Add SpawnInstance API

Author: Teddy Reed

examples/spawn.py

@@ -0,0 +1,25 @@
+#!/usr/bin/env python
+"""
+simple script which runs a query from the command-line by spawning osqueryd
+"""
+
+import sys
+import osquery
+
+if __name__ == "__main__":
+    if len(sys.argv) != 2:
+        print("Usage: %s \"query\"" % sys.argv[0])
+        sys.exit(1)
+    INSTANCE = osquery.SpawnInstance()
+    INSTANCE.open()
+    RESULTS = INSTANCE.client.query(sys.argv[1])
+    if RESULTS.status.code != 0:
+        print("Error running the query: %s" % RESULTS.status.message)
+        sys.exit(1)
+
+    for row in RESULTS.response:
+        print("=" * 80)
+        for key, val in row.iteritems():
+            print("%s => %s" % (key, val))
+    if len(RESULTS.response) > 0:
+        print("=" * 80)

osquery/__init__.py

@@ -4,7 +4,7 @@
 """
 
 __title__ = "osquery"
-__version__ = "1.4.5"
+__version__ = "1.5.3"
 __author__ = "osquery developers"
 __license__ = "BSD"
 __copyright__ = "Copyright 2015 Facebook"
@@ -23,6 +23,7 @@
     "register_plugin",
     "start_extension",
     "Singleton",
+    "SpawnInstance",
     "STRING",
     "TableColumn",
     "TablePlugin",
@@ -32,8 +33,8 @@
 from osquery.extension_client import DEFAULT_SOCKET_PATH, ExtensionClient
 from osquery.extension_manager import ExtensionManager
 from osquery.logger_plugin import LoggerPlugin
-from osquery.management import deregister_extension, parse_cli_params, \
-    register_plugin, start_extension
+from osquery.management import SpawnInstance, \
+    deregister_extension, parse_cli_params, register_plugin, start_extension
 from osquery.plugin import BasePlugin
 from osquery.singleton import Singleton
 from osquery.table_plugin import INTEGER, STRING, TableColumn, TablePlugin

osquery/management.py

@@ -9,7 +9,12 @@
 from __future__ import unicode_literals
 
 import argparse
+import shutil
 import socket
+import subprocess
+import sys
+import tempfile
+import time
 
 from thrift.protocol import TBinaryProtocol
 from thrift.server import TServer
@@ -21,6 +26,98 @@
 from osquery.extension_client import ExtensionClient, DEFAULT_SOCKET_PATH
 from osquery.extension_manager import ExtensionManager
 
+DARWIN_BINARY_PATH = "/usr/local/bin/osqueryd"
+LINUX_BINARY_PATH = "/usr/bin/osqueryd"
+
+class SpawnInstance(object):
+    """Spawn a standalone osquery instance"""
+
+    """The osquery process instance."""
+    instance = None
+    """The extension client connection attached to the instance."""
+    connection = None
+    _socket = None
+
+    def __init__(self, path=None):
+        """
+        Keyword arguments:
+        path -- the path to and osqueryd binary to spawn
+        """
+        if path is None:
+            # Darwin is special and must have binaries installed in /usr/local.
+            if sys.platform == "darwin":
+                self.path = DARWIN_BINARY_PATH
+            else:
+                self.path = LINUX_BINARY_PATH
+        else:
+            self.path = path
+        self._socket = tempfile.mkstemp(prefix="pyosqsock")
+        self._pidfile = tempfile.mkstemp(prefix="pyosqpid")
+        with open(self._pidfile[1], "w") as fh:
+            fh.write("100000")
+        self._dbpath = tempfile.mkdtemp(prefix="pyoqsdb")
+
+    def __del__(self):
+        if self.connection is not None:
+            self.connection.close()
+        if self.instance is not None:
+            self.instance.kill()
+            shutil.rmtree(self._dbpath)
+            self.instance.wait()
+
+    def open(self, timeout=2, interval=0.01):
+        """
+        Start the instance process and open an extension client
+
+        Keyword arguments:
+        timeout -- maximum number of seconds to wait for client
+        interval -- seconds between client open attempts
+        """
+        proc = [
+            self.path,
+            "--extensions_socket",
+            self._socket[1],
+            "--database_path",
+            # This is a temporary directory, there is not FD tuple.
+            self._dbpath,
+            "--pidfile",
+            self._pidfile[1],
+            "--disable_watchdog",
+            "--disable_logging",
+            "--config_path",
+            "/dev/null",
+        ]
+        self.instance = subprocess.Popen(proc,
+            stdin=subprocess.PIPE, stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE)
+        self.connection = ExtensionClient(path=self._socket[1])
+        if not self.is_running():
+            raise Exception("Cannot start process from path: %s" % (self.path))
+
+        # Attempt to open the extension client.
+        delay = 0
+        while delay < timeout:
+            try:
+                self.connection.open()
+                return
+            except:
+                time.sleep(interval)
+                delay += interval
+        self.instance.kill()
+        self.instance = None
+        raise Exception("Cannot open socket: %s" % (self._socket[1]))
+
+    def is_running(self):
+        """Check if the instance has spawned."""
+        if self.instance is None:
+            return False
+        return self.instance.poll() is None
+
+    @property
+    def client(self):
+        """The extension client."""
+        return self.connection.extension_manager_client()
+
 def parse_cli_params():
     """Parse CLI parameters passed to the extension executable"""
     parser = argparse.ArgumentParser(description=(