cloudquery powered by Osquery

cloudquery is an Osquery extension that fetches cloud telemetry from AWS, GCP, and Azure. It is extensible, so support for new tables can be added easily, and configurable, so the table schema can be changed as well.

Build and test extension

Build

  • Install prerequisites
  • Set the environment variable for the extension home (it should be path-to-repo/cloudquery/extension):
    export CLOUDQUERY_EXT_HOME=/home/user/work/cloudquery/extension
  • Build the extension:
    make

Test

With osqueryi

  • Copy extension configuration sample file:
    cp ${CLOUDQUERY_EXT_HOME}/extension_config.json.sample ${CLOUDQUERY_EXT_HOME}/config/extension_config.json
  • Edit ${CLOUDQUERY_EXT_HOME}/config/extension_config.json with your cloud accounts. You can add multiple accounts for each cloud provider. Change the logging path and other parameters to suit your needs. Make sure the log path is writable.
  • Start osqueryi
    osqueryi --nodisable_extensions --extension ${CLOUDQUERY_EXT_HOME}/../cloudquery
  • Query data:
    SELECT account_id, region_code, image_id, image_type FROM aws_ec2_image;

With osqueryd

  • Build and install cloudquery:
    make build
    sudo make install
  • Edit (or create) the /etc/osquery/extensions.load file and append the following line:
    /usr/local/bin/cloudquery.ext
  • Edit /opt/cloudquery/config/extension_config.json with your cloud accounts. You can add multiple accounts for each cloud provider. Change the logging path and other parameters to suit your needs.
  • Add the following flags to /etc/osquery/osquery.flags (your flags file path could be different):
    --extensions_autoload=/etc/osquery/extensions.load
    --disable_extensions=false
  • Restart osquery service:
    sudo service osqueryd restart
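
A pre-flight check for the osqueryd steps above, as an added example that is not part of the cloudquery project. It assumes osquery's safe-permissions rule for autoloaded extensions (binary owned by root and not writable by group or others) and treats the config directory as holding cloud credentials; the function names and the EXPECT_UID override are illustrative.

```shell
#!/bin/sh
# Added example, not cloudquery code. Function names are illustrative.

# Numeric owner must be EXPECT_UID (defaults to 0, root).
owner_ok() { [ "$(ls -ldn "$1" | awk '{print $3}')" = "${EXPECT_UID:-0}" ]; }

# Fails when group or others hold the write bit (mode columns 6 and 9).
not_writable_by_others() {
  case "$(ls -ld "$1" | cut -c6,9)" in *w*) return 1 ;; esac
}

# Succeeds only when "others" have no access at all (mode columns 8-10).
not_world_accessible() { [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]; }

# Prints the value of --extensions_autoload found in a flags file.
autoload_path() { sed -n 's/^--extensions_autoload=//p' "$1" | tail -n 1; }

# preflight FLAGS_FILE EXTENSION_BINARY CONFIG_DIR
# Prints one line per problem; the exit status is the number of problems.
# The body runs in a subshell, so its variables do not leak to the caller.
preflight() (
  flags=$1 ext=$2 cfg=$3 n=0
  problem() { echo "PROBLEM: $*"; n=$((n + 1)); }

  # Both flags from the README must be present in the flags file.
  grep -Fxq -- '--disable_extensions=false' "$flags" ||
    problem "$flags lacks --disable_extensions=false"
  load=$(autoload_path "$flags")
  if [ -z "$load" ] || [ ! -f "$load" ]; then
    problem "autoload file is not set in $flags or does not exist"
  elif ! grep -Fxq -- "$ext" "$load"; then
    problem "$load does not list $ext"
  fi

  # The extension binary runs inside osqueryd, so nobody else may replace it.
  if [ ! -x "$ext" ]; then
    problem "$ext is missing or not executable"
  else
    owner_ok "$ext" || problem "$ext is not owned by uid ${EXPECT_UID:-0}"
    not_writable_by_others "$ext" || problem "$ext is writable by group or others"
  fi

  # Credentials and extension_config.json must not be open to other users.
  for f in "$cfg"/*; do
    [ -f "$f" ] || continue
    not_world_accessible "$f" || problem "$f is accessible to other users"
  done
  exit "$n"
)

# With the paths used in this README:
# preflight /etc/osquery/osquery.flags /usr/local/bin/cloudquery.ext /opt/cloudquery/config
```
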

Test with docker

Setup credentials

Set up credentials before proceeding to test with osqueryi or osqueryd.

  • Create a config directory on the host to hold the credentials for your cloud accounts (~/config is an example, but this could be any directory).

  • Make a copy of extension_config.json.sample as extension_config.json in a directory called config (can be anywhere on your machine)

  • Copy cloud credentials to the config directory

    • For AWS: $HOME/.aws/credentials
    • For GCP: your-serviceAccount.json or any JSON file that contains GCP credentials
    • For Azure: my.auth or any file that holds Azure credentials
  • If using AWS cloud, update the following fields in aws section in config/extension_config.json file:

  • If using Google Cloud, update keyFile in the gcp section of the extension_config.json file. It should be changed to /opt/cloudquery/etc/config/your-serviceAccount.json, where your-serviceAccount.json is the JSON key file that contains GCP credentials.

  • If using Azure, update the following fields in azure section in extension_config.json file:

Run osqueryi inside cloudquery container

docker run --rm -it --name cloudquery \
  -v <absolute path to host config directory>:/opt/cloudquery/etc/config \
  uptycs/cloudquery:latest \
  osqueryi --extension /usr/local/bin/cloudquery.ext

Run osqueryd from cloudquery container

The following files and directories can be mounted from the host:

  • /opt/cloudquery/logs - Directory that contains the logs
  • /opt/cloudquery/etc/osquery.flags - Osquery flags file
  • /opt/cloudquery/etc/osquery.conf - Osquery configuration JSON file
  • /opt/cloudquery/etc/config - Directory that contains Cloud provider credentials and cloudquery configuration JSON

Sample Osquery configuration with scheduled queries that can be overwritten via osquery.conf:

{
  "schedule": {
    "gcp_compute_network": {
      "query": "SELECT * FROM gcp_compute_network;",
      "interval": 120
    },
    "aws_s3_bucket": {
      "query": "SELECT * FROM aws_s3_bucket;",
      "interval": 120
    },
    "azure_compute_vm": {
      "query": "SELECT * FROM azure_compute_vm;",
      "interval": 120
    }
  }
}

docker run --rm -d --name cloudquery \
  -v <absolute path to host config directory>:/opt/cloudquery/etc/config \
  uptycs/cloudquery:latest

Supported tables

Owner
Uptycs Inc
Comments
  • AWS RDS cluster Table is added

    By submitting a PR to this repository, you agree to the terms within the Code of Conduct. Please see the contributing guidelines for how to create and submit a PR for this repo.

    Description

    Describe the purpose of this PR along with any background information and the impacts of the proposed change.

    References

    Include any links supporting this change such as:

    • GitHub Issue/PR number addressed or fixed
    • Related pull requests/issues from other repos

    Testing

    Describe the testing done. Setup required for testing. Details of unit or other tests added as a part of the PR.

  • Multiple Account Credentials

    Was wondering if there is a way to configure access to multiple accounts without using access keys (for AWS)?

    Attempted to create a read-only role in multiple accounts and then grant the instance running the cloudquery extension the ability to assume those other roles; however, it doesn't appear to be able to assume the roles configured and only accesses its current account.

    • Read-only role configured in every account and has the cloudquery account as a trusted entity to assume the role.
    • IAM EC2 role assigned to instance allows instance to assume role from other account and read-only access to current account
    • credentials file setup as:
    [profile default]
    role_arn = arn:aws:iam::xxxxxxxxxxxxxx:role/cloudquery
    credential_source = Ec2InstanceMetadata
    
    [profile other_account]
    role_arn = arn:aws:iam::yyyyyyyyyyyyy:role/cloudquery
    source_profile = default
    
  • Added rds Snapshots table in aws

  • Added aws_rds_instances relation

  • ported workspaces

    Description

    In this PR, the "aws_workspaces_describe_workspaces" table, which has data for the "describe-workspaces" API in the workspace service, has been ported.

    Testing

    Testing done, attaching screenshots of data here

  • ported directory

    Description

    In this PR, the "aws_directory" table, which has data for the "describe-directories" API in the directory service, has been ported.

    Testing

    tested using osqueryi.

  • Codepipeline

    Description

    In this PR, the "aws_code_pipeline_list_pipeline" table, which has data for the "list-pipeline" API in the codepipeline service, has been ported.

    Testing

    tested using osqueryi.

  • Update GitHub Actions workflows

    • It's better to set GOPATH for fossa-cli
    • It's better to do the actual build for CodeQL

    Apart from these, I've unified the style of the workflow, but if you don't like it, I can revert it.

  • Failed to write to log, can't open new logfile: open /var/log/cloudquery.log: permission denied

    Describe the bug: The console is spammed with error messages, "Failed to write to log, can't open new logfile: open /var/log/cloudquery.log: permission denied"

    To Reproduce: Copy and paste the docker command from the README, adjusting for the config directory.

    Expected behavior: The docker image is configured properly, or the necessary command to adjust permissions is added to the README.

  • Port apigateway

    Description

    In this PR, I have ported the "aws_apigateway_rest_api" table, which has data for the "get-rest-apis" API in the apigateway service.

    Testing

    Tested using osqueryi.

  • aws eks table added to cloudquery

    Description

    aws eks table added to cloudquery

  • feature request: support instance identity when running in the cloud provider instances

    AWS, GCP and Azure all support instance metadata and instance profiles

    • AWS - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
    • GCP - https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata
    • Azure - https://docs.microsoft.com/en-us/azure/virtual-machines/linux/instance-metadata-service?tabs=linux#managed-identity

    Each type of metadata can be used to automatically identify and configure the authentication if configured on the instance.

    The AWS SDK has support for instance profiles automatically, and I believe GCP and Azure have similar. This would automatically configure the cloud provider when deployed onto a cloud instance with the proper host configuration, making it much easier to handle authentication and providing additional security from the short-lived credentials that these features provide.

  • Acm

    Description

    In this PR, the tables aws_acm_certificates (from the DescribeCertificates API) and aws_acm_tag (from ListTagsForCertificates) have been ported for AWS ACM inventory.

    Testing

    Tested using osqueryi

  • ported cloudfront

    Description

    In this PR, the "aws_cloudfront_distribution" table, which has data for the "list-distributions" API in the cloudfront service, has been ported.

    Testing

    tested using osqueryi.
