Lib.rs

#sql-query #osquery #execute #thrift #api #version #extension

osquery-rs

This crate allows you to execute osquery SQL queries using osquery Thrift API

by AbdulRhman Alfaifi

2 releases

0.1.3 Dec 10, 2022
0.1.2 Jul 6, 2022

#3 in #osquery

MIT/Apache

105KB
2.5K SLoC

osquery-rs

This crate allows you to execute osquery SQL queries using osquery Thrift API. You can execute osquery SQL query using one of the following methods:

  • Connect to the extension socket for an existing osquery instance

  • Spawn your own osquery instance and communicate with it using its extension socket

Currently this crates only works on Linux. I am still working on Windows version.

Usage

  • Add it to your dependencies

    [dependencies]
osquery-rs = { git = "https://github.com/AbdulRhmanAlfaifi/osquery-rs"}

  • Start executing queries !

Examples

Connect to extension socket for an existing osquery instance

use osquery_rs::OSQuery;

fn main () {
    let res = OSQuery::new()
            .set_socket("/home/root/.osquery/shell.em")
            .query(String::from("select * from time"))
            .unwrap();
    println!("{:#?}", res);
}

Spawn your own osquery instance (standalone)

use osquery_rs::OSQuery;

fn main() {
    let res = OSQuery::new()
        // Specify the path to the osquery binary
        .spawn_instance("./osqueryd")
        .unwrap()
        .query(String::from("select * from time"))
        .unwrap();
    println!("{:#?}", res);
}

by default the socket path is /tmp/osquery-rs, you can change it by calling the function set_socket:

use osquery_rs::OSQuery;

fn main() {
    let res = OSQuery::new()
        .set_socket("/tmp/mysocket")
        // Specify the path to the osquery binary
        .spawn_instance("./osqueryd")
        .unwrap()
        .query(String::from("select * from time"))
        .unwrap();
    println!("{:#?}", res);
}

Dependencies

~0.7–1MB
~18K SLoC