trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #457 from clong/exi_osquery_fixes

Browse Source 
ESXi and Osquery Fixes
This commit is contained in:
Chris Long
2020-06-01 22:55:38 -07:00
committed by GitHub
parent 1980665355 74dda07942
commit ccd9dd3ba8
4 changed files with 8 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
ESXi/ansible/roles/logger/tasks/main.yml
View File

@@ -340,8 +340,11 @@
sed -i 's/interval: 28800/interval: 900/g' osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml sed -i 's/interval: 28800/interval: 900/g' osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml
sed -i 's/interval: 28800/interval: 900/g' osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml sed -i 's/interval: 28800/interval: 900/g' osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml
# Don't log osquery INFO messages
# Fix snapshot event formatting
fleetctl get options > /tmp/options.yaml fleetctl get options > /tmp/options.yaml
/usr/bin/yq w -i /tmp/options.yaml 'spec.config.options.logger_min_status' '1' /usr/bin/yq w -i /tmp/options.yaml 'spec.config.options.logger_min_status' '1'
/usr/bin/yq w -i /tmp/options.yaml 'spec.config.options.logger_snapshot_event_type' '2'
fleetctl apply -f /tmp/options.yaml fleetctl apply -f /tmp/options.yaml
# Use fleetctl to import YAML files # Use fleetctl to import YAML files

2
ESXi/main.tf
View File

@@ -72,7 +72,7 @@ resource "esxi_guest" "dc" {
boot_disk_type = "thin" boot_disk_type = "thin"
boot_disk_size = "35" boot_disk_size = "35"
memsize = "2048" memsize = "4096"
numvcpus = "2" numvcpus = "2"
resource_pool_name = "/" resource_pool_name = "/"
power = "on" power = "on"

2
Vagrant/bootstrap.sh
View File

@@ -267,8 +267,10 @@ import_osquery_config_into_fleet() {
sed -i 's/interval: 28800/interval: 900/g' osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml sed -i 's/interval: 28800/interval: 900/g' osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml
# Don't log osquery INFO messages # Don't log osquery INFO messages
# Fix snapshot event formatting
fleetctl get options > /tmp/options.yaml fleetctl get options > /tmp/options.yaml
/usr/bin/yq w -i /tmp/options.yaml 'spec.config.options.logger_min_status' '1' /usr/bin/yq w -i /tmp/options.yaml 'spec.config.options.logger_min_status' '1'
/usr/bin/yq w -i /tmp/options.yaml 'spec.config.options.logger_snapshot_event_type' '2'
fleetctl apply -f /tmp/options.yaml fleetctl apply -f /tmp/options.yaml
# Use fleetctl to import YAML files # Use fleetctl to import YAML files

2
Vagrant/scripts/install-osquery.ps1
View File

@@ -26,6 +26,8 @@ If (-not ($service)) {
(Get-Content "c:\Program Files\osquery\osquery.flags") -replace 'path\\to\\file\\containing\\secret.txt', 'Program Files\osquery\kolide_secret.txt' | Set-Content "c:\Program Files\osquery\osquery.flags" (Get-Content "c:\Program Files\osquery\osquery.flags") -replace 'path\\to\\file\\containing\\secret.txt', 'Program Files\osquery\kolide_secret.txt' | Set-Content "c:\Program Files\osquery\osquery.flags"
## Change path to certfile ## Change path to certfile
(Get-Content "c:\Program Files\osquery\osquery.flags") -replace 'c:\\ProgramData\\osquery\\certfile.crt', 'c:\Program Files\osquery\certfile.crt' | Set-Content "c:\Program Files\osquery\osquery.flags" (Get-Content "c:\Program Files\osquery\osquery.flags") -replace 'c:\\ProgramData\\osquery\\certfile.crt', 'c:\Program Files\osquery\certfile.crt' | Set-Content "c:\Program Files\osquery\osquery.flags"
## Remove the verbose flag and replace it with the logger_min_status=1 option (See https://github.com/osquery/osquery/issues/5212)
(Get-Content "c:\Program Files\osquery\osquery.flags") -replace '--verbose=true', '--logger_min_status=1' | Set-Content "c:\Program Files\osquery\osquery.flags"
## Add certfile.crt ## Add certfile.crt
Copy-Item "c:\vagrant\resources\fleet\server.crt" "c:\Program Files\osquery\certfile.crt" Copy-Item "c:\vagrant\resources\fleet\server.crt" "c:\Program Files\osquery\certfile.crt"
## Start the service ## Start the service