From 2700c780b7c0af24240d323a52b78fb47873194b Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Sat, 4 Mar 2023 13:03:30 -0500 Subject: [PATCH] Add a runnable osquery.conf example --- Makefile | 17 ++++++++++++++--- osquery.conf | 18 ++++++++++++++++++ 2 files changed, 32 insertions(+), 3 deletions(-) create mode 100644 osquery.conf diff --git a/Makefile b/Makefile index e21d44f..1c6ea0e 100644 --- a/Makefile +++ b/Makefile @@ -8,7 +8,7 @@ out/osqtool-$(ARCH): mv out/osqtool out/osqtool-$(ARCH) out/odk-detection.conf: out/osqtool-$(ARCH) $(wildcard detection/*.sql) - ./out/osqtool-$(ARCH) --verify pack detection/ > out/.odk-detection.conf + ./out/osqtool-$(ARCH) --max-query-duration=8s --verify pack detection/ > out/.odk-detection.conf mv out/.odk-detection.conf out/odk-detection.conf out/odk-policy.conf: out/osqtool-$(ARCH) $(wildcard policy/*.sql) @@ -16,7 +16,7 @@ out/odk-policy.conf: out/osqtool-$(ARCH) $(wildcard policy/*.sql) mv out/.odk-policy.conf out/odk-policy.conf out/odk-incident-response.conf: out/osqtool-$(ARCH) $(wildcard incident_response/*.sql) - ./out/osqtool-$(ARCH) --verify pack incident_response/ > out/.odk-incident-response.conf + ./out/osqtool-$(ARCH) --max-query-duration=12s --verify pack incident_response/ > out/.odk-incident-response.conf mv out/.odk-incident-response.conf out/odk-incident-response.conf # A privacy-aware variation of IR rules 
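Review bot: The `8s` added to the detection recipe is a bare magic number with no comment saying what exceeding it means (presumably osqtool rejects the pack during `--verify`), and it cannot be changed without editing the Makefile. Hoisting it to a documented, overridable variable at the top of the file keeps the knob visible and lets CI or a slow host relax it: `# Per-query bound osqtool enforces under --verify; a pack with a slower query fails to build`, `DETECTION_MAX_QUERY_DURATION ?= 8s`, and `--max-query-duration=$(DETECTION_MAX_QUERY_DURATION)` in the recipe. The `out/odk-policy.conf` rule whose header closes this hunk gets no bound at all (its recipe lies outside this diff); if that is deliberate, a one-line comment on that rule would stop the next reader from adding one.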
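Review bot: The 12s bound is applied only to `out/odk-incident-response.conf`; the privacy variant, whose recipe appears as context at the top of the next hunk, packs the same `incident_response/` SQL with neither `--verify` nor `--max-query-duration`, so a query this target would reject still ships in `odk-incident-response-privacy.conf`. If the privacy pack is meant to be a verified subset, the same flags belong there: `./out/osqtool-$(ARCH) --max-query-duration=12s --verify --exclude-tags=disabled,disabled-privacy pack incident_response/ > out/.odk-incident-response-privacy.conf`. If skipping verification on that recipe is intentional, a comment there saying why would keep the two builds from drifting further apart.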
@@ -24,9 +24,12 @@ out/odk-incident-response-privacy.conf: out/osqtool-$(ARCH) $(wildcard incident ./out/osqtool-$(ARCH) --exclude-tags=disabled,disabled-privacy pack incident_response/ > out/.odk-incident-response-privacy.conf mv out/.odk-incident-response-privacy.conf out/odk-incident-response-privacy.conf +out/osquery.conf: + cat osquery.conf | sed s/"out\/"/""/g > out/osquery.conf + packs: out/odk-detection.conf out/odk-policy.conf out/odk-incident-response.conf out/odk-incident-response-privacy.conf -out/odk-packs.zip: packs +out/odk-packs.zip: packs out/osquery.conf cd out && rm -f .*.conf && zip odk-packs.zip *.conf .PHONY: reformat @@ -41,6 +44,14 @@ reformat-updates: detect: ./out/osqtool-$(ARCH) $(SUDO) ./out/osqtool-$(ARCH) run detection +.PHONY: run-detect-pack +run-detect-pack: out/odk-detection.conf + $(SUDO) osqueryi --config_path osquery.conf --pack detection + +.PHONY: run-ir-pack +run-ir-pack: out/odk-incident-response.conf + $(SUDO) osqueryi --config_path osquery.conf --pack incident-response + .PHONY: collect collect: ./out/osqtool-$(ARCH) mkdir -p $(COLLECT_DIR) diff --git a/osquery.conf b/osquery.conf new file mode 100644 index 0000000..32d1ca5 --- /dev/null +++ b/osquery.conf @@ -0,0 +1,18 @@ +# This is an example runnable osquery.conf. It does not enable eventing tables +# +# To use this, paste this stanza into your existing osquery.conf file, or use +# it interactively with: +# +# sudo osqueryi --config_path osquery.conf -A osquery_packs +# +# You can specify a pack to run using: +# +# sudo osqueryi --config_path osquery.conf --pack detection + +{ + "packs": { + "detection": "out/odk-detection.conf", + "incident-response": "out/odk-incident-response.conf", + "policy": "out/odk-policy.conf" + } +}
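Review bot: `out/osquery.conf` declares no prerequisite, so once the file exists make treats it as up to date forever and a stale copy is zipped after `osquery.conf` is edited; the recipe also writes the target straight from a pipeline, so an interrupted or failing run leaves a truncated `out/osquery.conf` that later looks current. The neighbouring pack rules already stage into a dot-file and `mv`, and the zip recipe cleans `.*.conf`, so the same shape fits here: `out/osquery.conf: osquery.conf`, `	sed 's#out/##g' $< > out/.osquery.conf`, `	mv out/.osquery.conf $@`. That also drops the needless `cat` and the shell-quoted `s/"out\/"/""/g` script, which only becomes `s/out\///g` after the shell strips the quotes and is hard to read as written.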
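Review bot: `run-ir-pack` builds only `out/odk-incident-response.conf`, but `osquery.conf` names all three pack files and osqueryi reads each of them at startup, so on a clean checkout the detection and policy paths are absent when the IR target runs (presumably reported as unreadable packs rather than fatal, but not worth relying on). Depending on the existing `packs` target, `run-detect-pack: packs` and `run-ir-pack: packs`, makes both targets self-contained and mirrors what the config actually loads. Both recipes also run osqueryi under `$(SUDO)` with a cwd-relative `--config_path osquery.conf` (and the config's own pack paths are relative too), so they work only from the repository root; a `##` comment on each target stating that, and that the pack's SQL then runs with root privileges, would spare the next user a confusing failure.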
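Review bot: The pack paths are relative (`out/odk-detection.conf`), which osquery presumably resolves against the working directory of the osquery process, so the header's advice to paste this stanza into an existing `osquery.conf` will not work for an osqueryd that is not started from this checkout, and the interactive commands below it work only from the repository root. The header should say so, e.g. `# Pack paths are relative to the directory osquery is started from; when adding these to a daemon config, use absolute paths.` Since whoever can edit a pack file chooses the SQL the daemon executes, that note should also ask that the deployed pack directory be root-owned and not writable by other users. The `make out/osquery.conf` copy strips the `out/` prefix, so the zipped config expects the pack files beside it, which is worth one more sentence here.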