Comments (4)
If the extension fails to load, it should sleep instead of trying again. sleep can be added here:
osquery/osquery/extensions/impl_thrift.cpp
Line 268 in 612656b
from osquery.
I wouldn't put the sleep so deep; that's more a generic interface toward thrift.
That being said, there are two pieces at play here, the watcher/watchdog which attempts to start the extensions passed via `--extensions_autoload`, and the worker that waits some time for the extensions to be registered, if `extensions_require` is given.
The watcher starts the extensions and if they die, they get restarted immediately, or at least it attempts to, but limits itself and warns about the fact that the extension is being restarted too quickly.
The logic is here:
osquery/osquery/core/watcher.cpp
Line 390 in 612656b
Then you have the worker which waits for the extensions to be registered before proceeding with its own initialization internally, because if the extensions are providing some fundamental feature (like a config or logging plugin), then that will cause failures for sure in the worker.
This is handled here:
Line 655 in 612656b
But worker and watcher do not communicate in this.
Furthermore, I'm not sure that `extensions_require` was ever intended to have the osquery worker exit if it cannot register the extensions in time (or if the extensions themselves are not started in time).
You have to consider that extensions may be loaded manually and not be controlled by osquery.
If an extension is providing a fundamental feature, like a config or logger plugin which is enabled via flags, osquery will fail anyway to enable them, and will exit.
If the extensions provide tables, then simply osquery won't be able to query those and the rest of the functionality will work, which might be desirable, instead of not having access to osquery at all.
Some do still put `extensions_require` with extensions providing tables because they don't want to see a query returning with an error (once), due to the table not being found, if the extension doesn't really have an issue.
I would also consider this desire here: #8067
EDIT: Oh and the definition of "bad extension" I think needs to be clarified. When the watcher is launching a managed extension, it restarts it if it exits, but doesn't know why it exited.
It just treats it as the worker; it's an important process that the user asked to keep alive.
from osquery.
Yes, I agree that `--extensions_require` doesn't seem useful for table extensions. I wouldn't want to specify it every time for every extension.
I opened a PR to change warnings to errors when an extension could not be added: #8260
from osquery.
> Yes, I agree that `--extensions_require` doesn't seem useful for table extensions. I wouldn't want to specify it every time for every extension.

If the tables are used for decorators, one might want this on table extensions.
from osquery.