Getting started with osquery development on Linux using CLion and QtCreator

Here’s a quick how-to to answer a question that was posted in the osquery Slack.

Setting up the base development environment

What follows is just a TLDR containing the bare minimum to get to the second part of the post. The osquery project has a lot of good documentation that you should really check out.

Prerequisites

osquery can be run pretty much on any distribution, but for development I’d suggest to go with Ubuntu. The bootstrap procedure will take care of everything, but you will at least need the following packages installed: sudo, make, python, ruby, bash (your login shell doesn’t matter) and of course git.

Getting the source and initializing the environment

  1. Clone the repository: git clone https://github.com/facebook/osquery.git.
  2. Boostrap the environment: make sysprep

The bootstrap procedure will actually perform the following tasks:

  • Updating the system
  • Installing required packages from the repository
  • Initialize the third-party git submodule referenced by the CMake project
  • Install the osquery toolchain and the required libraries inside /usr/local/osquery using Linuxbrew

Using CMake without the Makefile wrapper

When running the make command, the provided Makefile will set a couple of environment variables that CMake will in turn automatically pick up when it is launched to configure the project.

export PATH="/usr/local/osquery/bin:${PATH}"

export DEPS_DIR="/usr/local/osquery"
export LDFLAGS="-L${DEPS_DIR}/legacy/lib -L${DEPS_DIR}/lib -B${DEPS_DIR}/legacy/lib -rtlib=compiler-rt -fuse-ld=lld"

export CC="${DEPS_DIR}/bin/clang"
export CXX="${DEPS_DIR}/bin/clang++"

If everything is working as intended, you should now be able to compile the project without calling make:

$ mkdir osquery-build
$ cd osquery-build
$ cmake ../osquery
$ cmake --build . --config Release -- -j `nproc`

Setting up the IDE

QtCreator

Open the Options dialog from the Tools menu, then adjust each page. Make sure to always select Apply, or the new settings will not show up in the next page.

CMake page

Add the CMake binary from /usr/local/osquery/bin/cmake and name it osquery CMake. Make sure to also enable Autorun CMake and Auto-create build directories.

Compilers page

Add the C++ and C Clang binaries located inside /usr/local/osquery/bin:

Name: osquery Clang (C), osquery Clang (C++)
Compiler path: /usr/local/osquery/bin/clang, /usr/local/osquery/bin/clang++
Platform linker flags: -L/usr/local/osquery/legacy/lib -L/usr/local/osquery/lib -B/usr/local/osquery/legacy/lib -rtlib=compiler-rt -fuse-ld=lld

Kits page

Name: osquery
Compiler: select the compilers we just added.
CMake tool: select the CMake binary we just added.

Environment: Use the following snippet

CC=/usr/local/osquery/bin/clang
CXX=/usr/local/osquery/bin/clang++
LDFLAGS="-L/usr/local/osquery/legacy/lib -L/usr/local/osquery/lib -B/usr/local/osquery/legacy/lib -rtlib=compiler-rt -fuse-ld=lld"
PATH=/usr/local/osquery/bin:${PATH}

Opening the osquery project

You should now be able to directly open the root CMakeLists.txt file.

Here’s a couple of additional tweaks you can apply once you have opened the project:

Open the Build page inside the Projects settings and then: 1. Add -j <cpu count> under Build Steps, Tool arguments 2. Add SKIP_BENCHMARKS=1 and/or SKIP_TESTS=1 under Build Environment

Additional notes

By default QtCreator uses CMake to display the project files; you can change this using the combo box at the top left corner, above the explorer. I like to use the File System, OSQUERY view. You can also disable the bread crumbs if you click on the filter icon.

Using the clang model

The Clang model plugin can be enabled from the Help, About Plugins dialog. Keep in mind that while it’s more advanced than the standard one, it is also hard to make it work reliably.

The osquery toolchain is unusual, as it doesn’t really work on its own; we need to be able to specify some additional settings, and to do so we have to define the QTC_CLANG_NO_DIAGNOSTIC_CHECK=1 environment variable and restart QtCreator.

To configure the code model, to open the Projects, Clang Code Model page and select Custom in the selector located at the top of the screen. Copy the default profile and name it osquery.

The following are my settings:

-Weverything -Wno-c++98-compat -Wno-c++98-compat-pedantic -Wno-unused-macros -Wno-newline-eof -Wno-exit-time-destructors -Wno-global-constructors -Wno-gnu-zero-variadic-macro-arguments -Wno-documentation -Wno-shadow -Wno-switch-enum -Wno-missing-prototypes -Wno-used-but-marked-unused -march=x86-64 -mno-avx -I/usr/local/osquery/legacy/include -I/usr/local/osquery/include -I/usr/local/osquery/include/c++/v1 -I/usr/local/osquery/legacy/include -I/usr/local/osquery/include -I/usr/local/osquery/lib/clang/6.0.0/include

CLion

First of all, configure the variables:

  1. Open the CMakeLists.txt file and select Open as Project.
  2. Open the Settings dialog from the File menu, and then click on CMake under Build, Execution, Deployment.
  3. Click on the small folder icon on the right of the Environment input field.
Variable Value
LDFLAGS -L/usr/local/osquery/legacy/lib -L/usr/local/osquery/lib -B/usr/local/osquery/legacy/lib -rtlib=compiler-rt -fuse-ld=lld
CXX /usr/local/osquery/bin/clang++
CC /usr/local/osquery/bin/clang
PATH /usr/local/osquery/bin:<YOUR_ORIGINAL_PATH>

You should now reset your CMake cache and select the all target:

  1. Click on Reset Cache and Reload Project from the Tools, CMake menu.
  2. Select Build All from the top-right.

You should now be able to build osquery!