I'm building an osquery extension using osquery-go that provides a virtual table to osqueryi. My table requires a WHERE
clause on a specific field to generate a result. Where do I put the specifications of my table?
As stated in osquery's documentation, specs are usually provided in the specs source folder. But for an extension, I cannot figure out how to do it.
I used the example provided with osquery-go as a starting point; it works pretty well. I'm also able to filter the input with the constraints, but I'd like to get a warning, not an absence of results:
import (
	"context"
	"errors"

	"github.com/osquery/osquery-go/plugin/table"
)

func MyTableGenerate(ctx context.Context, queryContext table.QueryContext) ([]map[string]string, error) {
	if cnstList, present := queryContext.Constraints["field1"]; present {
		// If 'field1' is present in queryContext.Constraints's keys,
		// i.e. if 'field1' is in the WHERE clause
		for _, cnst := range cnstList.Constraints {
			if cnst.Operator == table.OperatorEquals {
				out, err := SomeExternalFn(cnst.Expression)
				// Rows are map[string]string, so the error must be rendered as text
				errText := ""
				if err != nil {
					errText = err.Error()
				}
				return []map[string]string{
					{
						"field1": cnst.Expression,
						"field2": out,
						"field3": errText,
					},
				}, nil
			}
		}
	}
	return nil, errors.New("Query to table MyTable must have a WHERE clause on 'field1'")
}
In osqueryi:
osquery> select * from MyTable;
osquery> select * from MyTable where field1="foo";
+--------+--------+--------+
| field1 | field2 | field3 |
+--------+--------+--------+
| foo    | foobar | foobaz |
+--------+--------+--------+
What I seek:
osquery> select * from file;
W0618 11:50:58.840874 7252 virtual_table.cpp:991] Table file was queried without a required column in the WHERE clause
W0618 11:50:58.841397 7252 virtual_table.cpp:1002] Please see the table documentation: https://osquery.io/schema/#file
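Added example, not the question's code or osquery-go's own: it separates the required-column check into a helper that produces a message in the same spirit as osquery's warning, returns one row per '=' value rather than only the first, and stores the lookup error as text in field3. The types are local stand-ins carrying osquery-go's field names so the file builds offline; the OperatorEquals value, the lookup function and the MyTable name are assumptions or constructed.

```go
package main

import (
	"context"
	"fmt"
)

// Stand-ins with the field names of osquery-go's table.QueryContext, ConstraintList,
// Constraint and OperatorEquals; a real extension drops these and imports the package.
type Operator int
const OperatorEquals Operator = 2 // assumed: SQLITE_INDEX_CONSTRAINT_EQ
type Constraint struct{ Operator Operator; Expression string }
type ConstraintList struct{ Constraints []Constraint }
type QueryContext struct{ Constraints map[string]ConstraintList }

// requiredEquals returns every value the WHERE clause supplies for column through
// '=', or an error naming the column (a missing key yields an empty list).
func requiredEquals(qc QueryContext, column string) ([]string, error) {
	var vals []string
	for _, c := range qc.Constraints[column].Constraints {
		if c.Operator == OperatorEquals {
			vals = append(vals, c.Expression)
		}
	}
	if len(vals) == 0 {
		return nil, fmt.Errorf("MyTable was queried without required column '%s' in the WHERE clause (e.g. where %s = 'value')", column, column)
	}
	return vals, nil
}

// lookup is a constructed stand-in for SomeExternalFn; it fails on an empty key.
func lookup(key string) (string, error) {
	if key == "" { return "", fmt.Errorf("empty key") }
	return key + "bar", nil
}

// MyTableGenerate emits one row per '=' value; rows are map[string]string, so a
// lookup error is stored as text in field3 instead of the error value itself.
func MyTableGenerate(ctx context.Context, qc QueryContext) ([]map[string]string, error) {
	keys, err := requiredEquals(qc, "field1")
	if err != nil {
		return nil, err
	}
	rows := make([]map[string]string, 0, len(keys))
	for _, k := range keys {
		out, lerr := lookup(k)
		row := map[string]string{"field1": k, "field2": out, "field3": ""}
		if lerr != nil {
			row["field3"] = lerr.Error()
		}
		rows = append(rows, row)
	}
	return rows, nil
}
```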