Fleet Module - Add post install scripts

2026-02-20 06:05:01 +01:00 · 2019-01-24 10:55:15 -05:00
parent ff900d1dc6
commit 6ecdfaca86
3 changed files with 12 additions and 0 deletions
--- a/salt/fleet/packs/hh/hh-post-login.sh
+++ b/salt/fleet/packs/hh/hh-post-login.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+echo "Applying Post Configuration for Osquery"
+fleetctl apply -f /packs/hh/osquery.conf
+fleetctl apply -f /packs/hh/hhdefault/yml
+fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml
+fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
+fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
+for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml;
+ do fleetctl apply -f "$pack"
+done
+echo ""
+echo "You can now exit the container by typing exit"
--- a/salt/fleet/packs/hh/hhdefault.yml
+++ b/salt/fleet/packs/hh/hhdefault.yml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: query
+spec:
+  name: users
+  description: Users on the system
+  query: select * from users;
+---
+apiVersion: v1
+kind: query
+spec:
+  name: chrome-extensions
+  description: Chrome extensions for all users on the system
+  query:  select users.username,chrome_extensions.*,chrome_extensions.path from users cross join chrome_extensions using (uid) where identifier not in ('aapocclcgogkmnckokdopfmhonfmgoek', 'aohghmighlieiainnegkcijnfilokake', 'apdfllckaahabafndbhieahigkjlhalf','felcaaldnbdncclmgdcncolpebgiejap','pjkljhegncpnkpknbcohdijeoejaedia','pkedcjkdefgpdelpbcmbmeomcjbeemfm','blpcfgokakmgnkcojhhkbfbldkacnbeo','ghbmnnjooekpmoecnnnilnnbdlolhkhi','nmmhkkegccagdldgiimedpiccmgmieda');
+---
+apiVersion: v1
+kind: pack
+spec:
+  name: examples
+  targets:
+    labels:
+      - All Hosts
+  queries:
+    - query: users
+      interval: 180
+      removed: false
+    - query: chrome-extensions
+      interval: 180
+      removed: false
--- a/salt/fleet/packs/hh/osquery.conf
+++ b/salt/fleet/packs/hh/osquery.conf
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: options
+spec:
+  config:
+    decorators:
+      always:
+      - SELECT codename FROM os_version;
+      - SELECT uuid AS LiveQuery FROM system_info;
+      - SELECT address AS EndpointIP1 FROM interface_addresses where address not
+        like '%:%' and address not like '127%' and address not like '169%' order by
+        interface desc limit 1;
+      - SELECT address AS EndpointIP2 FROM interface_addresses where address not
+        like '%:%' and address not like '127%' and address not like '169%' order by
+        interface asc limit 1;
+      - SELECT hardware_serial FROM system_info;
+      - SELECT hostname AS hostname FROM system_info;
+    options:
+      decorations_top_level: true
+      disable_distributed: false
+      distributed_interval: 10
+      distributed_plugin: tls
+      distributed_tls_max_attempts: 3
+      distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
+      distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
+      logger_plugin: tls
+      logger_tls_endpoint: /api/v1/osquery/log
+      logger_tls_period: 10
+      pack_delimiter: _
+  overrides: {}