Documentation
Overview
Package table creates an osquery table plugin.
Index
- Constants
- type ColumnDefinition
- type ColumnOptions
- type ColumnType
- type Constraint
- type ConstraintList
- type DeleteFunc
- type GenerateFunc
- type InsertFunc
- type Operator
- type Plugin
- func (t *Plugin) Call(ctx context.Context, request osquery.ExtensionPluginRequest) osquery.ExtensionResponse
- func (t *Plugin) Name() string
- func (t *Plugin) Ping() osquery.ExtensionStatus
- func (t *Plugin) RegistryName() string
- func (t *Plugin) Routes() osquery.ExtensionPluginResponse
- func (t *Plugin) Shutdown()
- type QueryContext
- type UpdateFunc
Constants
const (
	ColumnTypeText    ColumnType = "TEXT"
	ColumnTypeInteger            = "INTEGER"
	ColumnTypeBigInt             = "BIGINT"
	ColumnTypeDouble             = "DOUBLE"
)
The following column types are defined in osquery tables.h.
const (
	// DEFAULT means no special column options.
	DEFAULT ColumnOptions = iota // 0
	// INDEX treats this column as a primary key.
	INDEX = iota // 1
	// REQUIRED column MUST be included in the query predicate.
	REQUIRED = iota // 2
	// ADDITIONAL column is used to generate additional information.
	ADDITIONAL = iota + 1 // 3 + 1
	// OPTIMIZED column can be used to optimize the query.
	OPTIMIZED = iota + 4 // 4 + 4
	// HIDDEN column should be hidden from '*' selects.
	HIDDEN = iota + 11 // 5 + 11
)
const (
	OperatorEquals              Operator = 2
	OperatorGreaterThan                  = 4
	OperatorLessThanOrEquals             = 8
	OperatorLessThan                     = 16
	OperatorGreaterThanOrEquals          = 32
	OperatorMatch                        = 64
	OperatorLike                         = 65
	OperatorGlob                         = 66
	OperatorRegexp                       = 67
	OperatorUnique                       = 1
)
The following operators are defined in osquery tables.h.
Types
type ColumnDefinition
type ColumnDefinition struct {
Name string
Type ColumnType
Op ColumnOptions
}
ColumnDefinition defines the relevant information for a column in a table plugin. Both values are mandatory. Prefer using the *Column helpers to create ColumnDefinition structs.
func BigIntColumn
func BigIntColumn(name string, options ...ColumnOptions) ColumnDefinition
BigIntColumn is a helper for defining columns containing big integers.
func DoubleColumn
func DoubleColumn(name string, options ...ColumnOptions) ColumnDefinition
DoubleColumn is a helper for defining columns containing floating point values.
func IntegerColumn
func IntegerColumn(name string, options ...ColumnOptions) ColumnDefinition
IntegerColumn is a helper for defining columns containing integers.
func TextColumn
func TextColumn(name string, options ...ColumnOptions) ColumnDefinition
TextColumn is a helper for defining columns containing strings.
type ColumnType
type ColumnType string
ColumnType is a strongly typed representation of the data type string for a column definition. The named constants should be used.
type Constraint
Constraint contains both an operator and an expression that are applied as constraints in the query.
type ConstraintList
type ConstraintList struct {
Affinity ColumnType
Constraints []Constraint
}
ConstraintList contains the details of the constraints for the given column.
type DeleteFunc (added in v0.8.0)
DeleteFunc is an optional implementation that can be used to implement delete SQL semantics.
type GenerateFunc
GenerateFunc returns the rows generated by the table. The ctx argument should be checked for cancellation if the generation performs a substantial amount of work. The queryContext argument provides the deserialized JSON query context from osquery.
type InsertFunc (added in v0.8.0)
type InsertFunc func(ctx context.Context, autoRowId bool, row []interface{}) ([]map[string]string, error)
InsertFunc is an optional implementation that can be used to implement insert SQL semantics.
type Plugin
type Plugin struct {
// contains filtered or unexported fields
}
Plugin structure holds the plugin details.
func NewMutablePlugin (added in v0.8.0)
func NewMutablePlugin(name string, columns []ColumnDefinition, gen GenerateFunc, ins InsertFunc, upd UpdateFunc, del DeleteFunc) *Plugin
NewMutablePlugin is a helper method to create a mutable plugin structure.
func NewPlugin
func NewPlugin(name string, columns []ColumnDefinition, gen GenerateFunc) *Plugin
NewPlugin is a helper method to create a plugin structure.
func (*Plugin) Call
func (t *Plugin) Call(ctx context.Context, request osquery.ExtensionPluginRequest) osquery.ExtensionResponse
Call is invoked to generate the table contents or to get the column details.
func (*Plugin) Ping
func (t *Plugin) Ping() osquery.ExtensionStatus
Ping returns a static OK response.
func (*Plugin) RegistryName
RegistryName returns the plugin type, which is always "table" for a table plugin.
func (*Plugin) Routes
func (t *Plugin) Routes() osquery.ExtensionPluginResponse
Routes returns the table's column definitions.
type QueryContext
type QueryContext struct {
// Constraints is a map from column name to the details of the
// constraints on that column.
Constraints map[string]ConstraintList
}
QueryContext contains the constraints from the WHERE clause of the query, that can optionally be used to optimize the table generation. Note that the osquery SQLite engine will perform the filtering with these constraints, so it is not mandatory that they be used in table generation.
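A generate function that uses the QueryContext constraints to narrow its work and checks ctx for cancellation, as an added example that is not code from the package. The types are local stand-ins so it runs without the osquery-go dependency; Constraint's Operator and Expression field names and the GenerateFunc signature are assumptions (the page does not show them), and the socket data is constructed.

```go
package main

import (
	"context"
	"fmt"
)

// Local stand-ins for the package's types (Constraint's fields are assumed).
type (
	Operator   int
	Constraint struct {
		Operator   Operator
		Expression string
	}
	ConstraintList struct{ Constraints []Constraint }
	QueryContext   struct{ Constraints map[string]ConstraintList }
)
const OperatorEquals Operator = 2

// Constructed sample data: listening ports and the user that owns each.
var sockets = []map[string]string{
	{"user": "root", "port": "22"},
	{"user": "www-data", "port": "443"},
	{"user": "root", "port": "5432"},
}

// generate (assumed GenerateFunc shape) narrows work with "user = ..." only.
func generate(ctx context.Context, qc QueryContext) ([]map[string]string, error) {
	wanted := map[string]bool{}
	for _, c := range qc.Constraints["user"].Constraints {
		if c.Operator == OperatorEquals {
			wanted[c.Expression] = true
		}
	}
	var rows []map[string]string
	for _, s := range sockets {
		if err := ctx.Err(); err != nil { // query cancelled: stop early
			return nil, err
		}
		if len(wanted) == 0 || wanted[s["user"]] { // no usable constraint: all rows
			rows = append(rows, s)
		}
	}
	return rows, nil
}

func main() {
	rows, err := generate(context.Background(), QueryContext{})
	fmt.Println(len(rows), err) // no constraints supplied, so every row is returned
}
```

Operators the function does not understand are ignored rather than guessed at, so it can only return a superset of the matching rows and the SQLite engine removes the rest.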