RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add a runnable osquery.conf example

This commit is contained in:
Thomas Stromberg 2023-03-04 13:03:30 -05:00
parent 6d05dbc2da
commit 2700c780b7
Failed to extract signature
2 changed files with 32 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
Makefile
View File

@ -8,7 +8,7 @@ out/osqtool-$(ARCH):
mv out/osqtool out/osqtool-$(ARCH) mv out/osqtool out/osqtool-$(ARCH)
out/odk-detection.conf: out/osqtool-$(ARCH) $(wildcard detection/*.sql) out/odk-detection.conf: out/osqtool-$(ARCH) $(wildcard detection/*.sql)
./out/osqtool-$(ARCH) --verify pack detection/ > out/.odk-detection.conf ./out/osqtool-$(ARCH) --max-query-duration=8s --verify pack detection/ > out/.odk-detection.conf
mv out/.odk-detection.conf out/odk-detection.conf mv out/.odk-detection.conf out/odk-detection.conf
out/odk-policy.conf: out/osqtool-$(ARCH) $(wildcard policy/*.sql) out/odk-policy.conf: out/osqtool-$(ARCH) $(wildcard policy/*.sql)
@ -16,7 +16,7 @@ out/odk-policy.conf: out/osqtool-$(ARCH) $(wildcard policy/*.sql)
mv out/.odk-policy.conf out/odk-policy.conf mv out/.odk-policy.conf out/odk-policy.conf
out/odk-incident-response.conf: out/osqtool-$(ARCH) $(wildcard incident_response/*.sql) out/odk-incident-response.conf: out/osqtool-$(ARCH) $(wildcard incident_response/*.sql)
./out/osqtool-$(ARCH) --verify pack incident_response/ > out/.odk-incident-response.conf ./out/osqtool-$(ARCH) --max-query-duration=12s --verify pack incident_response/ > out/.odk-incident-response.conf
mv out/.odk-incident-response.conf out/odk-incident-response.conf mv out/.odk-incident-response.conf out/odk-incident-response.conf
# A privacy-aware variation of IR rules # A privacy-aware variation of IR rules
@ -24,9 +24,12 @@ out/odk-incident-response-privacy.conf: out/osqtool-$(ARCH) $(wildcard incident
./out/osqtool-$(ARCH) --exclude-tags=disabled,disabled-privacy pack incident_response/ > out/.odk-incident-response-privacy.conf ./out/osqtool-$(ARCH) --exclude-tags=disabled,disabled-privacy pack incident_response/ > out/.odk-incident-response-privacy.conf
mv out/.odk-incident-response-privacy.conf out/odk-incident-response-privacy.conf mv out/.odk-incident-response-privacy.conf out/odk-incident-response-privacy.conf
out/osquery.conf:
cat osquery.conf | sed s/"out\/"/""/g > out/osquery.conf
packs: out/odk-detection.conf out/odk-policy.conf out/odk-incident-response.conf out/odk-incident-response-privacy.conf packs: out/odk-detection.conf out/odk-policy.conf out/odk-incident-response.conf out/odk-incident-response-privacy.conf
out/odk-packs.zip: packs out/odk-packs.zip: packs out/osquery.conf
cd out && rm -f .*.conf && zip odk-packs.zip *.conf cd out && rm -f .*.conf && zip odk-packs.zip *.conf
.PHONY: reformat .PHONY: reformat
@ -41,6 +44,14 @@ reformat-updates:
detect: ./out/osqtool-$(ARCH) detect: ./out/osqtool-$(ARCH)
$(SUDO) ./out/osqtool-$(ARCH) run detection $(SUDO) ./out/osqtool-$(ARCH) run detection
.PHONY: run-detect-pack
run-detect-pack: out/odk-detection.conf
$(SUDO) osqueryi --config_path osquery.conf --pack detection
.PHONY: run-ir-pack
run-ir-pack: out/odk-incident-response.conf
$(SUDO) osqueryi --config_path osquery.conf --pack incident-response
.PHONY: collect .PHONY: collect
collect: ./out/osqtool-$(ARCH) collect: ./out/osqtool-$(ARCH)
mkdir -p $(COLLECT_DIR) mkdir -p $(COLLECT_DIR)

18
osquery.conf Normal file
View File

@ -0,0 +1,18 @@
# This is an example runnable osquery.conf. It does not enable eventing tables
#
# To use this, paste this stanza into your existing osquery.conf file, or use
# it interactively with:
#
# sudo osqueryi --config_path osquery.conf -A osquery_packs
#
# You can specify a pack to run using:
#
# sudo osqueryi --config_path osquery.conf --pack detection
{
"packs": {
"detection": "out/odk-detection.conf",
"incident-response": "out/odk-incident-response.conf",
"policy": "out/odk-policy.conf"
}
}