  1. [root@primary osquery]# cat /etc/osquery/osquery.conf
  {
    // Configure the daemon below:
    //
    // NOTE(review): with "config_plugin": "filesystem" the daemon executes, as
    // root, whatever queries this file and the pack files it names contain.
    // Write access to them is therefore equivalent to root; the listing does
    // not show their ownership or mode — confirm they are root-owned and not
    // writable by other users.
    "options": {
      // Select the osquery config plugin.
      "config_plugin": "filesystem",

      // Select the osquery logging plugin.
      "logger_plugin": "filesystem",

      // The log directory stores info, warning, and errors.
      // If the daemon uses the 'filesystem' logging retriever then the log_dir
      // will also contain the query results.
      //"logger_path": "/var/log/osquery",

      // Set 'disable_logging' to true to prevent writing any info, warning, error
      // logs. If a logging plugin is selected it will still write query results.
      // (Kept commented here; the effective value is the bare JSON boolean set
      // further down in this block.)
      //"disable_logging": "false",

      // Splay the scheduled interval for queries.
      // This is very helpful to prevent system performance impact when scheduling
      // large numbers of queries that run at smaller or similar intervals.
      //"schedule_splay_percent": "10",

      // A filesystem path for disk-based backing storage used for events and
      // query results differentials. See also 'use_in_memory_database'.
      //"database_path": "/var/osquery/osquery.db",

      // Comma-delimited list of table names to be disabled.
      // This allows osquery to be launched without certain tables.
      // NOTE(review): the shell prompt above suggests a Linux host, where no
      // windows_events table exists; disabling it would then be a no-op —
      // confirm the platform before relying on this.
      "disable_tables": "windows_events",

      // Comma-delimited list of table names to be enabled.
      // This allows osquery to be launched with certain tables only.
      //"enable_tables": "foo_bar,time",

      // hopefully turns off windows event monitoring.
      // NOTE(review): the commented line below is missing the closing quote on
      // its key; if it is ever uncommented it must read
      // "windows_event_channels": "" or the config will not parse. The option
      // is Windows-only in any case.
      // "windows_event_channels: "",

      // debug logging set to true
      // NOTE(review): this is debug-level output to the info log, independent
      // of query results; expect a large log volume while it stays on and
      // revisit once the deployment is settled.
      "verbose": "true",

      // Needed for FIM
      // NOTE(review): events are enabled here, but this file defines no
      // "file_paths" section, so the file_events table has nothing to watch and
      // FIM yields no events until one is added. enable_monitor governs the
      // schedule performance monitor rather than FIM — confirm it is wanted
      // for that reason.
      "enable_monitor": "true",
      "disable_events": "false",
      // NOTE(review): disable_audit=false turns on the Linux audit publisher,
      // which uses the same kernel audit socket as auditd; if auditd is running
      // on this host the two will contend — confirm which one should own it.
      "disable_audit": "false",

      "disable_logging": false,


      // Convert calendar times in results to UTC, which keeps logs from hosts
      // in different time zones comparable.
      "utc": "true"

    },

    // Define a schedule of queries:
    // NOTE(review): only one query is scheduled inline; the detection coverage
    // comes from the packs listed below.
    "schedule": {
      // This is a simple example query that outputs basic system information.
      "system_info": {
        // The exact query to run.
        "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
        // The interval in seconds to run this query, not an exact interval.
        "interval": 3600
      }
    },

    // Decorators are normal queries that append data to every query.
    // host_uuid ties results to a host even if its hostname changes.
    // NOTE(review): "load" decorators run when the config is loaded, not per
    // query, so username reflects the most recent login at load time and can
    // go stale — use an "always" decorator if per-query freshness matters.
    "decorators": {
      "load": [
        "SELECT uuid AS host_uuid FROM system_info;",
        "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
      ]
    },

    // Add default osquery packs or install your own.
    //
    // There are several 'default' packs installed with 'make install' or via
    // packages and/or Homebrew.
    //
    // Linux: /usr/share/osquery/packs
    // OS X: /var/osquery/packs
    // Homebrew: /usr/local/share/osquery/packs
    // make install: {PREFIX}/share/osquery/packs
    //
    // NOTE(review): pack files are trusted exactly like this file; the Splunk
    // TA pack lives under /opt/splunk, so its ownership and permissions should
    // be checked the same way as /etc/osquery. Only the two uncommented entries
    // below are loaded.
    "packs": {
      "osquery-splunk-addon": "/opt/splunk/etc/apps/TA-OSQuery/default/query_pack.conf",
      "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf"
      // "incident-response": "/usr/share/osquery/packs/incident-response.conf",
      // "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
      // "osx-attacks": "/usr/share/osquery/packs/osx-attacks.conf",
      // "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
      // "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf",
      // "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf",
      // "windows-hardening": "C:\\Program Files\\osquery\\packs\\windows-hardening.conf",
      // "windows-attacks": "C:\\Program Files\\osquery\\packs\\windows-attacks.conf"
    },

    // Provides feature vectors for osquery to leverage in simple statistical
    // analysis of results data.
    //
    // Currently this configuration is only used by Windows in the Powershell
    // Events table, wherein character_frequencies is a list of doubles
    // representing the aggregate occurrence of character values in Powershell
    // Scripts. A default configuration is provided which was adapted from
    // Lee Holmes cobbr project:
    // https://gist.github.com/cobbr/acbe5cc7a186726d4e309070187beee6
    //
    // NOTE(review): per the comment above this block is only consulted on
    // Windows; on a Linux host it is inert and harmless to leave in place.
    "feature_vectors": {
      "character_frequencies": [
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.00045, 0.01798,
        0.0, 0.03111, 0.00063, 0.00027, 0.0, 0.01336, 0.0133,
        0.00128, 0.0027, 0.00655, 0.01932, 0.01917, 0.00432, 0.0045,
        0.00316, 0.00245, 0.00133, 0.001029, 0.00114, 0.000869, 0.00067,
        0.000759, 0.00061, 0.00483, 0.0023, 0.00185, 0.01342, 0.00196,
        0.00035, 0.00092, 0.027875, 0.007465, 0.016265, 0.013995, 0.0490895,
        0.00848, 0.00771, 0.00737, 0.025615, 0.001725, 0.002265, 0.017875,
        0.016005, 0.02533, 0.025295, 0.014375, 0.00109, 0.02732, 0.02658,
        0.037355, 0.011575, 0.00451, 0.005865, 0.003255, 0.005965, 0.00077,
        0.00621, 0.00222, 0.0062, 0.0, 0.00538, 0.00122, 0.027875,
        0.007465, 0.016265, 0.013995, 0.0490895, 0.00848, 0.00771, 0.00737,
        0.025615, 0.001725, 0.002265, 0.017875, 0.016005, 0.02533, 0.025295,
        0.014375, 0.00109, 0.02732, 0.02658, 0.037355, 0.011575, 0.00451,
        0.005865, 0.003255, 0.005965, 0.00077, 0.00771, 0.002379, 0.00766,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
        0.0, 0.0, 0.0
      ]
    }
  }