villaomatic.blogg.se

Osquery events are disabled

Palantir osquery Configuration

About This Repository

This repository is the companion to the osquery Across the Enterprise blog post. The goal of this project is to provide a baseline template for any organization considering a deployment of osquery in a production environment.

Our belief is that queries which are likely to have a high level of utility for a large percentage of users should be committed directly to the osquery project, which is exactly what we have done with our unwanted-chrome-extensions query pack and additions to the windows-attacks pack. However, we have included additional query packs that are more tailored to our specific environment and that may be useful to some or at least serve as a reference to other organizations. Operators have carefully considered the datasets to be collected and the potential use-cases for that data.

Note: We also utilize packs that are maintained in the official osquery project. In order to ensure you receive the most up to date version of the pack, please view them using the links below:

At the top level, there are two directories titled "Classic" and "Fleet":
  • The Classic directory contains configuration files for a standard osquery deployment
  • The Fleet directory contains YAML files to be imported into Kolide's Fleet osquery management tool

Within each of those folders, you will find the following subdirectories:

Endpoints: The contents of this folder are tailored towards monitoring MacOS and Windows endpoints that are not expected to be online at all times. You may notice the interval of many queries in this folder set to 28800. We purposely set the interval to this value because the interval timer only moves forward when a host is online and we would only expect an endpoint to be online for about 8 hours, or 28800 seconds, per day.

Servers: The contents of this folder are tailored towards monitoring Linux servers. This configuration has process and network auditing enabled, so expect an exponentially higher volume of logs to be returned from the agent.

Note: We recommend that you spin up a lab environment before deploying any of these configurations to a production environment.

Endpoints Configuration Overview

The configurations in this folder are meant for MacOS and Windows, and the interval timings assume that these hosts are only online for ~8 hours per day. The flags included in this configuration enable TLS client mode in osquery and assume it will be connected to a TLS server. We have also included non-TLS flagfiles for local testing.
  • File integrity monitoring on MacOS is enabled for specific files and directories defined in osquery.conf
  • Events are disabled on Windows via the -disable_events flag in osquery.flags. We use Windows Event Forwarding and don't have a need for osquery to process Windows event logs.
  • These configuration files utilize packs within the packs folder and may generate errors if started without them

Servers Configuration Overview

This configuration assumes the destination operating system is Linux-based and that the hosts are online at all times. Auditing mode is enabled for processes and network events.
  • Ensure auditd is disabled or removed from the system where this will be running, as it may conflict with osqueryd.
  • File integrity monitoring is enabled for specific files and directories defined in osquery.conf
  • Requires the nf pack, which must be located at /etc/osquery/packs/nf
  • The subscriber for user_events is disabled

Quickstart - Classic

1. Copy the osquery.conf and osquery.flags files from this repository onto the system and match the directory structure shown below.
2. Start osquery via sudo osqueryctl start on Linux/MacOS or Start-Process osqueryd on Windows.
3. Logs are located in /var/log/osquery (Linux/MacOS) and c:\ProgramData\osquery\logs (Windows).

The desired osquery directory structure for Linux, MacOS, and Windows is outlined below:

    $ cp -R osquery-configuration/Fleet/Servers/Linux/* /etc/osquery
    $ cp osquery-configuration/Fleet/Endpoints/MacOS/* /var/osquery
    $ cp osquery-configuration/Fleet/Endpoints/packs/* /var/osquery/packs
    $ mv /var/osquery/osquery_no_tls.flags /var/osquery/osquery.flags  # Non-TLS server testing
    PS> copy-item osquery-configuration/Fleet/Endpoints/Windows/* c:\ProgramData\osquery

Quickstart - Fleet

3. Configure the fleetctl utility to communicate with your Fleet server
4. Enroll hosts to your Fleet server by configuring the appropriate

Assuming you'd like to use the endpoint configs, you can use the commands below to apply them:

    git clone
    fleetctl apply -f osquery-configuration/Fleet/Endpoints/options.yaml
    fleetctl apply -f osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml
    fleetctl apply -f osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml
    for pack in osquery-configuration/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done
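As an added example (not code from the Palantir repository), the check below parses a constructed osquery.flags and osquery.conf pair for a Windows endpoint and reports the points this README calls out: events disabled on Windows, TLS client mode wired to a hostname, every referenced pack present on disk, and no scheduled query with an interval longer than the 28800-second daily online budget. The flag names are real osquery flags; the hostname, pack paths and queries are constructed sample values.

```python
import json

# README budget: endpoints are online ~8 h (28800 s) a day and osquery's interval
# timer only advances while the host is up, so longer intervals may never fire.
ENDPOINT_ONLINE_SECONDS = 28800


def parse_flags(text):
    """Parse an osquery flagfile: one --flag or --flag=value per line, '#' comments ignored."""
    flags = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.lstrip("-").partition("=")
        flags[key] = value or "true"  # a bare boolean flag means true
    return flags


def check_host(flags_text, conf_text, present_packs, windows=False):
    """Return findings for one host's osquery.flags + osquery.conf pair.
    present_packs: set of pack paths that exist on the host (passed in so this runs offline)."""
    flags = parse_flags(flags_text)
    conf = json.loads(conf_text)
    findings = []
    if windows and flags.get("disable_events") != "true":
        findings.append("Windows host: events not disabled (--disable_events)")
    if flags.get("config_plugin") == "tls" and "tls_hostname" not in flags:
        findings.append("config_plugin=tls but no --tls_hostname set")
    for name, pack in conf.get("packs", {}).items():
        if isinstance(pack, str) and pack not in present_packs:  # inline packs are dicts
            findings.append(f"pack '{name}' references missing file {pack}")
    for qname, q in conf.get("schedule", {}).items():
        if q.get("interval", 0) > ENDPOINT_ONLINE_SECONDS:
            findings.append(f"query '{qname}' interval {q['interval']}s exceeds one online day")
    return findings


# Constructed sample input for a Windows endpoint (hostname and paths are made up).
SAMPLE_FLAGS = "--config_plugin=tls\n--tls_hostname=fleet.example.internal\n--disable_events=true\n"
SAMPLE_CONF = json.dumps({
    "schedule": {"chrome_extensions": {"query": "SELECT * FROM chrome_extensions;", "interval": 28800},
                 "stale_check": {"query": "SELECT 1;", "interval": 86400}},
    "packs": {"windows-attacks": "C:\\ProgramData\\osquery\\packs\\windows-attacks.conf",
              "missing-pack": "C:\\ProgramData\\osquery\\packs\\nope.conf"}})
PRESENT_PACKS = {"C:\\ProgramData\\osquery\\packs\\windows-attacks.conf"}

if __name__ == "__main__":
    for finding in check_host(SAMPLE_FLAGS, SAMPLE_CONF, PRESENT_PACKS, windows=True):
        print(finding)
```

Run against the sample, it reports the missing pack and the 86400-second query; against a real host, point it at the deployed flags and config files instead of the constructed strings.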