Palantir osquery Configuration

About This Repository

This repository is the companion to the osquery Across the Enterprise blog post.

The goal of this project is to provide a baseline template for any organization considering a deployment of osquery in a production environment. It is our belief that queries which are likely to have a high level of utility for a large percentage of users should be committed directly to the osquery project, which is exactly what we have done with our unwanted-chrome-extensions query pack and additions to the windows-attacks pack.

However, we have also included additional query packs that are tailored to our specific environment; they may be useful to some organizations, or at least serve as a reference for others. osquery operates best when operators have carefully considered the datasets to be collected and the potential use-cases for that data.

Note: We also utilize packs that are maintained in the official osquery project. To ensure you receive the most up-to-date version of each pack, please view them using the links below:

Repository Layout

This repository is organized as follows:

Within each of those folders, you will find the following subdirectories:

Using This Repository

Note: We recommend that you spin up a lab environment before deploying any of these configurations to a production environment.

Endpoints Configuration Overview

Servers Configuration Overview

Quickstart - Classic

  1. Install osquery
  2. Copy the osquery.conf and osquery.flags files from this repository onto the system and match the directory structure shown below
  3. Start osquery via sudo osqueryctl start on Linux/MacOS or Start-Process osqueryd on Windows
  4. Logs are located in /var/log/osquery (Linux/MacOS) and c:\ProgramData\osquery\logs (Windows)

Quickstart - Fleet

  1. Install Fleet version 2.0.0 or higher
  2. Enroll hosts to your Fleet server by configuring the appropriate flags
  3. Configure the fleetctl utility to communicate with your Fleet server
  4. Assuming you'd like to use the endpoint configs, you can use the commands below to apply them:

git clone https://github.com/palantir/osquery-configuration.git
fleetctl apply -f osquery-configuration/Fleet/Endpoints/options.yaml
fleetctl apply -f osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml
fleetctl apply -f osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml
for pack in osquery-configuration/Fleet/Endpoints/packs/*.yaml; do
    fleetctl apply -f "$pack"
done

The desired osquery directory structure for Linux, MacOS, and Windows is outlined below:

Linux

$ git clone https://github.com/palantir/osquery-configuration.git
$ cp -R osquery-configuration/Fleet/Servers/Linux/* /etc/osquery
$ sudo osqueryctl start

/etc/osquery
├── osquery.conf
├── osquery.db
├── osquery.flags
└── packs
    └── ossec-rootkit.conf

MacOS

$ git clone https://github.com/palantir/osquery-configuration.git
$ cp osquery-configuration/Fleet/Endpoints/MacOS/* /var/osquery
$ cp osquery-configuration/Fleet/Endpoints/packs/* /var/osquery/packs
$ mv /var/osquery/osquery_no_tls.flags /var/osquery/osquery.flags   ## Non-TLS server testing
$ sudo osqueryctl start

/var/osquery
├── certfile.crt [if using TLS endpoint]
├── osquery.conf
├── osquery.db
├── osquery.flags
└── packs
    ├── performance-metrics.conf
    ├── security-tooling-checks.conf
    ├── unwanted-chrome-extensions.conf
    └── osx-attacks.conf

Windows

PS> git clone https://github.com/palantir/osquery-configuration.git
PS> copy-item osquery-configuration/Fleet/Endpoints/Windows/* c:\ProgramData\osquery
PS> copy-item osquery-configuration/Fleet/Endpoints/packs/* c:\ProgramData\osquery\packs
PS> copy-item c:\ProgramData\osquery\osquery_no_tls.flags c:\ProgramData\osquery\osquery.flags -force   ## Non-TLS server testing
PS> start-service osqueryd

c:\ProgramData\osquery
├── certfile.crt [if using TLS endpoint]
├── log
├── osquery.conf
├── osquery.db
├── osquery.flags
├── osqueryi.exe
├── osqueryd
│   └── osqueryd.exe
└── packs
    ├── performance-metrics.conf
    ├── security-tooling-checks.conf
    ├── unwanted-chrome-extensions.conf
    ├── windows-application-security.conf
    ├── windows-compliance.conf
    ├── windows-registry-monitoring.conf
    └── windows-attacks.conf
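A pre-flight check for a directory laid out as shown above, added here as an example and not part of the repository's own tooling: it parses osquery.flags, confirms every pack that osquery.conf references is present and valid JSON, and, when the flags select the tls config plugin, confirms the certificate bundle named in --tls_server_certs actually exists (the README keeps certfile.crt only for the TLS endpoint, so a copied non-TLS flags file is the easy thing to get wrong). The flag names are osquery's own; resolving relative paths against the config directory and the constructed sample tree are assumptions of this example.

```python
# Pre-flight check for an osquery config directory (osquery.conf, osquery.flags, packs/, optional certfile.crt). Added example, not the project's tooling.
import json, os, tempfile

def parse_flags(text):
    """Parse osquery.flags (one --key=value or --key per line) into a dict."""
    flags = {}
    for line in text.splitlines():
        if line.strip().startswith("--"):
            key, _, value = line.strip()[2:].partition("=")
            flags[key] = value
    return flags

def check_osquery_dir(root):
    """Return problems that would stop osqueryd loading or verifying its TLS server."""
    resolve = lambda p: p if os.path.isabs(p) else os.path.join(root, p)  # assumption: relative to config dir
    problems = []
    try:
        with open(os.path.join(root, "osquery.conf")) as f:
            conf = json.load(f)
        with open(os.path.join(root, "osquery.flags")) as f:
            flags = parse_flags(f.read())
    except (OSError, ValueError) as e:
        return [f"cannot load config: {e}"]
    # Every pack osquery.conf references by path must exist and be valid JSON.
    for name, ref in conf.get("packs", {}).items():
        try:
            with open(resolve(ref)) as f: json.load(f)
        except (OSError, ValueError, TypeError) as e:
            problems.append(f"pack {name}: {e}")
    # With the tls config plugin the bundle in --tls_server_certs must exist or the Fleet server cannot be verified.
    if flags.get("config_plugin") == "tls":
        cert = flags.get("tls_server_certs", "")
        if not cert or not os.path.isfile(resolve(cert)):
            problems.append(f"--tls_server_certs missing or points at absent file '{cert}'")
    return problems

def build_sample_dir(with_cert):
    """Constructed sample tree (demo input only) mirroring the MacOS layout above."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "packs"))
    with open(os.path.join(root, "packs", "osx-attacks.conf"), "w") as f:
        json.dump({"queries": {"demo": {"query": "select 1;", "interval": 3600}}}, f)
    with open(os.path.join(root, "osquery.conf"), "w") as f:
        json.dump({"packs": {"osx-attacks": "packs/osx-attacks.conf"}}, f)
    with open(os.path.join(root, "osquery.flags"), "w") as f:
        f.write("--config_plugin=tls\n--tls_hostname=fleet.example.com\n--tls_server_certs=certfile.crt\n")
    if with_cert:
        open(os.path.join(root, "certfile.crt"), "w").close()
    return root
```

Run `check_osquery_dir("/var/osquery")` (or the Windows path) before `osqueryctl start`; an empty list means the layout matches what the flags expect.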

Contributing

Contributions, fixes, and improvements can be submitted directly against this project as a GitHub issue or pull request.

License

MIT License

Copyright (c) 2017 Palantir Technologies Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.