Merge pull request #499 from Security-Onion-Solutions/feature/osquery-ingest-fixes

osquery updates and fixes

salt/fleet/files/packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml

@@ -239,9 +239,10 @@ spec:
     query: chrome_extensions
   - description: Disk encryption status and information.
     interval: 3600
-    name: disk_encryption
+    name: disk_encryption_snapshot
     platform: darwin
-    query: disk_encryption
+    query: disk_encryption_snapshot
+    snapshot: true
   - description: Local system users.
     interval: 28800
     name: users_snapshot
@@ -282,6 +283,12 @@ spec:
     name: sip_config
     platform: darwin
     query: sip_config
+  - description: Shows information about the wifi network that a host is currently connected to.
+    interval: 28800
+    name: wifi_status_snapshot
+    platform: darwin
+    query: wifi_status_snapshot
+    snapshot: true
   - description: Returns the private keys in the users ~/.ssh directory and whether
       or not they are encrypted.
     interval: 3600
@@ -290,7 +297,8 @@ spec:
     query: user_ssh_keys
     removed: false
   targets:
-    labels: null
+    labels: 
+    - macOS
 ---
 apiVersion: v1
 kind: query
@@ -365,13 +373,10 @@ spec:
   description: Returns information about installed event taps. Can be used to detect
     keyloggers
   name: event_taps
-  query: SELECT * FROM event_taps INNER JOIN processes ON event_taps.tapping_process
+  query: SELECT * FROM event_taps INNER JOIN processes ON event_taps.tapping_process = processes.pid
-    = processes.pid WHERE event_tapped NOT LIKE '%mouse%' AND processes.path NOT LIKE
+    WHERE event_tapped NOT LIKE '%mouse%' AND processes.path NOT IN ('/usr/libexec/airportd',
-    '%.app%' AND processes.path!='/Library/Application Support/org.pqrs/Karabiner-Elements/bin/karabiner_grabber'
+    '/usr/sbin/universalaccessd') AND processes.path NOT LIKE '/System/Library/%' AND processes.path
-    AND processes.path NOT LIKE '/Users/%/bin/kwm' AND processes.path!='/Library/Rapport/bin/rooksd'
+    NOT LIKE '%/steamapps/%' AND processes.path NOT LIKE '%.app%' AND event_taps.enabled=1;
-    AND processes.path!='/usr/sbin/universalaccessd' AND processes.path NOT LIKE '/usr/local/Cellar/%'
-    AND  processes.path NOT LIKE '/System/Library/%' AND processes.path NOT LIKE '%/steamapps/%'
-    AND event_taps.enabled=1;
 ---
 apiVersion: v1
 kind: query
@@ -455,6 +460,13 @@ spec:
 ---
 apiVersion: v1
 kind: query
+spec:
+  description: Shows information about the wifi network that a host is currently connected to.
+  name: wifi_status_snapshot
+  query: SELECT * FROM wifi_status;
+---
+apiVersion: v1
+kind: query
 spec:
   description: Snapshot query for macosx_kextstat
   name: macosx_kextstat_snapshot
@@ -479,7 +491,7 @@ kind: query
 spec:
   description: Safari browser extension details for all users.
   name: safari_extensions
-  query: SELECT * FROM users JOIN safari_extensions USING (uid);
+  query: SELECT * FROM users CROSS JOIN safari_extensions USING (uid);
 ---
 apiVersion: v1
 kind: query
@@ -500,7 +512,7 @@ kind: query
 spec:
   description: List authorized_keys for each user on the system
   name: authorized_keys
-  query: SELECT * FROM users JOIN authorized_keys USING (uid);
+  query: SELECT * FROM users CROSS JOIN authorized_keys USING (uid);
 ---
 apiVersion: v1
 kind: query
@@ -508,7 +520,7 @@ spec:
   description: Application, System, and Mobile App crash logs.
   name: crashes
   query: SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path
-    FROM users JOIN crashes USING (uid);
+    FROM users CROSS JOIN crashes USING (uid);
 ---
 apiVersion: v1
 kind: query
@@ -516,7 +528,7 @@ spec:
   description: Displays the percentage of free space available on the primary disk
     partition
   name: disk_free_space_pct
-  query: SELECT (blocks_available * 100 / blocks) AS pct FROM mounts WHERE device='/dev/disk1';
+  query: SELECT (blocks_available * 100 / blocks) AS pct FROM mounts WHERE device='/dev/disk1s1';
 ---
 apiVersion: v1
 kind: query
@@ -553,7 +565,7 @@ kind: query
 spec:
   description: Snapshot query for Chrome extensions
   name: chrome_extensions_snapshot
-  query: SELECT * FROM users JOIN chrome_extensions USING (uid);
+  query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);
 ---
 apiVersion: v1
 kind: query
@@ -589,14 +601,14 @@ kind: query
 spec:
   description: All C/NPAPI browser plugin details for all users.
   name: browser_plugins
-  query: SELECT * FROM users JOIN browser_plugins USING (uid);
+  query: SELECT * FROM users CROSS JOIN browser_plugins USING (uid);
 ---
 apiVersion: v1
 kind: query
 spec:
   description: List installed Firefox addons for all users
   name: firefox_addons
-  query: SELECT * FROM users JOIN firefox_addons USING (uid);
+  query: SELECT * FROM users CROSS JOIN firefox_addons USING (uid);
 ---
 apiVersion: v1
 kind: query
@@ -625,13 +637,13 @@ kind: query
 spec:
   description: List installed Chrome Extensions for all users
   name: chrome_extensions
-  query: SELECT * FROM users JOIN chrome_extensions USING (uid);
+  query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);
 ---
 apiVersion: v1
 kind: query
 spec:
   description: Disk encryption status and information.
-  name: disk_encryption
+  name: disk_encryption_snapshot
   query: SELECT * FROM disk_encryption;
 ---
 apiVersion: v1
@@ -691,4 +703,4 @@ spec:
   description: Returns the private keys in the users ~/.ssh directory and whether
     or not they are encrypted.
   name: user_ssh_keys
-  query: SELECT * FROM users JOIN user_ssh_keys USING (uid);
+  query: SELECT * FROM users CROSS JOIN user_ssh_keys USING (uid);

salt/fleet/files/packs/palantir/Fleet/Endpoints/Windows/osquery.yaml

@@ -227,8 +227,35 @@ spec:
     platform: windows
     query: scheduled_tasks_snapshot
     snapshot: true
+  - description: Appcompat shims (.sdb files) installed on Windows hosts.
+    interval: 3600
+    name: appcompat_shims
+    platform: windows
+    query: appcompat_shims
+  - description: Disk encryption status and information snapshot query.
+    interval: 28800
+    name: bitlocker_info_snapshot
+    platform: windows
+    query: bitlocker_info_snapshot
+    snapshot: true
   targets:
-    labels: null
+    labels: 
+    - MS Windows
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Appcompat shims (.sdb files) installed on Windows hosts.
+  name: appcompat_shims
+  query: SELECT * FROM appcompat_shims WHERE description!='EMET_Database' AND
+    executable NOT IN ('setuphost.exe','setupprep.exe','iisexpress.exe');
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Disk encryption status and information snapshot query.
+  name: bitlocker_info_snapshot
+  query: SELECT * FROM bitlocker_info;
 ---
 apiVersion: v1
 kind: query
@@ -302,7 +329,7 @@ kind: query
 spec:
   description: Snapshot query for Chrome extensions
   name: chrome_extensions_snapshot
-  query: SELECT * FROM users JOIN chrome_extensions USING (uid);
+  query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);
 ---
 apiVersion: v1
 kind: query
@@ -466,7 +493,7 @@ kind: query
 spec:
   description: List installed Chrome Extensions for all users
   name: chrome_extensions
-  query: SELECT * FROM users JOIN chrome_extensions USING (uid);
+  query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);
 ---
 apiVersion: v1
 kind: query

salt/fleet/files/packs/palantir/Fleet/Endpoints/options.yaml

@@ -3,17 +3,9 @@ kind: options
 spec:
   config:
     decorators:
-      always:
+      load:
+      - SELECT uuid AS host_uuid FROM system_info;
       - SELECT hostname AS hostname FROM system_info;
-      - SELECT codename FROM os_version;
-      - SELECT uuid AS LiveQuery FROM system_info;
-      - SELECT address AS EndpointIP1 FROM interface_addresses where address not
-        like '%:%' and address not like '127%' and address not like '169%' order by
-        interface desc limit 1;
-      - SELECT address AS EndpointIP2 FROM interface_addresses where address not
-        like '%:%' and address not like '127%' and address not like '169%' order by
-        interface asc limit 1;
-      - SELECT hardware_serial FROM system_info;
     file_paths:
       binaries:
       - /usr/bin/%%
@@ -29,7 +21,6 @@ spec:
       efi:
       - /System/Library/CoreServices/boot.efi
     options:
-      decorations_top_level: true
       disable_distributed: false
       disable_tables: windows_events
       distributed_interval: 10

salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/performance-metrics.yaml

@@ -26,7 +26,9 @@ spec:
     query: backup_tool_perf
     snapshot: true
   targets:
-    labels: null
+    labels: 
+    - MS Windows
+    - macOS
 ---
 apiVersion: v1
 kind: query

salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/security-tooling-checks.yaml

@@ -26,7 +26,9 @@ spec:
     platform: windows
     query: endpoint_security_tool_backend_server_registry_misconfigured
   targets:
-    labels: null
+    labels: 
+    - MS Windows
+    - macOS
 ---
 apiVersion: v1
 kind: query

salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-application-security.yaml

@@ -40,7 +40,8 @@ spec:
     platform: windows
     query: uac_settings_registry
   targets:
-    labels: null
+    labels: 
+    - MS Windows
 ---
 apiVersion: v1
 kind: query

salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-compliance.yaml

@@ -137,7 +137,8 @@ spec:
     platform: windows
     query: send_error_alert_registry
   targets:
-    labels: null
+    labels: 
+    - MS Windows
 ---
 apiVersion: v1
 kind: query

salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-registry-monitoring.yaml

@@ -185,7 +185,8 @@ spec:
     platform: windows
     query: send_error_alert_registry_exists
   targets:
-    labels: null
+    labels: 
+    - MS Windows
 ---
 apiVersion: v1
 kind: query

salt/fleet/files/packs/palantir/Fleet/Servers/Linux/osquery.yaml

@@ -5,254 +5,251 @@ spec:
   name: LinuxPack
   queries:
   - description: Retrieves all the jobs scheduled in crontab in the target system.
-    interval: 0
+    interval: 86400
     name: crontab_snapshot
     platform: linux
     query: crontab_snapshot
     snapshot: true
   - description: Various Linux kernel integrity checked attributes.
-    interval: 0
+    interval: 86400
     name: kernel_integrity
     platform: linux
     query: kernel_integrity
   - description: Linux kernel modules both loaded and within the load search path.
-    interval: 0
+    interval: 3600
     name: kernel_modules
     platform: linux
     query: kernel_modules
   - description: Retrieves the current list of mounted drives in the target system.
-    interval: 0
+    interval: 86400
     name: mounts
     platform: linux
     query: mounts
-  - description: The percentage of total CPU time (system+user) consumed by osqueryd
-    interval: 0
-    name: osquery_cpu_pct
-    platform: linux
-    query: osquery_cpu_pct
-    snapshot: true
   - description: Socket events collected from the audit framework
-    interval: 0
+    interval: 10
     name: socket_events
     platform: linux
     query: socket_events
   - description: Record the network interfaces and their associated IP and MAC addresses
-    interval: 0
+    interval: 600
     name: network_interfaces_snapshot
     platform: linux
     query: network_interfaces_snapshot
     snapshot: true
-    version: 1.4.5
   - description: Information about the running osquery configuration
-    interval: 0
+    interval: 86400
     name: osquery_info
     platform: linux
     query: osquery_info
     snapshot: true
   - description: Display all installed RPM packages
-    interval: 0
+    interval: 86400
     name: rpm_packages
     platform: centos
     query: rpm_packages
     snapshot: true
   - description: Record shell history for all users on system (instead of just root)
-    interval: 0
+    interval: 3600
     name: shell_history
     platform: linux
     query: shell_history
   - description: File events collected from file integrity monitoring
-    interval: 0
+    interval: 10
     name: file_events
     platform: linux
     query: file_events
     removed: false
   - description: Retrieve the EC2 metadata for this endpoint
-    interval: 0
+    interval: 3600
     name: ec2_instance_metadata
     platform: linux
     query: ec2_instance_metadata
   - description: Retrieve the EC2 tags for this endpoint
-    interval: 0
+    interval: 3600
     name: ec2_instance_tags
     platform: linux
     query: ec2_instance_tags
   - description: Snapshot query to retrieve the EC2 tags for this instance
-    interval: 0
+    interval: 86400
     name: ec2_instance_tags_snapshot
     platform: linux
     query: ec2_instance_tags_snapshot
     snapshot: true
   - description: Retrieves the current filters and chains per filter in the target
       system.
-    interval: 0
+    interval: 86400
     name: iptables
     platform: linux
     query: iptables
   - description: Display any SUID binaries that are owned by root
-    interval: 0
+    interval: 86400
     name: suid_bin
     platform: linux
     query: suid_bin
   - description: Display all installed DEB packages
-    interval: 0
+    interval: 86400
     name: deb_packages
     platform: ubuntu
     query: deb_packages
     snapshot: true
   - description: Find shell processes that have open sockets
-    interval: 0
+    interval: 600
     name: behavioral_reverse_shell
     platform: linux
     query: behavioral_reverse_shell
   - description: Retrieves all the jobs scheduled in crontab in the target system.
-    interval: 0
+    interval: 3600
     name: crontab
     platform: linux
     query: crontab
-  - description: Records the system resources used by each query
-    interval: 0
-    name: per_query_perf
-    platform: linux
-    query: per_query_perf
-  - description: Records avg rate of socket events since daemon started
-    interval: 0
-    name: socket_rates
-    platform: linux
-    query: socket_rates
-    snapshot: true
   - description: Local system users.
-    interval: 0
+    interval: 86400
     name: users
     platform: linux
     query: users
   - description: Process events collected from the audit framework
-    interval: 0
+    interval: 10
     name: process_events
     platform: linux
     query: process_events
   - description: Retrieves the list of the latest logins with PID, username and timestamp.
-    interval: 0
+    interval: 3600
     name: last
     platform: linux
     query: last
   - description: Any processes that run with an LD_PRELOAD environment variable
-    interval: 0
+    interval: 60
     name: ld_preload
     platform: linux
     query: ld_preload
-  - description: Records avg rate of process events since daemon started
-    interval: 0
-    name: process_rates
-    platform: linux
-    query: process_rates
     snapshot: true
   - description: Information about the system hardware and name
-    interval: 0
+    interval: 86400
     name: system_info
     platform: linux
     query: system_info
     snapshot: true
   - description: Returns the private keys in the users ~/.ssh directory and whether
       or not they are encrypted
-    interval: 0
+    interval: 86400
     name: user_ssh_keys
     platform: linux
     query: user_ssh_keys
   - description: Local system users.
-    interval: 0
+    interval: 86400
     name: users_snapshot
     platform: linux
     query: users_snapshot
     snapshot: true
   - description: DNS resolvers used by the host
-    interval: 0
+    interval: 3600
     name: dns_resolvers
     platform: linux
     query: dns_resolvers
   - description: Retrieves information from the current kernel in the target system.
-    interval: 0
+    interval: 86400
     name: kernel_info
     platform: linux
     query: kernel_info
     snapshot: true
   - description: Linux kernel modules both loaded and within the load search path.
-    interval: 0
+    interval: 86400
     name: kernel_modules_snapshot
     platform: linux
     query: kernel_modules_snapshot
     snapshot: true
   - description: Generates an event if ld.so.preload is present - used by rootkits
       such as Jynx
-    interval: 0
+    interval: 3600
     name: ld_so_preload_exists
     platform: linux
     query: ld_so_preload_exists
     snapshot: true
   - description: Records system/user time, db size, and many other system metrics
-    interval: 0
+    interval: 1800
     name: runtime_perf
     platform: linux
     query: runtime_perf
   - description: Retrieves all the entries in the target system /etc/hosts file.
-    interval: 0
+    interval: 86400
     name: etc_hosts_snapshot
     platform: linux
     query: etc_hosts_snapshot
     snapshot: true
   - description: Snapshot query to retrieve the EC2 metadata for this endpoint
-    interval: 0
+    interval: 86400
     name: ec2_instance_metadata_snapshot
     platform: linux
     query: ec2_instance_metadata_snapshot
     snapshot: true
   - description: ""
-    interval: 0
+    interval: 10
     name: hardware_events
     platform: linux
     query: hardware_events
     removed: false
   - description: Information about memory usage on the system
-    interval: 0
+    interval: 3600
     name: memory_info
     platform: linux
     query: memory_info
   - description: Displays information from /proc/stat file about the time the CPU
       cores spent in different parts of the system
-    interval: 0
+    interval: 3600
     name: cpu_time
     platform: linux
     query: cpu_time
   - description: Retrieves all the entries in the target system /etc/hosts file.
-    interval: 0
+    interval: 3600
     name: etc_hosts
     platform: linux
     query: etc_hosts
   - description: Retrieves information from the Operating System where osquery is
       currently running.
-    interval: 0
+    interval: 86400
     name: os_version
     platform: linux
     query: os_version
     snapshot: true
   - description: A snapshot of all processes running on the host. Useful for outlier
       analysis.
-    interval: 0
+    interval: 86400
     name: processes_snapshot
     platform: linux
     query: processes_snapshot
     snapshot: true
   - description: Retrieves the current list of USB devices in the target system.
-    interval: 0
+    interval: 120
     name: usb_devices
     platform: linux
     query: usb_devices
   - description: A line-delimited authorized_keys table.
-    interval: 0
+    interval: 86400
     name: authorized_keys
     platform: linux
     query: authorized_keys
+  - description: Display apt package manager sources.
+    interval: 86400
+    name: apt_sources
+    platform: ubuntu
+    query: apt_sources
+    snapshot: true
+  - description: Gather information about processes that are listening on a socket.
+    interval: 86400
+    name: listening_ports
+    platform: linux
+    query: listening_ports
+    snapshot: true
+  - description: Display yum package manager sources.
+    interval: 86400
+    name: yum_sources
+    platform: centos
+    query: yum_sources
+    snapshot: true
   targets:
-    labels: null
+    labels: 
+    - Ubuntu Linux
+    - CentOS Linux
 ---
 apiVersion: v1
 kind: query
@@ -284,15 +281,6 @@ spec:
 ---
 apiVersion: v1
 kind: query
-spec:
-  description: The percentage of total CPU time (system+user) consumed by osqueryd
-  name: osquery_cpu_pct
-  query: SELECT ((osqueryd_time*100)/(SUM(system_time) + SUM(user_time))) AS pct FROM
-    processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time)) AS osqueryd_time
-    FROM processes WHERE name='osqueryd');
----
-apiVersion: v1
-kind: query
 spec:
   description: Socket events collected from the audit framework
   name: socket_events
@@ -329,7 +317,7 @@ kind: query
 spec:
   description: Record shell history for all users on system (instead of just root)
   name: shell_history
-  query: SELECT * FROM users JOIN shell_history USING (uid);
+  query: SELECT * FROM users CROSS JOIN shell_history USING (uid);
 ---
 apiVersion: v1
 kind: query
@@ -403,23 +391,6 @@ spec:
 ---
 apiVersion: v1
 kind: query
-spec:
-  description: Records the system resources used by each query
-  name: per_query_perf
-  query: SELECT name, interval, executions, output_size, wall_time, (user_time/executions)
-    AS avg_user_time, (system_time/executions) AS avg_system_time, average_memory
-    FROM osquery_schedule;
----
-apiVersion: v1
-kind: query
-spec:
-  description: Records avg rate of socket events since daemon started
-  name: socket_rates
-  query: SELECT COUNT(1) AS num, count(1)/s AS rate FROM socket_events, (SELECT (julianday('now')
-    - 2440587.5)*86400.0 - start_time AS s FROM osquery_info LIMIT 1);
----
-apiVersion: v1
-kind: query
 spec:
   description: Local system users.
   name: users
@@ -454,14 +425,6 @@ spec:
 ---
 apiVersion: v1
 kind: query
-spec:
-  description: Records avg rate of process events since daemon started
-  name: process_rates
-  query: SELECT COUNT(1) AS num, count(1)/s AS rate FROM process_events, (SELECT (julianday('now')
-    - 2440587.5)*86400.0 - start_time AS s FROM osquery_info LIMIT 1);
----
-apiVersion: v1
-kind: query
 spec:
   description: Information about the system hardware and name
   name: system_info
@@ -473,7 +436,7 @@ spec:
   description: Returns the private keys in the users ~/.ssh directory and whether
     or not they are encrypted
   name: user_ssh_keys
-  query: SELECT * FROM users JOIN user_ssh_keys USING (uid);
+  query: SELECT * FROM users CROSS JOIN user_ssh_keys USING (uid);
 ---
 apiVersion: v1
 kind: query
@@ -593,4 +556,25 @@ kind: query
 spec:
   description: A line-delimited authorized_keys table.
   name: authorized_keys
-  query: SELECT * FROM users JOIN authorized_keys USING (uid);
+  query: SELECT * FROM users CROSS JOIN authorized_keys USING (uid);
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Display apt package manager sources.
+  name: apt_sources
+  query: SELECT * FROM apt_sources;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Gather information about processes that are listening on a socket.
+  name: listening_ports
+  query: SELECT pid, port, processes.path, cmdline, cwd FROM listening_ports JOIN processes USING (pid) WHERE port!=0;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Display yum package manager sources.
+  name: yum_sources
+  query: SELECT name, baseurl, enabled, gpgcheck FROM yum_sources;

salt/fleet/files/packs/palantir/Fleet/Servers/options.yaml

@@ -17,6 +17,7 @@ spec:
       configuration:
       - /etc/passwd
       - /etc/shadow
+      - /etc/ld.so.preload
       - /etc/ld.so.conf
       - /etc/ld.so.conf.d/%%
       - /etc/pam.d/%%

salt/fleet/files/packs/palantir/README.md

@@ -10,11 +10,11 @@ exactly what we have done with our [unwanted-chrome-extensions](https://github.c
 However, we have included additional query packs
 that are more tailored to our specific environment that may be useful to some or at least serve as a reference to other organizations. osquery operates best when
 operators have carefully considered the datasets to be collected and the potential use-cases for that data.
-* [performance-metrics.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/performance-metrics.conf)
+* [performance-metrics.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/performance-metrics.conf)
-* [security-tooling-checks.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/security-tooling-checks.conf)
+* [security-tooling-checks.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/security-tooling-checks.conf)
-* [windows-application-security.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/windows-application-security.conf)
+* [windows-application-security.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/windows-application-security.conf)
-* [windows-compliance.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/windows-compliance.conf)
+* [windows-compliance.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/windows-compliance.conf)
-* [windows-registry-monitoring.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/windows-registry-monitoring.conf)
+* [windows-registry-monitoring.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/windows-registry-monitoring.conf)
 
 
 **Note**: We also utilize packs that are maintained in the official osquery project. In order to ensure you receive the most up to date version of the pack, please view them using the links below:
@@ -41,15 +41,15 @@ environment.
 **Endpoints Configuration Overview**
 * The configurations in this folder are meant for MacOS and Windows and the interval timings assume that these hosts are only online for ~8 hours per day
 * The flags included in this configuration enable TLS client mode in osquery and assume it will be connected to a TLS server. We have also included non-TLS flagfiles for local testing.
-* File integrity monitoring on MacOS is enabled for specific files and directories defined in [osquery.conf](./Endpoints/MacOS/osquery.conf)
+* File integrity monitoring on MacOS is enabled for specific files and directories defined in [osquery.conf](./Classic/Endpoints/MacOS/osquery.conf)
-* Events are disabled on Windows via the `--disable_events` flag in [osquery.flags](./Endpoints/Windows/osquery.flags). We use [Windows Event Forwarding](https://github.com/palantir/windows-event-forwarding) and don't have a need for osquery to process Windows event logs.
+* Events are disabled on Windows via the `--disable_events` flag in [osquery.flags](./Classic/Endpoints/Windows/osquery.flags). We use [Windows Event Forwarding](https://github.com/palantir/windows-event-forwarding) and don't have a need for osquery to process Windows event logs.
-* These configuration files utilize packs within the [packs](./Endpoints/packs) folder and may generate errors if started without them
+* These configuration files utilize packs within the [packs](./Classic/Endpoints/packs) folder and may generate errors if started without them
 
 **Servers Configuration Overview**
 * This configuration assumes the destination operating system is Linux-based and that the hosts are online at all times
 * Auditing mode is enabled for processes and network events. Ensure auditd is disabled or removed from the system where this will be running as it may conflict with osqueryd.
-* File integrity monitoring is enabled for specific files and directories defined in [osquery.conf](./Servers/Linux/osquery.conf)
+* File integrity monitoring is enabled for specific files and directories defined in [osquery.conf](./Classic/Servers/Linux/osquery.conf)
-* Requires the [ossec-rootkit.conf](./Servers/Linux/packs/ossec-rootkit.conf) pack found to be located at `/etc/osquery/packs/ossec-rootkit.conf`
+* Requires the [ossec-rootkit.conf](./Classic/Servers/Linux/packs/ossec-rootkit.conf) pack found to be located at `/etc/osquery/packs/ossec-rootkit.conf`
 * The subscriber for `user_events` is disabled
 
 ## Quickstart - Classic
@@ -59,10 +59,10 @@ environment.
 4. Logs are located in `/var/log/osquery` (Linux/MacOS) and `c:\ProgramData\osquery\logs` (Windows)
 
 ## Quickstart - Fleet
-1. Install Fleet version 2.0.0 or higher 
+Install Fleet version 2.0.0 or higher
-2. [Enroll hosts to your Fleet server](https://github.com/kolide/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md) by configuring the appropriate [flags](https://github.com/kolide/fleet/blob/master/tools/osquery/example_osquery.flags)
+2. [Enroll hosts to your Fleet server](https://github.com/kolide/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md) by configuring the appropriate [flags]
-2. [Configure the fleetctl utility](https://github.com/kolide/fleet/blob/master/docs/cli/setup-guide.md#fleetctl-setup) to communicate with your Fleet server
+3. [Configure the fleetctl utility](https://github.com/kolide/fleet/blob/master/docs/cli/setup-guide.md#fleetctl-setup) to communicate with your Fleet server
-3. Assuming you'd like to use the endpoint configs, you can use the commands below to apply them:
+4. Assuming you'd like to use the endpoint configs, you can use the commands below to apply them:
 
 ```
 git clone https://github.com/palantir/osquery-configuration.git
@@ -79,7 +79,7 @@ The desired osquery directory structure for Linux, MacOS, and Windows is outline
 **Linux**
 ```
 $ git clone https://github.com/palantir/osquery-configuration.git
-$ cp -R osquery-configuration/Servers/Linux/* /etc/osquery
+$ cp -R osquery-configuration/Fleet/Servers/Linux/* /etc/osquery
 $ sudo osqueryctl start
 
 /etc/osquery
@@ -93,8 +93,8 @@ $ sudo osqueryctl start
 **MacOS**
 ```
 $ git clone https://github.com/palantir/osquery-configuration.git
-$ cp osquery-configuration/Endpoints/MacOS/* /var/osquery
+$ cp osquery-configuration/Fleet/Endpoints/MacOS/* /var/osquery
-$ cp osquery-configuration/Endpoints/packs/* /var/osquery/packs
+$ cp osquery-configuration/Fleet/Endpoints/packs/* /var/osquery/packs
 $ mv /var/osquery/osquery_no_tls.flags /var/osquery/osquery.flags   ## Non-TLS server testing
 $ sudo osqueryctl start
 
@@ -113,8 +113,8 @@ $ sudo osqueryctl start
 **Windows**
 ```
 PS> git clone https://github.com/palantir/osquery-configuration.git
-PS> copy-item osquery-configuration/Endpoints/Windows/* c:\ProgramData\osquery
+PS> copy-item osquery-configuration/Fleet/Endpoints/Windows/* c:\ProgramData\osquery
-PS> copy-item osquery-configuration/Endpoints/packs/* c:\ProgramData\osquery\packs
+PS> copy-item osquery-configuration/Fleet/Endpoints/packs/* c:\ProgramData\osquery\packs
 PS> copy-item c:\ProgramData\osquery\osquery_no_tls.flags c:\ProgramData\osquery\osquery.flags -force   ## Non-TLS server testing
 PS> start-service osqueryd
 

salt/fleet/files/scripts/so-fleet-setup

@@ -4,6 +4,12 @@
 
 #so-fleet-setup.sh $FleetEmail
 
+# Enable Fleet
+echo "Starting Docker Containers..."
+salt-call state.apply mysql queue=True >> /root/fleet-setup.log
+salt-call state.apply fleet queue=True >> /root/fleet-setup.log
+salt-call state.apply redis queue=True >> /root/fleet-setup.log
+
 if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
         echo "so-fleet container not running... Exiting..."
         exit 1
@@ -15,11 +21,11 @@ docker exec so-fleet /bin/ash -c "echo {{ MAIN_IP }} {{ MAIN_HOSTNAME }} >>  /et
 docker exec so-fleet fleetctl config set --address https://{{ MAIN_HOSTNAME }}:443 --tls-skip-verify --url-prefix /fleet
 docker exec so-fleet fleetctl setup --email $1 --password $initpw
 
-docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml
 docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
 docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
 docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml
 docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done'
+docker exec so-fleet fleetctl apply -f /packs/hh/osquery.conf
 
 
 # Enable Fleet
@@ -34,6 +40,7 @@ sleep 120
 
 echo "Installing launcher via salt..."
 salt-call state.apply fleet.install_package queue=True >> /root/fleet-setup.log
+salt-call state.apply filebeat queue=True >> /root/fleet-setup.log
 
 echo "Fleet Setup Complete - Login here: https://{{ MAIN_HOSTNAME }}"
 echo "Your username is $2 and your password is $initpw"