Initial osquery experiment. Not done yet

plugins/default/sensors/osquery/README.md

@@ -0,0 +1,3 @@
+# OSQuery
+
+Standalone OSQuery experiment.

plugins/default/sensors/osquery/bastion.py

@@ -0,0 +1,43 @@
+#!/usr/bin/env python3
+
+""" The remote bastion for the sensor. Used to control the osquery on the target. Opens a web command shell.
+This is not meant to be secure and MUST NOT be used in a productive environment. As we use this in a hacking lab this
+is reasonable.
+
+Test with curl:
+
+curl -X POST -F 'command=test' localhost:6666/osquery
+
+(select timestamp from time)
+"""
+
+from flask import Flask, jsonify, request
+import osquery
+
+
+# TODO: Create a proper tool out of it
+# TODO: Start osqueryi with proper parameters
+# TODO: On the controller side: Find a collection of queries to get the system state
+
+# TODO: Interesting tables: appcompat_shims, authenticode, autoexec, certificates, etc_hosts, logged_in_users
+
+app = Flask(__name__)
+osquery_instance = osquery.ExtensionClient('/home/vagrant/test.sock')
+osquery_instance.open()
+
+
+@app.route("/osquery", methods=['POST'])
+def api():
+    data = {}
+    if request.method == 'POST':
+        command = request.form["command"]
+        data = {"command": command}
+        client = osquery_instance.extension_client()
+        data["result"] = client.query(command).response
+    return jsonify(data)
+
+
+if __name__ == "__main__":
+    # Important: This is to be run on target hosts only. Those are hacked anyway.
+    # Very bad security practice to use it in real world.
+    app.run(host='0.0.0.0', port=6666)  # nosec

plugins/default/sensors/osquery/osquery_plugin.py

@@ -0,0 +1,72 @@
+#!/usr/bin/env python3
+
+# A plugin to experiment with Linux osquery
+
+# https://github.com/osquery/osquery-python
+
+from plugins.base.sensor import SensorPlugin
+# import os
+# from jinja2 import Environment, FileSystemLoader, select_autoescape
+
+
+class LinuxOSQueryPlugin(SensorPlugin):
+    # Boilerplate
+    name = "osquery"
+    description = "Linux osquery plugin"  # Can later be extended to support other OS-es as well
+
+    required_files = []
+
+    def __init__(self):
+        super().__init__()
+        self.plugin_path = __file__
+
+        self.debugit = False
+
+    def process_templates(self):
+        """ process jinja2 templates of the config files and insert own config """
+
+        pass
+
+    def prime(self):
+        """ Hard-core install. Requires a reboot """
+
+        # pg = self.get_playground()
+
+        self.vprint("Installing Linux OSQuery", 3)
+
+        self.run_cmd('echo "deb [arch=amd64] https://pkg.osquery.io/deb deb main" | sudo tee /etc/apt/sources.list.d/osquery.list')
+        self.run_cmd("sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B")
+        self.run_cmd("sudo apt update")
+        self.run_cmd("sudo apt -y install osquery")
+        self.run_cmd("")
+        # sudo apt -y install python3-pip
+        # pip install osquery
+
+        return False
+
+    def install(self):
+        """ Installs the filebeat sensor """
+
+        return
+
+    def start(self):
+        self.run_cmd("osqueryi --ephemeral --disable_logging --disable_database --extensions_socket /home/vagrant/test.sock")  # TODO: Find better socket name
+
+        """
+        ec = osquery.ExtensionClient("/home/vagrant/test.sock")
+        ec.open()
+        c = ec.extension_client()
+        c.query("select timestamp from time")
+        """
+
+        return None
+
+    def stop(self):
+        """ Stop the sensor """
+        return
+
+    def collect(self, path):
+        """ Collect sensor data """
+
+        dst = ""
+        return [dst]