Initial v0.1.0 commit

Add Scout Query extension with script caching and quick execution tables

Added some sample scripts to the content server for testing

Author: toliver38

.gitattributes

@@ -0,0 +1,2 @@
+# Auto detect text files and perform LF normalization
+* text=auto

.gitignore

@@ -0,0 +1,3 @@
+*/venv/
+*.pem
+.DS_Store

README.md

@@ -0,0 +1,69 @@
+# Scout Osquery Extension
+
+**Scout** is an osquery extension that provides two powerful tables for executing and managing scripts in a secure and efficient manner.
+
+## Tables
+
+### 1. `scout_exec`
+The `scout_exec` table allows you to run hosted scripts immediately during query time. This is particularly useful for **Live Query** scenarios, where immediate execution and feedback are necessary. In future versions, this table will adopt a pub/sub execution model, allowing for asynchronous or longer-running processes to be handled in a more scalable way.
+
+### 2. `scout_cache`
+The `scout_cache` table provides visibility into scripts cached on the endpoint. By caching scripts, Scout minimizes redundant network requests and optimizes resource usage. You can query this table to check whether an endpoint already has the script you need, ensuring faster and more efficient script execution.
+
+## Security
+
+To ensure security, **all scripts must be signed**. The osquery extension is configured with a public key to verify the integrity and authenticity of the scripts before execution. This guarantees that only trusted and verified scripts can be run on your endpoints.
+
+## Running the Extension
+
+### Step 1: Compile the Extension
+Once you have compiled the Scout extension, configure it by adding a `scout` block to your osquery configuration file. You will need to specify the URL for your script server and provide a public key for script verification.
+
+- **`server_url`**: The URL where Scout will fetch scripts from.
+- **`public_key`**: The public key used to verify the integrity of the scripts.
+- **`cache_window`**: Optional - Duration for which the scripts are cached.
+- **`exec_timeout`**: Optional - Timeout for script execution.
+- **`cache_dir`**: Optional - Directory for caching scripts.
+
+```json
+ "scout": {
+	"server_url": "http://localhost:5000/scripts",
+    "public_key": "-----BEGIN PUBLIC KEY-----\n...Your New Public Key...\n-----END PUBLIC KEY-----",
+    "cache_window": 3600,
+    "exec_timeout": 60,
+    "cache_dir": "/path/to/cache"
+  }
+```
+
+### Step 2: Start a Content Server
+You can use any web server to host signed scripts. For testing purposes, a simple content server and some example scripts are provided in the `content_server` directory.
+
+To start the server:
+
+1. Go to the `content_server` directory.
+2. Run your preferred web server (e.g., Python’s built-in server):
+
+```bash
+cd content_server
+pip install -r requirements.txt
+python script_server.py
+```
+
+Place any scripts you want to serve to clients in the scripts directory.
+
+### Step 3: Run the Extension with Osquery
+
+After setting up the server, you can run osquery with the Scout Query extension to start executing and caching scripts.
+
+```bash
+./build.sh
+osqueryi --extension bin/scout-query-darwin-arm64.ext --allow-unsafe
+```
+
+### Future Development
+
+Scout Query  is still in early development. The aim of this project is to allow for quick retrieval of data in a similar table format to existing osquery tables, securely distribute scripts around the network, and safely execute them. It includes some optional configs to limit the risk of long-running processes and denial of service on the download side.
+
+There is a level of caching that takes place at the endpoint with signature verification and checks should the hosted content change or someone tamper with the local cached files.
+
+We’re open to collaboration and would love to explore new use cases. If you find the Scout Query helpful or have any suggestions, feel free to reach out!

bin/README.md

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+OUTPUT_DIR="../bin"
+SCOUT_DIR="scout-query"
+
+cd $SCOUT_DIR || { echo "Directory $SCOUT_DIR not found. Aborting."; exit 1; }
+
+platforms=("windows/amd64" "darwin/amd64" "darwin/arm64" "linux/amd64" "linux/arm64")
+
+for platform in "${platforms[@]}"
+do
+	platform_split=(${platform//\// })
+	GOOS=${platform_split[0]}
+	GOARCH=${platform_split[1]}
+	output_name=$OUTPUT_DIR/scout-query-$GOOS-$GOARCH
+
+	if [ "$GOOS" == "windows" ]; then
+		output_name+='.ext.exe'
+	else
+		output_name+='.ext'
+	fi
+
+  	env GOOS=$GOOS GOARCH=$GOARCH go build -ldflags "-w -X main.Version=0.1.0" -o $output_name 2> build_error.log
+	if [ $? -ne 0 ]; then
+		echo "An error occurred while building for $GOOS/$GOARCH. Aborting..."
+		cat build_error.log
+		exit 1
+	fi
+done
+
+rm -f build_error.log

build.sh

@@ -0,0 +1,190 @@
+from flask import Flask, make_response, abort, jsonify
+import os
+import requests
+import hashlib
+from cryptography.hazmat.primitives import serialization, hashes
+from cryptography.hazmat.primitives.asymmetric import padding
+from flask_caching import Cache
+
+# Configuration
+USE_GITHUB = os.environ.get('USE_GITHUB', '0') == '1'
+GITHUB_RAW_BASE_URL = "https://raw.githubusercontent.com/huntbase-io/scout-content/main"
+ALLOWED_OS_DIRS = ["windows", "linux", "darwin"]
+
+# Local directories (used when USE_GITHUB=0)
+SCRIPTS_DIR = os.path.join(os.getcwd(), 'scripts')
+BIN_DIR = os.path.join(os.getcwd(), 'bin')
+
+app = Flask(__name__)
+
+# Configure caching (mainly for GitHub fetching)
+app.config['CACHE_TYPE'] = 'SimpleCache'  # for production consider Redis or Memcached
+app.config['CACHE_DEFAULT_TIMEOUT'] = 300
+cache = Cache(app)
+
+# Load the private key
+with open('private_key.pem', 'rb') as f:
+    private_key = serialization.load_pem_private_key(
+        f.read(),
+        password=None,
+    )
+
+
+# ---------- Helper Functions ----------
+@cache.memoize(timeout=300)
+def fetch_from_github(path):
+    """
+    Fetch content from GitHub raw URL. Returns content or None if not found.
+    """
+    url = f"{GITHUB_RAW_BASE_URL}/{path}"
+    response = requests.get(url)
+    if response.status_code == 200:
+        return response.content
+    return None
+
+
+def get_local_file_content(root_dir, filename):
+    """
+    Get content from a local file. Returns content or None if not found.
+    """
+    file_path = os.path.join(root_dir, filename)
+    if not os.path.isfile(file_path):
+        return None
+    with open(file_path, 'rb') as f:
+        return f.read()
+
+
+def get_script_content(os_dir, filename):
+    """
+    Get script content either from GitHub or locally, depending on USE_GITHUB.
+    If GitHub fails or USE_GITHUB=0, fallback to local if desired.
+    """
+    # Validate OS directory if provided
+    if os_dir and os_dir not in ALLOWED_OS_DIRS:
+        return None
+
+    # Construct path
+    if os_dir:
+        path = f"scripts/{os_dir}/{filename}"
+        local_path = os.path.join(SCRIPTS_DIR, os_dir, filename)
+    else:
+        path = f"scripts/{filename}"
+        local_path = os.path.join(SCRIPTS_DIR, filename)
+
+    content = None
+    if USE_GITHUB:
+        # Try to fetch from GitHub
+        content = fetch_from_github(path)
+        # If not found on GitHub, we could optionally fallback to local:
+        # if content is None:
+        #     content = get_local_file_content(os.path.join(SCRIPTS_DIR, os_dir) if os_dir else SCRIPTS_DIR, filename)
+    else:
+        # Local only
+        content = get_local_file_content(os.path.join(SCRIPTS_DIR, os_dir) if os_dir else SCRIPTS_DIR, filename)
+
+    return content
+
+
+def get_bin_content(filename):
+    """
+    Get binary content either from GitHub or locally.
+    """
+    path = f"bin/{filename}"
+    if USE_GITHUB:
+        content = fetch_from_github(path)
+        # If desired, fallback to local if GitHub not found:
+        # if content is None:
+        #     content = get_local_file_content(BIN_DIR, filename)
+    else:
+        content = get_local_file_content(BIN_DIR, filename)
+    return content
+
+
+def sign_content(content):
+    """
+    Sign the given content using the private key.
+    """
+    signature = private_key.sign(
+        content,
+        padding.PKCS1v15(),
+        hashes.SHA256()
+    )
+    return signature.hex()
+
+def compute_hash(content):
+    """
+    Compute SHA256 hash of the content.
+    """
+    hasher = hashlib.sha256()
+    hasher.update(content)
+    return hasher.hexdigest()
+
+
+# ---------- Routes ----------
+
+@app.route('/bin/<path:filename>', methods=['GET'])
+def serve_bin(filename):
+    content = get_bin_content(filename)
+    if content is None:
+        abort(404, description="Binary not found")
+
+    signature_hex = sign_content(content)
+    response = make_response(content)
+    response.headers['Content-Type'] = 'application/octet-stream'
+    response.headers['X-Signature'] = signature_hex
+    return response
+
+
+@app.route('/scripts/<path:filename>', methods=['GET'])
+def serve_script_no_os(filename):
+    # This route is for scripts without OS directory specification
+    content = get_script_content(None, filename)
+    if content is None:
+        abort(404, description="Script not found")
+
+    signature_hex = sign_content(content)
+    response = make_response(content)
+    response.headers['Content-Type'] = 'application/octet-stream'
+    response.headers['X-Signature'] = signature_hex
+    return response
+
+
+@app.route('/scripts/<os_dir>/<path:filename>', methods=['GET'])
+def serve_script(os_dir, filename):
+    # Validate OS directory and fetch the script
+    content = get_script_content(os_dir, filename)
+    if content is None:
+        abort(404, description="Script not found")
+
+    signature_hex = sign_content(content)
+    response = make_response(content)
+    response.headers['Content-Type'] = 'application/octet-stream'
+    response.headers['X-Signature'] = signature_hex
+    return response
+
+
+@app.route('/scripts/hash/<path:filename>', methods=['GET'])
+def get_script_hash_no_os(filename):
+    content = get_script_content(None, filename)
+    if content is None:
+        abort(404, description="Script not found")
+
+    script_hash = compute_hash(content)
+    return jsonify({"script_hash": script_hash})
+
+
+@app.route('/scripts/hash/<os_dir>/<path:filename>', methods=['GET'])
+def get_script_hash(os_dir, filename):
+    content = get_script_content(os_dir, filename)
+    if content is None:
+        abort(404, description="Script not found")
+
+    script_hash = compute_hash(content)
+    return jsonify({"script_hash": script_hash})
+
+
+if __name__ == '__main__':
+    # Run the app
+    # Set the USE_GITHUB=1 environment variable before running if you want GitHub fetching
+    # Example: USE_GITHUB=1 python unified_app.py
+    app.run(host='127.0.0.1', port=5000)

content_server/app.py

@@ -0,0 +1,5 @@
+cryptography==44.0.0
+Flask==3.1.0
+Flask_Caching==2.3.0
+psutil==6.1.1
+Requests==2.32.3

content_server/requirements.txt

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Ensure the script is run as root (mimicking the given example's behavior)
+if [[ $EUID -ne 0 ]]; then
+   echo "This script must be run as root"
+   exit 1
+fi
+
+# Set the directory for the default Chrome profile
+EXT_DIR="$HOME/Library/Application Support/Google/Chrome/Default/Extensions"
+
+# Ensure jq is installed
+if ! command -v jq &> /dev/null; then
+    echo "jq is not installed. Please install it (e.g., brew install jq) and run again."
+    exit 1
+fi
+
+# Check if the Chrome Extensions directory exists
+if [ ! -d "$EXT_DIR" ]; then
+    echo "Chrome Extensions directory not found at: $EXT_DIR"
+    exit 1
+fi
+
+# Iterate over each extension directory
+for EXT_ID in "$EXT_DIR"/*; do
+    if [ -d "$EXT_ID" ]; then
+        EXT_ID_NAME=$(basename "$EXT_ID")
+        
+        # Find the latest version directory by sorting versions and selecting the last
+        LATEST_VERSION_DIR=$(ls "$EXT_ID" | sort -V | tail -n 1)
+        MANIFEST="$EXT_ID/$LATEST_VERSION_DIR/manifest.json"
+
+        if [ -f "$MANIFEST" ]; then
+            # Extract name and version from manifest.json
+            NAME=$(jq -r '.name // "unknown_name"' "$MANIFEST")
+            VERSION=$(jq -r '.version // "unknown_version"' "$MANIFEST")
+        else
+            NAME="unknown_name"
+            VERSION="unknown_version"
+        fi
+
+        # Print the extension info in a single row with lowercase field names and underscores
+        echo -e "\"name\": \"$NAME\", \"version\": \"$VERSION\", \"extension_id\": \"$EXT_ID_NAME\""
+    fi
+done

content_server/scripts/darwin/chrome_extensions.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Ensure the script is run as root
+if [[ $EUID -ne 0 ]]; then
+   echo "This script must be run as root"
+   exit 1
+fi
+
+# Print column names
+echo -e "\"device\", \"link_speed\""
+
+# Read the output of networksetup and process each Hardware Port block
+networksetup -listallhardwareports | while IFS= read -r line; do
+    if [[ "$line" == "Hardware Port:"* ]]; then
+        # Extract Hardware Port name (optional, not used in this format)
+        hardware_port=$(echo "$line" | awk -F": " '{print $2}')
+    elif [[ "$line" == "Device:"* ]]; then
+        # Extract Device identifier (e.g., en0, en1)
+        device=$(echo "$line" | awk -F": " '{print $2}')
+        
+        # Retrieve the media status for the device
+        link_speed=$(networksetup -getMedia "$device" 2>/dev/null | awk -F": " '{print $2}' | tr '\n' ' ' | sed 's/ $//')
+        
+        # If link_speed is empty, set it to "unknown"
+        if [ -z "$link_speed" ]; then
+            link_speed="unknown"
+        fi
+        
+        # Output the device and link speed in a single row with lowercase field names and underscores
+        echo -e "\"device\": \"$device\", \"link_speed\": \"$link_speed\""
+    fi
+done