A collection of Go-based osquery extensions for Fleet and osquery, providing additional tables and integrations for Linux, macOS, and Windows systems.
| Extension | Description | Platform(s) |
|---|---|---|
| snap_packages | Snap package information as a native osquery table | Linux |
| macos_compatibility | macOS hardware/software compatibility table | macOS |
| santa | Santa binary authorization rules and decisions | macOS |
| system_profiler | macOS system profiler information as a native table | macOS |
| nuget_packages | NuGet package search results as a native osquery table | macOS, Windows |
| brew_list | Homebrew package information as a native osquery table | macOS, Linux |
- Description: Provides snap package information as a native osquery table.
- Platforms: Linux
- Binaries:
snap_packages-amd64.ext,snap_packages-arm64.ext - Installation: Automated install script available for Ubuntu systems
- Description: Shows the compatibility of Mac hardware with the latest macOS versions.
- Platforms: macOS (Intel and Apple Silicon)
- Binaries:
macos_compatibility-x86_64.ext,macos_compatibility-arm64.ext,macos_compatibility.ext
- Description: Exposes Santa binary authorization rules, decision logs, and status information as native osquery tables.
- Platforms: macOS (Intel and Apple Silicon)
- Binaries:
santa-x86_64.ext,santa-arm64.ext,santa.ext - Tables:
santa_rules,santa_allowed,santa_denied,santa_status
- Description: Provides macOS system profiler information as a native osquery table.
- Platforms: macOS (Intel and Apple Silicon)
- Binaries:
system_profiler-x86_64.ext,system_profiler-arm64.ext,system_profiler.ext
- Description: Provides NuGet package search results as a native osquery table. Runs
nuget searchand parses the output. - Platforms: macOS (Intel and Apple Silicon), Windows (amd64, arm64)
- Binaries:
nuget_packages-x86_64.ext,nuget_packages-arm64.ext,nuget_packages.ext,nuget_packages-amd64.exe,nuget_packages-arm64.exe
- Description: Provides Homebrew package information as a native osquery table. Lists installed packages with versions, installation paths, and package types (cask vs formula).
- Platforms: macOS (Intel and Apple Silicon), Linux (with Linuxbrew)
- Binaries:
brew_list.ext - Tables:
brew_list
This repository uses GitHub Actions to automatically build and release extensions when changes are pushed to the main branch. Each extension has its own workflow that:
- Triggers on changes to the extension's directory in the
mainbranch - Builds binaries for all supported platforms
- Creates a GitHub release with the tag
latest - Uploads the appropriate binaries as release assets
Extensions can also be built manually using the instructions below.
Each extension is self-contained in its own directory. To build an extension:
- Navigate to the extension directory (e.g.,
cd snap_packages) - Install dependencies:
make deps
- Build the extension:
- For macOS extensions (
macos_compatibility,santa,system_profiler,nuget_packages,brew_list):This produces:make build
- A universal binary:
<extension>.ext(works on both Intel and Apple Silicon Macs) - Architecture-specific binaries:
<extension>-x86_64.ext(Intel),<extension>-arm64.ext(Apple Silicon)
- A universal binary:
- For Linux extension (
snap_packages):This produces:make build
snap_packages-amd64.ext(for x86_64/amd64 Linux)snap_packages-arm64.ext(for ARM64 Linux)
- For Cross-platform extension (
brew_list):This produces:make build
brew_list.ext(works on macOS and Linux with Homebrew/Linuxbrew)
- For Windows extension (
nuget_packages):This produces:make windows
nuget_packages-amd64.exe(for 64-bit Intel/AMD Windows)nuget_packages-arm64.exe(for 64-bit ARM Windows)
- For macOS extensions (
Extensions can be used with Fleet or standard osquery:
sudo orbit shell -- --extension <extension_name>.ext --allow-unsafeosqueryi --extension=/path/to/<extension_name>.extSee each extension's README for table schemas, example queries, and more details.
This project is licensed under the same terms as the parent project. See LICENSE for details.