
Allow configuration of OSQuery #3

Open
andrewhowdencom opened this issue Dec 11, 2017 · 4 comments

Comments

@andrewhowdencom

I think OSQuery uses JSON to configure its behaviour. Would you be happy getting a PR that allowed configuring it by specifying its full configuration tree in yaml, and using the toJson filter of Ansible to render it to its final format?

I think this is more flexible and lower overhead than allowing a set of specific configuration options.

@andrewhowdencom

Also asked in kbrebanov/ansible-osquery#2

@ssummer3

Sounds like a plan. I'm not interested in separate configs per platform, though, so let's try to make it a minimum viable config.


@andrewhowdencom

andrewhowdencom commented Dec 11, 2017

I would likely replicate the existing one? https://github.com/ssummer3/ansible-osquery/blob/master/files/etc/osquery/osquery.conf

Can then be overridden by the playbook variables as required (presumably we'll know the OS at that point from the inventory). Something like:

```yaml
---
# Full osquery configuration tree held as one Ansible variable; the role
# renders it to /etc/osquery/osquery.conf with the to_json filter.
osquery_configuration:
  # Daemon options. osquery reads these as strings, hence the quoting.
  options:
    config_plugin: filesystem
    logger_plugin: filesystem
    events_expiry: '3600'
    database_path: "/var/osquery/osquery.db"
    verbose: 'false'
    worker_threads: '2'
    schedule_splay_percent: '10'
    enable_monitor: 'true'
  # Scheduled queries: name -> SQL and interval in seconds.
  schedule:
    system_info:
      query: SELECT hostname, cpu_brand, physical_memory FROM system_info;
      interval: 3600
  # Decorator queries whose columns are appended to every scheduled result.
  decorators:
    load:
    - SELECT uuid AS host_uuid FROM system_info;
    - SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;
  # Query packs: name -> path of the pack file on the managed host.
  packs:
    osquery-monitoring: "/usr/share/osquery/packs/osquery-monitoring.conf"
    incident-response: "/usr/share/osquery/packs/incident-response.conf"
    it-compliance: "/usr/share/osquery/packs/it-compliance.conf"
    vuln-management: "/usr/share/osquery/packs/vuln-management.conf"
    hardware-monitoring: "/usr/share/osquery/packs/hardware-monitoring.conf"
```

@andrewhowdencom

Hmm. This might not need doing. I wonder if copy has the template fallback like template does; in that case, it'd just be possible to dump a better file in the group_vars template fallback location.

I'll test this.
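The following is an added example of the approach proposed in this thread (a YAML configuration tree rendered to osquery's JSON with Ansible's `to_json`/`to_nice_json` filter), written here for illustration; it is not code from the ssummer3/ansible-osquery role or from any participant. The variable names `osquery_configuration_default`, `osquery_configuration_overrides` and `osquery_configuration`, the handler name `restart osqueryd`, the file layout named in the comments, and the `listening_ports` query are all assumptions. It shows two things the thread's proposal leaves open: how a playbook or group_vars file overrides part of the tree without restating all of it (`combine` with `recursive=True`, available since Ansible 2.0), and how to make a malformed result fail the play instead of being written to disk (`copy`'s `validate:` option, which runs `osqueryd --config_check` on the rendered temporary file and only installs it if that command exits 0).

```yaml
# Added example, not part of the ssummer3/ansible-osquery role.
# Variable names, handler name and file locations are assumptions.

# --- defaults/main.yml (hypothetical): the role-wide baseline. ---
osquery_configuration_default:
  # osquery reads option values as strings, hence the quoting.
  options:
    config_plugin: filesystem
    logger_plugin: filesystem
    logger_path: /var/log/osquery
    database_path: /var/osquery/osquery.db
    events_expiry: '3600'
    schedule_splay_percent: '10'
    verbose: 'false'
    worker_threads: '2'
  schedule:
    system_info:
      query: SELECT hostname, cpu_brand, physical_memory FROM system_info;
      interval: 3600
  decorators:
    load:
      - SELECT uuid AS host_uuid FROM system_info;
  packs:
    incident-response: /usr/share/osquery/packs/incident-response.conf

# Final tree = baseline deep-merged with whatever overrides the inventory
# supplies. combine(recursive=True) merges dictionaries key by key, so a
# group can add one scheduled query or change one option while every other
# key in the baseline survives untouched. A plain Ansible variable override
# would instead replace the whole `osquery_configuration` dictionary.
osquery_configuration: >-
  {{ osquery_configuration_default
     | combine(osquery_configuration_overrides | default({}), recursive=True) }}

---
# --- group_vars/webservers.yml (hypothetical): only the keys that differ. ---
# listening_ports is an assumed addition for this group; it is not in the
# thread's configuration.
osquery_configuration_overrides:
  options:
    worker_threads: '4'
  schedule:
    listening_ports:
      query: SELECT pid, port, address, protocol FROM listening_ports WHERE port != 0;
      interval: 600

---
# --- tasks/main.yml (hypothetical): render the merged tree to JSON. ---
# validate: runs the command against the temporary file (%s) before it is
# moved into place; osqueryd --config_check parses the config and exits
# non-zero if it is malformed, so a broken override fails the play rather
# than landing on the host and being rejected (or ignored) by the daemon.
- name: Render osquery configuration
  copy:
    content: "{{ osquery_configuration | to_nice_json }}\n"
    dest: /etc/osquery/osquery.conf
    owner: root
    group: root
    mode: '0644'
    validate: osqueryd --config_check --config_path %s
  notify: restart osqueryd
```

With the two files above, the rendered `/etc/osquery/osquery.conf` for a host in `webservers` carries both the baseline `system_info` query and the group's `listening_ports` query, and `worker_threads` becomes `"4"` while the other options keep their baseline values. Because `copy` reports changed only when the rendered content differs from the file on disk, the `restart osqueryd` handler fires only on a real configuration change.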
