Version: v0.0.0-...-b019be7

This package is not in the latest version of its module.

Published: Jun 4, 2020 License: MIT Imports: 5 Imported by: 0



Package table creates an osquery table plugin.



const (
	ColumnTypeText    ColumnType = "TEXT"
	ColumnTypeInteger            = "INTEGER"
	ColumnTypeBigInt             = "BIGINT"
	ColumnTypeDouble             = "DOUBLE"
)

The following column types are defined in osquery tables.h.

const (
	OperatorEquals              Operator = 2
	OperatorGreaterThan                  = 4
	OperatorLessThanOrEquals             = 8
	OperatorLessThan                     = 16
	OperatorGreaterThanOrEquals          = 32
	OperatorMatch                        = 64
	OperatorLike                         = 65
	OperatorGlob                         = 66
	OperatorRegexp                       = 67
	OperatorUnique                       = 1
)

The following operators are defined in osquery tables.h.




type ColumnDefinition

type ColumnDefinition struct {
	Name string
	Type ColumnType
}

ColumnDefinition defines the relevant information for a column in a table plugin. Both values are mandatory. Prefer using the *Column helpers to create ColumnDefinition structs.

func BigIntColumn

func BigIntColumn(name string) ColumnDefinition

BigIntColumn is a helper for defining columns containing big integers.

func DoubleColumn

func DoubleColumn(name string) ColumnDefinition

DoubleColumn is a helper for defining columns containing floating point values.

func IntegerColumn

func IntegerColumn(name string) ColumnDefinition

IntegerColumn is a helper for defining columns containing integers.

func TextColumn

func TextColumn(name string) ColumnDefinition

TextColumn is a helper for defining columns containing strings.

type ColumnType

type ColumnType string

ColumnType is a strongly typed representation of the data type string for a column definition. The named constants should be used.

type Constraint

type Constraint struct {
	Operator   Operator
	Expression string
}

Constraint contains both an operator and an expression that are applied as constraints in the query.

type ConstraintList

type ConstraintList struct {
	Affinity    ColumnType
	Constraints []Constraint
}

ConstraintList contains the details of the constraints for the given column.

type GenerateFunc

type GenerateFunc func(ctx context.Context, queryContext QueryContext) ([]map[string]string, error)

Generate returns the rows generated by the table. The ctx argument should be checked for cancellation if the generation performs a substantial amount of work. The queryContext argument provides the deserialized JSON query context from osquery.

type Operator

type Operator int

Operator is an enum of the osquery operators.

type Plugin

type Plugin struct {
	// contains filtered or unexported fields
}

func NewPlugin

func NewPlugin(name string, columns []ColumnDefinition, gen GenerateFunc) *Plugin

func (*Plugin) Call

func (*Plugin) Name

func (t *Plugin) Name() string

func (*Plugin) Ping

func (t *Plugin) Ping() osquery.ExtensionStatus

func (*Plugin) RegistryName

func (t *Plugin) RegistryName() string

func (*Plugin) Routes

func (*Plugin) Shutdown

func (t *Plugin) Shutdown()

type QueryContext

type QueryContext struct {
	// Constraints is a map from column name to the details of the
	// constraints on that column.
	Constraints map[string]ConstraintList
}

QueryContext contains the constraints from the WHERE clause of the query, which can optionally be used to optimize table generation. Note that the osquery SQLite engine performs the filtering with these constraints itself, so using them in table generation is not mandatory.
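The following is an added example, not code from this package or its authors: a function with the GenerateFunc signature that uses equality constraints from QueryContext to narrow its work and checks ctx for cancellation. The types are local mirrors trimmed to the fields used so the example builds offline; `generateShells`, the `user` and `shell` columns, and the `inventory` data are constructed for illustration.

```go
package main

import (
	"context"
	"fmt"
)

// Local mirrors of the types documented on this page, trimmed to the fields
// used here; a real extension imports the table package instead.
type (
	Operator       int
	Constraint     struct{ Operator Operator; Expression string }
	ConstraintList struct{ Constraints []Constraint }
	QueryContext   struct{ Constraints map[string]ConstraintList }
)

const OperatorEquals Operator = 2

// inventory is constructed sample data standing in for an expensive lookup.
var inventory = []map[string]string{
	{"user": "alice", "shell": "/bin/bash"},
	{"user": "bob", "shell": "/bin/zsh"},
}

// generateShells matches the GenerateFunc signature. Equality constraints on
// "user" narrow the scan; any other query gets every row (a safe superset).
func generateShells(ctx context.Context, qc QueryContext) ([]map[string]string, error) {
	wanted := map[string]bool{}
	for _, c := range qc.Constraints["user"].Constraints {
		if c.Operator == OperatorEquals {
			wanted[c.Expression] = true
		}
	}
	rows := []map[string]string{}
	for _, row := range inventory {
		if err := ctx.Err(); err != nil { // stop promptly if the query was cancelled
			return nil, err
		}
		if len(wanted) == 0 || wanted[row["user"]] {
			rows = append(rows, row)
		}
	}
	return rows, nil
}

func main() {
	eq := ConstraintList{Constraints: []Constraint{{OperatorEquals, "bob"}}}
	fmt.Println(generateShells(context.Background(), QueryContext{map[string]ConstraintList{"user": eq}}))
}
```

Because the engine re-applies the WHERE clause, returning more rows than the constraints ask for is harmless, while a generator that filters too aggressively silently hides rows from the query.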
