From f6561b6957b7adce02c1942f4373712a5af7a440 Mon Sep 17 00:00:00 2001
From: Jess Frazelle
Date: Sat, 21 Jul 2018 18:11:52 -0400
Subject: [PATCH] add osquery
Signed-off-by: Jess Frazelle
---
 latest-versions.sh | 1 +
 osquery/Dockerfile | 33 +++++++++++++
 osquery/osquery.example.conf | 92 ++++++++++++++++++++++++++++++++++++
 3 files changed, 126 insertions(+)
 create mode 100644 osquery/Dockerfile
 create mode 100644 osquery/osquery.example.conf
diff --git a/latest-versions.sh b/latest-versions.sh
index ab1e2ce..22c8a2e 100755
--- a/latest-versions.sh
+++ b/latest-versions.sh
@@ -113,6 +113,7 @@ MidnightCommander/mc
 zyedidia/micro
 nzbget/nzbget
 bitly/oauth2_proxy
+facebook/osquery
 Tautulli/Tautulli
 perkeep/perkeep
 powershell/powershell
diff --git a/osquery/Dockerfile b/osquery/Dockerfile
new file mode 100644
index 0000000..f9d9805
--- /dev/null
+++ b/osquery/Dockerfile
@@ -0,0 +1,33 @@
+FROM debian:buster-slim
+LABEL maintainer "Jessie Frazelle "
+
+RUN apt-get update && apt-get install -y \
+ ca-certificates \
+ --no-install-recommends \
+ && rm -rf /var/lib/apt/lists/*
+
+ENV OSQUERY_VERSION 3.2.6
+
+RUN buildDeps=' \
+ curl \
+ ' \
+ && set -x \
+ && apt-get update && apt-get install -y $buildDeps --no-install-recommends \
+ && rm -rf /var/lib/apt/lists/* \
+ && mkdir -p /usr/src/osquery \
+ && curl -sSL "https://pkg.osquery.io/linux/osquery-${OSQUERY_VERSION}_1.linux_x86_64.tar.gz" | tar -vxzC / --strip-components 1 \
+ && apt-get purge -y --auto-remove $buildDeps \
+ && chmod a+x /usr/bin/osquery*
+
+COPY osquery.example.conf /etc/osquery/osquery.conf
+
+ENV HOME /home/user
+RUN useradd --create-home --home-dir $HOME user \
+ && chown -R user:user $HOME /etc/osquery /var/osquery /usr/share/osquery /var/log/osquery
+
+WORKDIR $HOME
+
+USER user
+
+ENTRYPOINT [ "osqueryd", "--pidfile", "/home/user/osqueryd.pidfile" ]
+CMD [ "--config_path=/etc/osquery/osquery.conf", "--verbose", "--docker_socket=/var/run/docker.sock", "--host_identifier=hostname", "--disable_distributed=false", "--distributed_plugin=tls" ]
diff --git a/osquery/osquery.example.conf b/osquery/osquery.example.conf
new file mode 100644
index 0000000..156ee97
--- /dev/null
+++ b/osquery/osquery.example.conf
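Review bot: The `curl -sSL … | tar -vxzC / --strip-components 1` step in the second RUN unpacks an unverified archive straight over the image root, so a substituted or tampered download (the URL is built from `OSQUERY_VERSION` and only the TLS transport protects it, and without `-f` an HTTP error body is piped into tar as well) lands as whatever paths the tarball contains; download to a file, compare it against a pinned SHA-256 for this version, and only then extract, as sketched below with a placeholder digest. The same RUN runs `mkdir -p /usr/src/osquery`, which nothing uses since extraction targets `/`. The later `chown -R user:user $HOME /etc/osquery /var/osquery /usr/share/osquery /var/log/osquery` gives the runtime user write access to its own config and packs, which lets a compromised daemon rewrite the very queries meant to monitor it; only `/var/osquery` and `/var/log/osquery` need to be writable, so drop `/etc/osquery /usr/share/osquery` from that line and leave them root-owned and world-readable. `ENV OSQUERY_VERSION 3.2.6`, `ENV HOME /home/user` and `LABEL maintainer "…"` use the legacy space-separated form; `ENV OSQUERY_VERSION=3.2.6` (and likewise for the others) is the current syntax. The default `CMD` also passes `--verbose`, which overrides the copied config's `"verbose": "false"`, `--docker_socket=/var/run/docker.sock`, which presumably only works when the host socket is mounted and readable by the unprivileged `user`, and `--distributed_plugin=tls` with no TLS endpoint given, which looks like it is expected to be completed at run time and deserves a comment saying so.
```dockerfile
ARG OSQUERY_SHA256=<sha256-of-the-osquery-3.2.6-tarball, placeholder>

RUN buildDeps=' \
	curl \
	' \
	&& set -x \
	&& apt-get update && apt-get install -y $buildDeps --no-install-recommends \
	&& rm -rf /var/lib/apt/lists/* \
	&& curl -fsSL -o /tmp/osquery.tar.gz "https://pkg.osquery.io/linux/osquery-${OSQUERY_VERSION}_1.linux_x86_64.tar.gz" \
	&& echo "${OSQUERY_SHA256}  /tmp/osquery.tar.gz" | sha256sum -c - \
	&& tar -xzC / --strip-components 1 -f /tmp/osquery.tar.gz \
	&& rm -f /tmp/osquery.tar.gz \
	&& apt-get purge -y --auto-remove $buildDeps \
	&& chmod a+x /usr/bin/osquery*
```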
@@ -0,0 +1,92 @@
+{
+ // Configure the daemon below:
+ "options": {
+ // Select the osquery config plugin.
+ "config_plugin": "filesystem",
+
+ // Select the osquery logging plugin.
+ "logger_plugin": "filesystem",
+
+ // The log directory stores info, warning, and errors.
+ // If the daemon uses the 'filesystem' logging retriever then the log_dir
+ // will also contain the query results.
+ //"logger_path": "/var/log/osquery",
+
+ // Set 'disable_logging' to true to prevent writing any info, warning, error
+ // logs. If a logging plugin is selected it will still write query results.
+ //"disable_logging": "false",
+
+ // Query differential results are logged as change-events to assist log
+ // aggregation operations like searching and transactions.
+ // Set 'log_result_events' to log differentials as transactions.
+ //"log_result_events": "true",
+
+ // Splay the scheduled interval for queries.
+ // This is very helpful to prevent system performance impact when scheduling
+ // large numbers of queries that run a smaller or similar intervals.
+ //"schedule_splay_percent": "10",
+
+ // Write the pid of the osqueryd process to a pidfile/mutex.
+ //"pidfile": "/var/osquery/osquery.pidfile",
+
+ // Clear events from the osquery backing store after a number of seconds.
+ "events_expiry": "3600",
+
+ // A filesystem path for disk-based backing storage used for events and
+ // query results differentials. See also 'use_in_memory_database'.
+ "database_path": "/var/osquery/osquery.db",
+
+ // Comma-delimited list of table names to be disabled.
+ // This allows osquery to be launched without certain tables.
+ //"disable_tables": "foo_bar,time",
+
+ // Enable debug or verbose debug output when logging.
+ "verbose": "false",
+
+ // The number of threads for concurrent query schedule execution.
+ "worker_threads": "2",
+
+ // Enable schedule profiling, this will fill in averages and totals for
+ // system/user CPU time and memory for every query in the schedule.
+ // Add a query: "select * from osquery_schedule" to record the performances.
+ "enable_monitor": "true"
+ },
+
+ // Define a schedule of queries:
+ "schedule": {
+ // This is a simple example query that outputs basic system information.
+ "system_info": {
+ // The exact query to run.
+ "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
+ // The interval in seconds to run this query, not an exact interval.
+ "interval": 3600
+ }
+ },
+
+ // Decorators are normal queries that append data to every query.
+ "decorators": {
+ "load": [
+ "SELECT uuid AS host_uuid FROM system_info;",
+ "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
+ ]
+ },
+
+ // Add default osquery packs or install your own.
+ //
+ // There are several 'default' packs installed with 'make install' or via
+ // packages and/or Homebrew.
+ //
+ // Linux: /usr/share/osquery/packs
+ // OS X: /var/osquery/packs
+ // Homebrew: /usr/local/share/osquery/packs
+ // make install: {PREFIX}/share/osquery/packs
+ //
+ "packs": {
+ // "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
+ // "incident-response": "/usr/share/osquery/packs/incident-response.conf",
+ // "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
+ // "osx-attacks": "/usr/share/osquery/packs/osx-attacks.conf",
+ // "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
+ // "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf"
+ }
+}