Merge pull request #499 from Security-Onion-Solutions/feature/osquery-ingest-fixes

osquery updates and fixes
This commit is contained in:
Josh Brower
2020-04-02 08:29:20 -04:00
committed by GitHub
12 changed files with 189 additions and 160 deletions


@@ -239,9 +239,10 @@ spec:
query: chrome_extensions
- description: Disk encryption status and information.
interval: 3600
name: disk_encryption
name: disk_encryption_snapshot
platform: darwin
query: disk_encryption
query: disk_encryption_snapshot
snapshot: true
- description: Local system users.
interval: 28800
name: users_snapshot
@@ -282,6 +283,12 @@ spec:
name: sip_config
platform: darwin
query: sip_config
- description: Shows information about the wifi network that a host is currently connected to.
interval: 28800
name: wifi_status_snapshot
platform: darwin
query: wifi_status_snapshot
snapshot: true
- description: Returns the private keys in the users ~/.ssh directory and whether
or not they are encrypted.
interval: 3600
@@ -290,7 +297,8 @@ spec:
query: user_ssh_keys
removed: false
targets:
labels: null
labels:
- macOS
---
apiVersion: v1
kind: query
@@ -365,13 +373,10 @@ spec:
description: Returns information about installed event taps. Can be used to detect
keyloggers
name: event_taps
query: SELECT * FROM event_taps INNER JOIN processes ON event_taps.tapping_process
= processes.pid WHERE event_tapped NOT LIKE '%mouse%' AND processes.path NOT LIKE
'%.app%' AND processes.path!='/Library/Application Support/org.pqrs/Karabiner-Elements/bin/karabiner_grabber'
AND processes.path NOT LIKE '/Users/%/bin/kwm' AND processes.path!='/Library/Rapport/bin/rooksd'
AND processes.path!='/usr/sbin/universalaccessd' AND processes.path NOT LIKE '/usr/local/Cellar/%'
AND processes.path NOT LIKE '/System/Library/%' AND processes.path NOT LIKE '%/steamapps/%'
AND event_taps.enabled=1;
query: SELECT * FROM event_taps INNER JOIN processes ON event_taps.tapping_process = processes.pid
WHERE event_tapped NOT LIKE '%mouse%' AND processes.path NOT IN ('/usr/libexec/airportd',
'/usr/sbin/universalaccessd') AND processes.path NOT LIKE '/System/Library/%' AND processes.path
NOT LIKE '%/steamapps/%' AND processes.path NOT LIKE '%.app%' AND event_taps.enabled=1;
---
apiVersion: v1
kind: query
@@ -455,6 +460,13 @@ spec:
---
apiVersion: v1
kind: query
spec:
description: Shows information about the wifi network that a host is currently connected to.
name: wifi_status_snapshot
query: SELECT * FROM wifi_status;
---
apiVersion: v1
kind: query
spec:
description: Snapshot query for macosx_kextstat
name: macosx_kextstat_snapshot
@@ -479,7 +491,7 @@ kind: query
spec:
description: Safari browser extension details for all users.
name: safari_extensions
query: SELECT * FROM users JOIN safari_extensions USING (uid);
query: SELECT * FROM users CROSS JOIN safari_extensions USING (uid);
---
apiVersion: v1
kind: query
@@ -500,7 +512,7 @@ kind: query
spec:
description: List authorized_keys for each user on the system
name: authorized_keys
query: SELECT * FROM users JOIN authorized_keys USING (uid);
query: SELECT * FROM users CROSS JOIN authorized_keys USING (uid);
---
apiVersion: v1
kind: query
@@ -508,7 +520,7 @@ spec:
description: Application, System, and Mobile App crash logs.
name: crashes
query: SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path
FROM users JOIN crashes USING (uid);
FROM users CROSS JOIN crashes USING (uid);
---
apiVersion: v1
kind: query
@@ -516,7 +528,7 @@ spec:
description: Displays the percentage of free space available on the primary disk
partition
name: disk_free_space_pct
query: SELECT (blocks_available * 100 / blocks) AS pct FROM mounts WHERE device='/dev/disk1';
query: SELECT (blocks_available * 100 / blocks) AS pct FROM mounts WHERE device='/dev/disk1s1';
---
apiVersion: v1
kind: query
@@ -553,7 +565,7 @@ kind: query
spec:
description: Snapshot query for Chrome extensions
name: chrome_extensions_snapshot
query: SELECT * FROM users JOIN chrome_extensions USING (uid);
query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);
---
apiVersion: v1
kind: query
@@ -589,14 +601,14 @@ kind: query
spec:
description: All C/NPAPI browser plugin details for all users.
name: browser_plugins
query: SELECT * FROM users JOIN browser_plugins USING (uid);
query: SELECT * FROM users CROSS JOIN browser_plugins USING (uid);
---
apiVersion: v1
kind: query
spec:
description: List installed Firefox addons for all users
name: firefox_addons
query: SELECT * FROM users JOIN firefox_addons USING (uid);
query: SELECT * FROM users CROSS JOIN firefox_addons USING (uid);
---
apiVersion: v1
kind: query
@@ -625,13 +637,13 @@ kind: query
spec:
description: List installed Chrome Extensions for all users
name: chrome_extensions
query: SELECT * FROM users JOIN chrome_extensions USING (uid);
query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);
---
apiVersion: v1
kind: query
spec:
description: Disk encryption status and information.
name: disk_encryption
name: disk_encryption_snapshot
query: SELECT * FROM disk_encryption;
---
apiVersion: v1
@@ -691,4 +703,4 @@ spec:
description: Returns the private keys in the users ~/.ssh directory and whether
or not they are encrypted.
name: user_ssh_keys
query: SELECT * FROM users JOIN user_ssh_keys USING (uid);
query: SELECT * FROM users CROSS JOIN user_ssh_keys USING (uid);
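Review bot: The rewritten event_taps query keeps `processes.path NOT LIKE '%.app%'`, which whitelists every application bundle wherever it lives and whoever signed it, so a keylogger dropped as `~/Downloads/Foo.app` is filtered out of the one query meant to catch it. Scoping the exclusion to vendor locations, e.g. `processes.path NOT LIKE '/Applications/%.app/%' AND processes.path NOT LIKE '/System/Applications/%.app/%'`, keeps the noise reduction without the blind spot; if the `signature` table is available in the deployed osquery build, gating on code-signing identity would be stronger still. Every predicate in the WHERE is a `NOT IN`/`NOT LIKE`, so should `processes.path` be NULL (binary removed after launch, itself suspicious) they all evaluate to UNKNOWN and the row is dropped; comparing `COALESCE(processes.path, '')` instead preserves those rows. Separately, `disk_free_space_pct` now pins `device='/dev/disk1s1'`, which still varies across APFS layouts and macOS releases; keying on the `mounts` table's `path='/'` is the stable form.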


@@ -227,8 +227,35 @@ spec:
platform: windows
query: scheduled_tasks_snapshot
snapshot: true
- description: Appcompat shims (.sdb files) installed on Windows hosts.
interval: 3600
name: appcompat_shims
platform: windows
query: appcompat_shims
- description: Disk encryption status and information snapshot query.
interval: 28800
name: bitlocker_info_snapshot
platform: windows
query: bitlocker_info_snapshot
snapshot: true
targets:
labels: null
labels:
- MS Windows
---
apiVersion: v1
kind: query
spec:
description: Appcompat shims (.sdb files) installed on Windows hosts.
name: appcompat_shims
query: SELECT * FROM appcompat_shims WHERE description!='EMET_Database' AND
executable NOT IN ('setuphost.exe','setupprep.exe','iisexpress.exe');
---
apiVersion: v1
kind: query
spec:
description: Disk encryption status and information snapshot query.
name: bitlocker_info_snapshot
query: SELECT * FROM bitlocker_info;
---
apiVersion: v1
kind: query
@@ -302,7 +329,7 @@ kind: query
spec:
description: Snapshot query for Chrome extensions
name: chrome_extensions_snapshot
query: SELECT * FROM users JOIN chrome_extensions USING (uid);
query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);
---
apiVersion: v1
kind: query
@@ -466,7 +493,7 @@ kind: query
spec:
description: List installed Chrome Extensions for all users
name: chrome_extensions
query: SELECT * FROM users JOIN chrome_extensions USING (uid);
query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);
---
apiVersion: v1
kind: query
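Review bot: The new appcompat_shims query excludes rows by fields the shim's installer controls: `description!='EMET_Database'` and `executable NOT IN ('setuphost.exe','setupprep.exe','iisexpress.exe')` both compare metadata an attacker registering a malicious SDB (the classic shim-persistence technique) chooses freely, so a shim targeting `setuphost.exe` or carrying the EMET description never reaches the log. In addition `description!='EMET_Database'` is UNKNOWN when description is NULL, silently dropping such rows; `COALESCE(description,'')!='EMET_Database'` keeps them. If the table's `path` column points at the .sdb file (this hunk does not show it), a tighter form suppresses the named executables only when the database comes from the Windows-shipped location: `WHERE COALESCE(description,'')!='EMET_Database' AND NOT (executable IN ('setuphost.exe','setupprep.exe','iisexpress.exe') AND path LIKE 'C:\Windows\AppPatch\%')`.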


@@ -3,17 +3,9 @@ kind: options
spec:
config:
decorators:
always:
load:
- SELECT uuid AS host_uuid FROM system_info;
- SELECT hostname AS hostname FROM system_info;
- SELECT codename FROM os_version;
- SELECT uuid AS LiveQuery FROM system_info;
- SELECT address AS EndpointIP1 FROM interface_addresses where address not
like '%:%' and address not like '127%' and address not like '169%' order by
interface desc limit 1;
- SELECT address AS EndpointIP2 FROM interface_addresses where address not
like '%:%' and address not like '127%' and address not like '169%' order by
interface asc limit 1;
- SELECT hardware_serial FROM system_info;
file_paths:
binaries:
- /usr/bin/%%
@@ -29,7 +21,6 @@ spec:
efi:
- /System/Library/CoreServices/boot.efi
options:
decorations_top_level: true
disable_distributed: false
disable_tables: windows_events
distributed_interval: 10
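Review bot: Dropping the whole decorators block means each scheduled-query result now identifies its host only by osquery's host identifier; host_uuid, hostname and hardware_serial no longer ride along with every row, and those are the keys responders pivot on when a hostname is reused or a machine is re-imaged. If the intent was only to stop these fields from landing at the top level of each event (the removal of `decorations_top_level: true` suggests an ingest collision), removing that option alone while keeping `- SELECT uuid AS host_uuid FROM system_info;` and `- SELECT hostname AS hostname FROM system_info;` would preserve the correlation keys under `decorations`. Either way, confirm the deployed flagfile pins `--host_identifier` to a stable value (`uuid` or `instance`) so results stay attributable; that file is not part of this change.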


@@ -26,7 +26,9 @@ spec:
query: backup_tool_perf
snapshot: true
targets:
labels: null
labels:
- MS Windows
- macOS
---
apiVersion: v1
kind: query


@@ -26,7 +26,9 @@ spec:
platform: windows
query: endpoint_security_tool_backend_server_registry_misconfigured
targets:
labels: null
labels:
- MS Windows
- macOS
---
apiVersion: v1
kind: query


@@ -40,7 +40,8 @@ spec:
platform: windows
query: uac_settings_registry
targets:
labels: null
labels:
- MS Windows
---
apiVersion: v1
kind: query


@@ -137,7 +137,8 @@ spec:
platform: windows
query: send_error_alert_registry
targets:
labels: null
labels:
- MS Windows
---
apiVersion: v1
kind: query


@@ -185,7 +185,8 @@ spec:
platform: windows
query: send_error_alert_registry_exists
targets:
labels: null
labels:
- MS Windows
---
apiVersion: v1
kind: query


@@ -5,254 +5,251 @@ spec:
name: LinuxPack
queries:
- description: Retrieves all the jobs scheduled in crontab in the target system.
interval: 0
interval: 86400
name: crontab_snapshot
platform: linux
query: crontab_snapshot
snapshot: true
- description: Various Linux kernel integrity checked attributes.
interval: 0
interval: 86400
name: kernel_integrity
platform: linux
query: kernel_integrity
- description: Linux kernel modules both loaded and within the load search path.
interval: 0
interval: 3600
name: kernel_modules
platform: linux
query: kernel_modules
- description: Retrieves the current list of mounted drives in the target system.
interval: 0
interval: 86400
name: mounts
platform: linux
query: mounts
- description: The percentage of total CPU time (system+user) consumed by osqueryd
interval: 0
name: osquery_cpu_pct
platform: linux
query: osquery_cpu_pct
snapshot: true
- description: Socket events collected from the audit framework
interval: 0
interval: 10
name: socket_events
platform: linux
query: socket_events
- description: Record the network interfaces and their associated IP and MAC addresses
interval: 0
interval: 600
name: network_interfaces_snapshot
platform: linux
query: network_interfaces_snapshot
snapshot: true
version: 1.4.5
- description: Information about the running osquery configuration
interval: 0
interval: 86400
name: osquery_info
platform: linux
query: osquery_info
snapshot: true
- description: Display all installed RPM packages
interval: 0
interval: 86400
name: rpm_packages
platform: centos
query: rpm_packages
snapshot: true
- description: Record shell history for all users on system (instead of just root)
interval: 0
interval: 3600
name: shell_history
platform: linux
query: shell_history
- description: File events collected from file integrity monitoring
interval: 0
interval: 10
name: file_events
platform: linux
query: file_events
removed: false
- description: Retrieve the EC2 metadata for this endpoint
interval: 0
interval: 3600
name: ec2_instance_metadata
platform: linux
query: ec2_instance_metadata
- description: Retrieve the EC2 tags for this endpoint
interval: 0
interval: 3600
name: ec2_instance_tags
platform: linux
query: ec2_instance_tags
- description: Snapshot query to retrieve the EC2 tags for this instance
interval: 0
interval: 86400
name: ec2_instance_tags_snapshot
platform: linux
query: ec2_instance_tags_snapshot
snapshot: true
- description: Retrieves the current filters and chains per filter in the target
system.
interval: 0
interval: 86400
name: iptables
platform: linux
query: iptables
- description: Display any SUID binaries that are owned by root
interval: 0
interval: 86400
name: suid_bin
platform: linux
query: suid_bin
- description: Display all installed DEB packages
interval: 0
interval: 86400
name: deb_packages
platform: ubuntu
query: deb_packages
snapshot: true
- description: Find shell processes that have open sockets
interval: 0
interval: 600
name: behavioral_reverse_shell
platform: linux
query: behavioral_reverse_shell
- description: Retrieves all the jobs scheduled in crontab in the target system.
interval: 0
interval: 3600
name: crontab
platform: linux
query: crontab
- description: Records the system resources used by each query
interval: 0
name: per_query_perf
platform: linux
query: per_query_perf
- description: Records avg rate of socket events since daemon started
interval: 0
name: socket_rates
platform: linux
query: socket_rates
snapshot: true
- description: Local system users.
interval: 0
interval: 86400
name: users
platform: linux
query: users
- description: Process events collected from the audit framework
interval: 0
interval: 10
name: process_events
platform: linux
query: process_events
- description: Retrieves the list of the latest logins with PID, username and timestamp.
interval: 0
interval: 3600
name: last
platform: linux
query: last
- description: Any processes that run with an LD_PRELOAD environment variable
interval: 0
interval: 60
name: ld_preload
platform: linux
query: ld_preload
- description: Records avg rate of process events since daemon started
interval: 0
name: process_rates
platform: linux
query: process_rates
snapshot: true
- description: Information about the system hardware and name
interval: 0
interval: 86400
name: system_info
platform: linux
query: system_info
snapshot: true
- description: Returns the private keys in the users ~/.ssh directory and whether
or not they are encrypted
interval: 0
interval: 86400
name: user_ssh_keys
platform: linux
query: user_ssh_keys
- description: Local system users.
interval: 0
interval: 86400
name: users_snapshot
platform: linux
query: users_snapshot
snapshot: true
- description: DNS resolvers used by the host
interval: 0
interval: 3600
name: dns_resolvers
platform: linux
query: dns_resolvers
- description: Retrieves information from the current kernel in the target system.
interval: 0
interval: 86400
name: kernel_info
platform: linux
query: kernel_info
snapshot: true
- description: Linux kernel modules both loaded and within the load search path.
interval: 0
interval: 86400
name: kernel_modules_snapshot
platform: linux
query: kernel_modules_snapshot
snapshot: true
- description: Generates an event if ld.so.preload is present - used by rootkits
such as Jynx
interval: 0
interval: 3600
name: ld_so_preload_exists
platform: linux
query: ld_so_preload_exists
snapshot: true
- description: Records system/user time, db size, and many other system metrics
interval: 0
interval: 1800
name: runtime_perf
platform: linux
query: runtime_perf
- description: Retrieves all the entries in the target system /etc/hosts file.
interval: 0
interval: 86400
name: etc_hosts_snapshot
platform: linux
query: etc_hosts_snapshot
snapshot: true
- description: Snapshot query to retrieve the EC2 metadata for this endpoint
interval: 0
interval: 86400
name: ec2_instance_metadata_snapshot
platform: linux
query: ec2_instance_metadata_snapshot
snapshot: true
- description: ""
interval: 0
interval: 10
name: hardware_events
platform: linux
query: hardware_events
removed: false
- description: Information about memory usage on the system
interval: 0
interval: 3600
name: memory_info
platform: linux
query: memory_info
- description: Displays information from /proc/stat file about the time the CPU
cores spent in different parts of the system
interval: 0
interval: 3600
name: cpu_time
platform: linux
query: cpu_time
- description: Retrieves all the entries in the target system /etc/hosts file.
interval: 0
interval: 3600
name: etc_hosts
platform: linux
query: etc_hosts
- description: Retrieves information from the Operating System where osquery is
currently running.
interval: 0
interval: 86400
name: os_version
platform: linux
query: os_version
snapshot: true
- description: A snapshot of all processes running on the host. Useful for outlier
analysis.
interval: 0
interval: 86400
name: processes_snapshot
platform: linux
query: processes_snapshot
snapshot: true
- description: Retrieves the current list of USB devices in the target system.
interval: 0
interval: 120
name: usb_devices
platform: linux
query: usb_devices
- description: A line-delimited authorized_keys table.
interval: 0
interval: 86400
name: authorized_keys
platform: linux
query: authorized_keys
- description: Display apt package manager sources.
interval: 86400
name: apt_sources
platform: ubuntu
query: apt_sources
snapshot: true
- description: Gather information about processes that are listening on a socket.
interval: 86400
name: listening_ports
platform: linux
query: listening_ports
snapshot: true
- description: Display yum package manager sources.
interval: 86400
name: yum_sources
platform: centos
query: yum_sources
snapshot: true
targets:
labels: null
labels:
- Ubuntu Linux
- CentOS Linux
---
apiVersion: v1
kind: query
@@ -284,15 +281,6 @@ spec:
---
apiVersion: v1
kind: query
spec:
description: The percentage of total CPU time (system+user) consumed by osqueryd
name: osquery_cpu_pct
query: SELECT ((osqueryd_time*100)/(SUM(system_time) + SUM(user_time))) AS pct FROM
processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time)) AS osqueryd_time
FROM processes WHERE name='osqueryd');
---
apiVersion: v1
kind: query
spec:
description: Socket events collected from the audit framework
name: socket_events
@@ -329,7 +317,7 @@ kind: query
spec:
description: Record shell history for all users on system (instead of just root)
name: shell_history
query: SELECT * FROM users JOIN shell_history USING (uid);
query: SELECT * FROM users CROSS JOIN shell_history USING (uid);
---
apiVersion: v1
kind: query
@@ -403,23 +391,6 @@ spec:
---
apiVersion: v1
kind: query
spec:
description: Records the system resources used by each query
name: per_query_perf
query: SELECT name, interval, executions, output_size, wall_time, (user_time/executions)
AS avg_user_time, (system_time/executions) AS avg_system_time, average_memory
FROM osquery_schedule;
---
apiVersion: v1
kind: query
spec:
description: Records avg rate of socket events since daemon started
name: socket_rates
query: SELECT COUNT(1) AS num, count(1)/s AS rate FROM socket_events, (SELECT (julianday('now')
- 2440587.5)*86400.0 - start_time AS s FROM osquery_info LIMIT 1);
---
apiVersion: v1
kind: query
spec:
description: Local system users.
name: users
@@ -454,14 +425,6 @@ spec:
---
apiVersion: v1
kind: query
spec:
description: Records avg rate of process events since daemon started
name: process_rates
query: SELECT COUNT(1) AS num, count(1)/s AS rate FROM process_events, (SELECT (julianday('now')
- 2440587.5)*86400.0 - start_time AS s FROM osquery_info LIMIT 1);
---
apiVersion: v1
kind: query
spec:
description: Information about the system hardware and name
name: system_info
@@ -473,7 +436,7 @@ spec:
description: Returns the private keys in the users ~/.ssh directory and whether
or not they are encrypted
name: user_ssh_keys
query: SELECT * FROM users JOIN user_ssh_keys USING (uid);
query: SELECT * FROM users CROSS JOIN user_ssh_keys USING (uid);
---
apiVersion: v1
kind: query
@@ -593,4 +556,25 @@ kind: query
spec:
description: A line-delimited authorized_keys table.
name: authorized_keys
query: SELECT * FROM users JOIN authorized_keys USING (uid);
query: SELECT * FROM users CROSS JOIN authorized_keys USING (uid);
---
apiVersion: v1
kind: query
spec:
description: Display apt package manager sources.
name: apt_sources
query: SELECT * FROM apt_sources;
---
apiVersion: v1
kind: query
spec:
description: Gather information about processes that are listening on a socket.
name: listening_ports
query: SELECT pid, port, processes.path, cmdline, cwd FROM listening_ports JOIN processes USING (pid) WHERE port!=0;
---
apiVersion: v1
kind: query
spec:
description: Display yum package manager sources.
name: yum_sources
query: SELECT name, baseurl, enabled, gpgcheck FROM yum_sources;
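Review bot: The new `listening_ports` query omits the bound address and protocol, so a daemon bound to `127.0.0.1` and one bound to `0.0.0.0` are indistinguishable in the snapshot, which defeats its use for exposure review; `SELECT pid, port, address, protocol, family, processes.path, cmdline, cwd FROM listening_ports JOIN processes USING (pid) WHERE port!=0;` records what matters. For consistency with the rest of this commit, which rewrote the per-user joins to `CROSS JOIN`, the same form could be used here, although `processes` needs no uid constraint so the planner issue that motivated those rewrites does not apply. `cmdline` is shipped verbatim to the log pipeline and can carry secrets passed as arguments (`-p<password>` style); that deserves a sentence in the query description so analysts know the field is sensitive. The 86400s interval is also much coarser than the 600s `behavioral_reverse_shell` check in the same pack, so a listener that lives less than a day between snapshots is never recorded.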


@@ -17,6 +17,7 @@ spec:
configuration:
- /etc/passwd
- /etc/shadow
- /etc/ld.so.preload
- /etc/ld.so.conf
- /etc/ld.so.conf.d/%%
- /etc/pam.d/%%


@@ -10,11 +10,11 @@ exactly what we have done with our [unwanted-chrome-extensions](https://github.c
However, we have included additional query packs
that are more tailored to our specific environment that may be useful to some or at least serve as a reference to other organizations. osquery operates best when
operators have carefully considered the datasets to be collected and the potential use-cases for that data.
* [performance-metrics.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/performance-metrics.conf)
* [security-tooling-checks.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/security-tooling-checks.conf)
* [windows-application-security.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/windows-application-security.conf)
* [windows-compliance.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/windows-compliance.conf)
* [windows-registry-monitoring.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/windows-registry-monitoring.conf)
* [performance-metrics.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/performance-metrics.conf)
* [security-tooling-checks.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/security-tooling-checks.conf)
* [windows-application-security.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/windows-application-security.conf)
* [windows-compliance.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/windows-compliance.conf)
* [windows-registry-monitoring.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/windows-registry-monitoring.conf)
**Note**: We also utilize packs that are maintained in the official osquery project. In order to ensure you receive the most up to date version of the pack, please view them using the links below:
@@ -41,15 +41,15 @@ environment.
**Endpoints Configuration Overview**
* The configurations in this folder are meant for MacOS and Windows and the interval timings assume that these hosts are only online for ~8 hours per day
* The flags included in this configuration enable TLS client mode in osquery and assume it will be connected to a TLS server. We have also included non-TLS flagfiles for local testing.
* File integrity monitoring on MacOS is enabled for specific files and directories defined in [osquery.conf](./Endpoints/MacOS/osquery.conf)
* Events are disabled on Windows via the `--disable_events` flag in [osquery.flags](./Endpoints/Windows/osquery.flags). We use [Windows Event Forwarding](https://github.com/palantir/windows-event-forwarding) and don't have a need for osquery to process Windows event logs.
* These configuration files utilize packs within the [packs](./Endpoints/packs) folder and may generate errors if started without them
* File integrity monitoring on MacOS is enabled for specific files and directories defined in [osquery.conf](./Classic/Endpoints/MacOS/osquery.conf)
* Events are disabled on Windows via the `--disable_events` flag in [osquery.flags](./Classic/Endpoints/Windows/osquery.flags). We use [Windows Event Forwarding](https://github.com/palantir/windows-event-forwarding) and don't have a need for osquery to process Windows event logs.
* These configuration files utilize packs within the [packs](./Classic/Endpoints/packs) folder and may generate errors if started without them
**Servers Configuration Overview**
* This configuration assumes the destination operating system is Linux-based and that the hosts are online at all times
* Auditing mode is enabled for processes and network events. Ensure auditd is disabled or removed from the system where this will be running as it may conflict with osqueryd.
* File integrity monitoring is enabled for specific files and directories defined in [osquery.conf](./Servers/Linux/osquery.conf)
* Requires the [ossec-rootkit.conf](./Servers/Linux/packs/ossec-rootkit.conf) pack found to be located at `/etc/osquery/packs/ossec-rootkit.conf`
* File integrity monitoring is enabled for specific files and directories defined in [osquery.conf](./Classic/Servers/Linux/osquery.conf)
* Requires the [ossec-rootkit.conf](./Classic/Servers/Linux/packs/ossec-rootkit.conf) pack found to be located at `/etc/osquery/packs/ossec-rootkit.conf`
* The subscriber for `user_events` is disabled
## Quickstart - Classic
@@ -59,10 +59,10 @@ environment.
4. Logs are located in `/var/log/osquery` (Linux/MacOS) and `c:\ProgramData\osquery\logs` (Windows)
## Quickstart - Fleet
1. Install Fleet version 2.0.0 or higher
2. [Enroll hosts to your Fleet server](https://github.com/kolide/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md) by configuring the appropriate [flags](https://github.com/kolide/fleet/blob/master/tools/osquery/example_osquery.flags)
2. [Configure the fleetctl utility](https://github.com/kolide/fleet/blob/master/docs/cli/setup-guide.md#fleetctl-setup) to communicate with your Fleet server
3. Assuming you'd like to use the endpoint configs, you can use the commands below to apply them:
Install Fleet version 2.0.0 or higher
2. [Enroll hosts to your Fleet server](https://github.com/kolide/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md) by configuring the appropriate [flags]
3. [Configure the fleetctl utility](https://github.com/kolide/fleet/blob/master/docs/cli/setup-guide.md#fleetctl-setup) to communicate with your Fleet server
4. Assuming you'd like to use the endpoint configs, you can use the commands below to apply them:
```
git clone https://github.com/palantir/osquery-configuration.git
@@ -79,7 +79,7 @@ The desired osquery directory structure for Linux, MacOS, and Windows is outline
**Linux**
```
$ git clone https://github.com/palantir/osquery-configuration.git
$ cp -R osquery-configuration/Servers/Linux/* /etc/osquery
$ cp -R osquery-configuration/Fleet/Servers/Linux/* /etc/osquery
$ sudo osqueryctl start
/etc/osquery
@@ -93,8 +93,8 @@ $ sudo osqueryctl start
**MacOS**
```
$ git clone https://github.com/palantir/osquery-configuration.git
$ cp osquery-configuration/Endpoints/MacOS/* /var/osquery
$ cp osquery-configuration/Endpoints/packs/* /var/osquery/packs
$ cp osquery-configuration/Fleet/Endpoints/MacOS/* /var/osquery
$ cp osquery-configuration/Fleet/Endpoints/packs/* /var/osquery/packs
$ mv /var/osquery/osquery_no_tls.flags /var/osquery/osquery.flags ## Non-TLS server testing
$ sudo osqueryctl start
@@ -113,8 +113,8 @@ $ sudo osqueryctl start
**Windows**
```
PS> git clone https://github.com/palantir/osquery-configuration.git
PS> copy-item osquery-configuration/Endpoints/Windows/* c:\ProgramData\osquery
PS> copy-item osquery-configuration/Endpoints/packs/* c:\ProgramData\osquery\packs
PS> copy-item osquery-configuration/Fleet/Endpoints/Windows/* c:\ProgramData\osquery
PS> copy-item osquery-configuration/Fleet/Endpoints/packs/* c:\ProgramData\osquery\packs
PS> copy-item c:\ProgramData\osquery\osquery_no_tls.flags c:\ProgramData\osquery\osquery.flags -force ## Non-TLS server testing
PS> start-service osqueryd


@@ -4,6 +4,12 @@
#so-fleet-setup.sh $FleetEmail
# Enable Fleet
echo "Starting Docker Containers..."
salt-call state.apply mysql queue=True >> /root/fleet-setup.log
salt-call state.apply fleet queue=True >> /root/fleet-setup.log
salt-call state.apply redis queue=True >> /root/fleet-setup.log
if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
echo "so-fleet container not running... Exiting..."
exit 1
@@ -15,11 +21,11 @@ docker exec so-fleet /bin/ash -c "echo {{ MAIN_IP }} {{ MAIN_HOSTNAME }} >> /et
docker exec so-fleet fleetctl config set --address https://{{ MAIN_HOSTNAME }}:443 --tls-skip-verify --url-prefix /fleet
docker exec so-fleet fleetctl setup --email $1 --password $initpw
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml
docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done'
docker exec so-fleet fleetctl apply -f /packs/hh/osquery.conf
# Enable Fleet
@@ -34,6 +40,7 @@ sleep 120
echo "Installing launcher via salt..."
salt-call state.apply fleet.install_package queue=True >> /root/fleet-setup.log
salt-call state.apply filebeat queue=True >> /root/fleet-setup.log
echo "Fleet Setup Complete - Login here: https://{{ MAIN_HOSTNAME }}"
echo "Your username is $2 and your password is $initpw"
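Review bot: The new pack-apply loop `for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done` ignores every exit status, and in `/bin/sh` an unmatched glob expands to the literal `*.yaml`, so a missing or renamed pack directory yields one failed `fleetctl apply` while the script still prints "Fleet Setup Complete" with hosts enrolled under no packs. Running the loop under `set -e` with an existence check, e.g. `docker exec so-fleet /bin/sh -c 'set -e; for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do [ -f "$pack" ] || { echo "no packs found in /packs/palantir/Fleet/Endpoints/packs"; exit 1; }; fleetctl apply -f "$pack"; done' || exit 1`, and treating the other `fleetctl apply` lines and the newly added `salt-call state.apply` lines the same way, makes a half-configured Fleet fail loudly instead of silently. Two pre-existing context lines in the same hunk are still worth flagging: `fleetctl config set ... --tls-skip-verify` disables certificate validation for every later fleetctl call, and `--password $initpw` exposes the initial password to anything that can read the host's process list while the command runs. The final hunk reports the username as `$2` although setup ran with `--email $1` and the usage comment documents a single argument; that hunk's trailing lines appear to lie outside this view.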