add osquery
Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
This commit is contained in:
parent
bb68fa5b01
commit
f6561b6957
|
@ -113,6 +113,7 @@ MidnightCommander/mc
|
||||||
zyedidia/micro
|
zyedidia/micro
|
||||||
nzbget/nzbget
|
nzbget/nzbget
|
||||||
bitly/oauth2_proxy
|
bitly/oauth2_proxy
|
||||||
|
facebook/osquery
|
||||||
Tautulli/Tautulli
|
Tautulli/Tautulli
|
||||||
perkeep/perkeep
|
perkeep/perkeep
|
||||||
powershell/powershell
|
powershell/powershell
|
||||||
|
|
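--- a/osquery/Dockerfile
+++ b/osquery/Dockerfile
@@ -0,0 +1,33 @@
+FROM debian:buster-slim
+LABEL maintainer "Jessie Frazelle <jess@linux.com>"
+
+RUN apt-get update && apt-get install -y \
+ca-certificates \
+--no-install-recommends \
+&& rm -rf /var/lib/apt/lists/*
+
+ENV OSQUERY_VERSION 3.2.6
+
+RUN buildDeps=' \
+curl \
+' \
+&& set -x \
+&& apt-get update && apt-get install -y $buildDeps --no-install-recommends \
+&& rm -rf /var/lib/apt/lists/* \
+&& mkdir -p /usr/src/osquery \
+&& curl -sSL "https://pkg.osquery.io/linux/osquery-${OSQUERY_VERSION}_1.linux_x86_64.tar.gz" | tar -vxzC / --strip-components 1 \
+&& apt-get purge -y --auto-remove $buildDeps \
+&& chmod a+x /usr/bin/osquery*
+
+COPY osquery.example.conf /etc/osquery/osquery.conf
+
+ENV HOME /home/user
+RUN useradd --create-home --home-dir $HOME user \
+&& chown -R user:user $HOME /etc/osquery /var/osquery /usr/share/osquery /var/log/osquery
+
+WORKDIR $HOME
+
+USER user
+
+ENTRYPOINT [ "osqueryd", "--pidfile", "/home/user/osqueryd.pidfile" ]
+CMD [ "--config_path=/etc/osquery/osquery.conf", "--verbose", "--docker_socket=/var/run/docker.sock", "--host_identifier=hostname", "--disable_distributed=false", "--distributed_plugin=tls" ]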
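Review bot: The release tarball on the `curl -sSL … | tar -vxzC / --strip-components 1` line is unpacked straight into the root filesystem with no integrity check, so the image's contents depend entirely on whatever pkg.osquery.io serves at build time; pinning OSQUERY_VERSION is good, but the layer should also verify a known SHA-256 before extracting, and curl should get `-f` so an HTTP error body is rejected rather than handed to tar. The `mkdir -p /usr/src/osquery` two lines above appears unused, since the archive is extracted into `/`, and can be dropped. Separately, the default CMD points osqueryd at `/var/run/docker.sock` while the final stage runs as the unprivileged `user`; unless the socket is mounted with matching ownership or group, the docker tables will presumably fail with a permission error, which deserves a comment next to the CMD such as `# docker tables need /var/run/docker.sock readable by uid of "user" (mount with a matching --group-add)`. The `ENV OSQUERY_VERSION 3.2.6`, `ENV HOME /home/user` and `LABEL maintainer "…"` lines use the legacy space-separated form; `ENV OSQUERY_VERSION=3.2.6` is the current syntax.
```dockerfile
ENV OSQUERY_VERSION=3.2.6
# SHA-256 of osquery-${OSQUERY_VERSION}_1.linux_x86_64.tar.gz, taken from the release page (placeholder, fill in)
ENV OSQUERY_SHA256=<sha256-of-release-tarball>

# … unchanged: buildDeps definition, set -x, apt-get install of curl, apt lists cleanup …
	&& curl -fsSL -o /tmp/osquery.tar.gz "https://pkg.osquery.io/linux/osquery-${OSQUERY_VERSION}_1.linux_x86_64.tar.gz" \
	&& echo "${OSQUERY_SHA256}  /tmp/osquery.tar.gz" | sha256sum -c - \
	&& tar -xzC / --strip-components 1 -f /tmp/osquery.tar.gz \
	&& rm /tmp/osquery.tar.gz \
# … unchanged: apt-get purge of buildDeps, chmod a+x /usr/bin/osquery* …
```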
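--- a/osquery/osquery.example.conf
+++ b/osquery/osquery.example.conf
@@ -0,0 +1,92 @@
+{
+// Configure the daemon below:
+"options": {
+// Select the osquery config plugin.
+"config_plugin": "filesystem",
+
+// Select the osquery logging plugin.
+"logger_plugin": "filesystem",
+
+// The log directory stores info, warning, and errors.
+// If the daemon uses the 'filesystem' logging retriever then the log_dir
+// will also contain the query results.
+//"logger_path": "/var/log/osquery",
+
+// Set 'disable_logging' to true to prevent writing any info, warning, error
+// logs. If a logging plugin is selected it will still write query results.
+//"disable_logging": "false",
+
+// Query differential results are logged as change-events to assist log
+// aggregation operations like searching and transactions.
+// Set 'log_result_events' to log differentials as transactions.
+//"log_result_events": "true",
+
+// Splay the scheduled interval for queries.
+// This is very helpful to prevent system performance impact when scheduling
+// large numbers of queries that run a smaller or similar intervals.
+//"schedule_splay_percent": "10",
+
+// Write the pid of the osqueryd process to a pidfile/mutex.
+//"pidfile": "/var/osquery/osquery.pidfile",
+
+// Clear events from the osquery backing store after a number of seconds.
+"events_expiry": "3600",
+
+// A filesystem path for disk-based backing storage used for events and
+// query results differentials. See also 'use_in_memory_database'.
+"database_path": "/var/osquery/osquery.db",
+
+// Comma-delimited list of table names to be disabled.
+// This allows osquery to be launched without certain tables.
+//"disable_tables": "foo_bar,time",
+
+// Enable debug or verbose debug output when logging.
+"verbose": "false",
+
+// The number of threads for concurrent query schedule execution.
+"worker_threads": "2",
+
+// Enable schedule profiling, this will fill in averages and totals for
+// system/user CPU time and memory for every query in the schedule.
+// Add a query: "select * from osquery_schedule" to record the performances.
+"enable_monitor": "true"
+},
+
+// Define a schedule of queries:
+"schedule": {
+// This is a simple example query that outputs basic system information.
+"system_info": {
+// The exact query to run.
+"query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
+// The interval in seconds to run this query, not an exact interval.
+"interval": 3600
+}
+},
+
+// Decorators are normal queries that append data to every query.
+"decorators": {
+"load": [
+"SELECT uuid AS host_uuid FROM system_info;",
+"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
+]
+},
+
+// Add default osquery packs or install your own.
+//
+// There are several 'default' packs installed with 'make install' or via
+// packages and/or Homebrew.
+//
+// Linux: /usr/share/osquery/packs
+// OS X: /var/osquery/packs
+// Homebrew: /usr/local/share/osquery/packs
+// make install: {PREFIX}/share/osquery/packs
+//
+"packs": {
+// "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
+// "incident-response": "/usr/share/osquery/packs/incident-response.conf",
+// "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
+// "osx-attacks": "/usr/share/osquery/packs/osx-attacks.conf",
+// "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
+// "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf"
+}
+}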