Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- [root@primary osquery]# cat /etc/osquery/osquery.conf
- {
- // Configure the daemon below:
- "options": {
- // Select the osquery config plugin.
- "config_plugin": "filesystem",
- // Select the osquery logging plugin.
- "logger_plugin": "filesystem",
- // The log directory stores info, warning, and errors.
- // If the daemon uses the 'filesystem' logging retriever then the log_dir
- // will also contain the query results.
- //"logger_path": "/var/log/osquery",
- // Set 'disable_logging' to true to prevent writing any info, warning, error
- // logs. If a logging plugin is selected it will still write query results.
- //"disable_logging": "false",
- // Splay the scheduled interval for queries.
- // This is very helpful to prevent system performance impact when scheduling
- // large numbers of queries that run a smaller or similar intervals.
- //"schedule_splay_percent": "10",
- // A filesystem path for disk-based backing storage used for events and
- // query results differentials. See also 'use_in_memory_database'.
- //"database_path": "/var/osquery/osquery.db",
- // Comma-delimited list of table names to be disabled.
- // This allows osquery to be launched without certain tables.
- "disable_tables": "windows_events",
- // Comma-delimited list of table names to be enabled.
- // This allows osquery to be launched with certain tables only.
- //"enable_tables": "foo_bar,time",
- // hopefully turns off windows event monitoring.
- // "windows_event_channels: "",
- // debug logging set to true
- "verbose": "true",
- // Needed for FIM
- "enable_monitor": "true",
- "disable_events": "false",
- "disable_audit": "false",
- "disable_logging": false,
- "utc": "true"
- },
- // Define a schedule of queries:
- "schedule": {
- // This is a simple example query that outputs basic system information.
- "system_info": {
- // The exact query to run.
- "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
- // The interval in seconds to run this query, not an exact interval.
- "interval": 3600
- }
- },
- // Decorators are normal queries that append data to every query.
- "decorators": {
- "load": [
- "SELECT uuid AS host_uuid FROM system_info;",
- "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
- ]
- },
- // Add default osquery packs or install your own.
- //
- // There are several 'default' packs installed with 'make install' or via
- // packages and/or Homebrew.
- //
- // Linux: /usr/share/osquery/packs
- // OS X: /var/osquery/packs
- // Homebrew: /usr/local/share/osquery/packs
- // make install: {PREFIX}/share/osquery/packs
- //
- "packs": {
- "osquery-splunk-addon": "/opt/splunk/etc/apps/TA-OSQuery/default/query_pack.conf",
- "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf"
- // "incident-response": "/usr/share/osquery/packs/incident-response.conf",
- // "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
- // "osx-attacks": "/usr/share/osquery/packs/osx-attacks.conf",
- // "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
- // "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf",
- // "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf",
- // "windows-hardening": "C:\\Program Files\\osquery\\packs\\windows-hardening.conf",
- // "windows-attacks": "C:\\Program Files\\osquery\\packs\\windows-attacks.conf"
- },
- // Provides feature vectors for osquery to leverage in simple statistical
- // analysis of results data.
- //
- // Currently this configuration is only used by Windows in the Powershell
- // Events table, wherein character_frequencies is a list of doubles
- // representing the aggregate occurrence of character values in Powershell
- // Scripts. A default configuration is provided which was adapated from
- // Lee Holmes cobbr project:
- // https://gist.github.com/cobbr/acbe5cc7a186726d4e309070187beee6
- //
- "feature_vectors": {
- "character_frequencies": [
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.00045, 0.01798,
- 0.0, 0.03111, 0.00063, 0.00027, 0.0, 0.01336, 0.0133,
- 0.00128, 0.0027, 0.00655, 0.01932, 0.01917, 0.00432, 0.0045,
- 0.00316, 0.00245, 0.00133, 0.001029, 0.00114, 0.000869, 0.00067,
- 0.000759, 0.00061, 0.00483, 0.0023, 0.00185, 0.01342, 0.00196,
- 0.00035, 0.00092, 0.027875, 0.007465, 0.016265, 0.013995, 0.0490895,
- 0.00848, 0.00771, 0.00737, 0.025615, 0.001725, 0.002265, 0.017875,
- 0.016005, 0.02533, 0.025295, 0.014375, 0.00109, 0.02732, 0.02658,
- 0.037355, 0.011575, 0.00451, 0.005865, 0.003255, 0.005965, 0.00077,
- 0.00621, 0.00222, 0.0062, 0.0, 0.00538, 0.00122, 0.027875,
- 0.007465, 0.016265, 0.013995, 0.0490895, 0.00848, 0.00771, 0.00737,
- 0.025615, 0.001725, 0.002265, 0.017875, 0.016005, 0.02533, 0.025295,
- 0.014375, 0.00109, 0.02732, 0.02658, 0.037355, 0.011575, 0.00451,
- 0.005865, 0.003255, 0.005965, 0.00077, 0.00771, 0.002379, 0.00766,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
- 0.0, 0.0, 0.0
- ]
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
