Load custom osquery extension with wazuh's wodle


Gilad Reich

Feb 1, 2023, 3:46:31 AM
to Wazuh mailing list
I developed a custom Osquery extension that I would like Wazuh to know about and load it when it starts the Osquery process.

Following the Wazuh docs regarding the possible options one can configure for the wodle, I don't see any option for passing additional arguments to Osquery: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/wodle-osquery.html

Also in code, I understand we only pass it the configurations file using the `--config_path=` flag: https://github.com/wazuh/wazuh/blob/v4.3.10/src/wazuh_modules/wm_osquery_monitor.c#L280-L306

After finding this limitation, I tried to approach this another way by making my extension load via the `osquery.conf` file in the `options` section (considering Wazuh is already making Osquery load it): https://osquery.readthedocs.io/en/stable/deployment/configuration/#options

However, running `osqueryd --help` I see that all of the `extensions_*` options are CLI options that don't work when set in the `osquery.conf` file. This is because there are two sections for possible flags:
- `osquery command line flags`
- `osquery configuration options (set by config or CLI flags)`

And it appears that there are no configuration options to specify a custom extension path to be loaded.

Considering Wazuh is running Osquery as a managed child process, could anyone suggest a possible alternative for loading an Osquery extension, please?
As a possible feature, I think it may be useful to add configuration to the Osquery wodle in Wazuh to pass additional arguments to the Osquery process. That would also make it much simpler from a design point of view instead of hardcoding each additional argument, as was done for `config_path`. That way administrators can just pass additional arguments to Osquery, even new ones that may be added in future Osquery versions.
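The split between the two `osqueryd --help` sections is what makes the misconfiguration above easy to miss. The following added example (not code from the poster, Wazuh or osquery) parses the two sections of the help text and then lints an `osquery.conf` `options` block for keys that only take effect on the command line; the help excerpt and the config are constructed samples, and the flag list is abbreviated.

```python
import json
import re

# Constructed excerpt modelled on `osqueryd --help` output: the two section
# titles are the real ones, the flag list is abbreviated (assumption).
SAMPLE_HELP = """\
osquery command line flags:

  --config_path VALUE              Path to JSON config file
  --extensions_autoload VALUE      Path to list of autoloaded extensions
  --extensions_require VALUE       Comma-separated required extensions
  --extensions_socket VALUE        Path to the extensions UNIX socket

osquery configuration options (set by config or CLI flags):

  --disable_events                 Disable osquery publish/subscribe system
  --schedule_splay_percent VALUE   Percent to splay config times
"""

SECTION_RE = re.compile(r"^osquery (command line flags|configuration options)")
FLAG_RE = re.compile(r"^\s+--(\w+)")


def parse_help_sections(help_text):
    """Return {"cli": set, "config": set} of flag names from --help text."""
    sections = {"cli": set(), "config": set()}
    current = None
    for line in help_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = "cli" if m.group(1) == "command line flags" else "config"
            continue
        m = FLAG_RE.match(line)
        if m and current:
            sections[current].add(m.group(1))
    return sections


def lint_osquery_conf(conf_text, help_text=SAMPLE_HELP):
    """List "options" keys that osqueryd only honours on the command line."""
    cli_only = parse_help_sections(help_text)["cli"]
    options = json.loads(conf_text).get("options", {})
    return sorted(k for k in options if k in cli_only)


# Constructed osquery.conf reproducing the mistake: an extensions_* key under
# "options", where it is a CLI-only flag and is not honoured.
SAMPLE_CONF = """{
  "options": {"extensions_autoload": "/etc/osquery/extensions.load",
              "schedule_splay_percent": 10},
  "schedule": {}
}"""

if __name__ == "__main__":
    for key in lint_osquery_conf(SAMPLE_CONF):
        print(f"'{key}' is CLI-only and is ignored inside osquery.conf options")
```

Feeding real `osqueryd --help` output into `lint_osquery_conf` instead of the sample gives a quick check of whether a given key belongs in the config file or must reach the process some other way.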