Documentation
¶
Overview ¶
Package distributed creates an osquery distributed query plugin.
Index ¶
- type GetQueriesFunc
- type GetQueriesResult
- type OsqueryInt
- type Plugin
- func (t *Plugin) Call(ctx context.Context, request osquery.ExtensionPluginRequest) osquery.ExtensionResponse
- func (t *Plugin) Name() string
- func (t *Plugin) Ping() osquery.ExtensionStatus
- func (t *Plugin) RegistryName() string
- func (t *Plugin) Routes() osquery.ExtensionPluginResponse
- func (t *Plugin) Shutdown()
- type Result
- type ResultsStruct
- type WriteResultsFunc
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type GetQueriesFunc ¶
type GetQueriesFunc func(ctx context.Context) (*GetQueriesResult, error)
GetQueriesFunc returns the queries that should be executed. The returned map should include the query name as the keys, and the query text as values. Results will be returned corresponding to the provided name. The context argument can optionally be used for cancellation in long-running operations.
type GetQueriesResult ¶
type GetQueriesResult struct {
// Queries is a map from query name to query SQL
Queries map[string]string `json:"queries"`
// Discovery is used for "discovery" queries in the distributed
// system. When used, discovery queries should be specified with query
// name as the key and the discover query SQL as the value. If this is
// nonempty, only queries for which the associated discovery query
// returns results will be run in osquery.
Discovery map[string]string `json:"discovery,omitempty"`
// AccelerateSeconds can be specified to have "accelerated" checkins
// for a given number of seconds after this checkin. Currently this
// means that checkins will occur every 5 seconds.
AccelerateSeconds int `json:"accelerate,omitempty"`
}
GetQueriesResult contains the information about which queries the distributed system should run.
type OsqueryInt ¶
type OsqueryInt int
OsqueryInt handles unmarshaling integers in noncanonical osquery json.
func (*OsqueryInt) UnmarshalJSON ¶
func (oi *OsqueryInt) UnmarshalJSON(buff []byte) error
UnmarshalJSON marshals a json string that is convertable to an int, for example "234" -> 234.
type Plugin ¶
type Plugin struct {
// contains filtered or unexported fields
}
Plugin is an osquery configuration plugin. Plugin implements the OsqueryPlugin interface.
func NewPlugin ¶
func NewPlugin(name string, getQueries GetQueriesFunc, writeResults WriteResultsFunc) *Plugin
NewPlugin takes the distributed query functions and returns a struct implementing the OsqueryPlugin interface. Use this to wrap the appropriate functions into an osquery plugin.
func (*Plugin) Call ¶
func (t *Plugin) Call(ctx context.Context, request osquery.ExtensionPluginRequest) osquery.ExtensionResponse
func (*Plugin) Ping ¶
func (t *Plugin) Ping() osquery.ExtensionStatus
func (*Plugin) RegistryName ¶
func (*Plugin) Routes ¶
func (t *Plugin) Routes() osquery.ExtensionPluginResponse
type Result ¶
type Result struct {
// QueryName is the name that was originally provided for the query.
QueryName string `json:"query_name"`
// Status is an integer status code for the query execution (0 = OK)
Status int `json:"status"`
// Rows is the result rows of the query.
Rows []map[string]string `json:"rows"`
}
Result contains the status and results for a distributed query.
type ResultsStruct ¶
type ResultsStruct struct {
Queries map[string][]map[string]string `json:"queries"`
Statuses map[string]OsqueryInt `json:"statuses"`
}
ResultsStruct is used for unmarshalling the results passed from osquery.
func (*ResultsStruct) UnmarshalJSON ¶
func (rs *ResultsStruct) UnmarshalJSON(buff []byte) error
UnmarshalJSON turns structurally inconsistent osquery json into a ResultsStruct.
Source Files