empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-07 09:18:59 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
ee0a400a60
fleet/examples/config-single-file.yml

246 lines
6.2 KiB
YAML
Raw Blame History

---
apiVersion: kolide.com/v1alpha1
kind: OsqueryOptions
spec:
config:
options:
distributed_interval: 3
distributed_tls_max_attempts: 3
logger_plugin: tls
logger_tls_endpoint: /api/v1/osquery/log
logger_tls_period: 10
decorators:
load:
- "SELECT version FROM osquery_info"
- "SELECT uuid AS host_uuid FROM system_info"
always:
- "SELECT user AS username FROM logged_in_users WHERE user <> '' ORDER BY time LIMIT 1"
interval:
3600: "SELECT total_seconds AS uptime FROM uptime"
overrides:
# Note configs in overrides take precedence over the default config defined
# under the config key above. With this config file, the base config would
# only be used for Windows hosts, while Mac and Linux hosts would pull
# these overrides.
platforms:
darwin:
options:
distributed_interval: 10
distributed_tls_max_attempts: 10
logger_plugin: tls
logger_tls_endpoint: /api/v1/osquery/log
logger_tls_period: 300
disable_tables: chrome_extensions
docker_socket: /var/run/docker.sock
file_paths:
users:
- /Users/%/Library/%%
- /Users/%/Documents/%%
etc:
- /etc/%%
linux:
options:
distributed_interval: 10
distributed_tls_max_attempts: 3
logger_plugin: tls
logger_tls_endpoint: /api/v1/osquery/log
logger_tls_period: 60
schedule_timeout: 60
docker_socket: /etc/run/docker.sock
file_paths:
homes:
- /root/.ssh/%%
- /home/%/.ssh/%%
etc:
- /etc/%%
tmp:
- /tmp/%%
exclude_paths:
homes:
- /home/not_to_monitor/.ssh/%%
tmp:
- /tmp/too_many_events/
decorators:
load:
- "SELECT * FROM cpuid"
- "SELECT * FROM docker_info"
interval:
3600: "SELECT total_seconds AS uptime FROM uptime"
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryLabel
spec:
name: all_hosts
query: always_true
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryLabel
spec:
name: macs
query: darwin_hosts
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryLabel
spec:
name: ubuntu
query: ubuntu_hosts
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryLabel
spec:
name: centos
query: centos_hosts
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryLabel
spec:
name: windows
query: windows_hosts
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryLabel
spec:
query: pending_updates
platforms:
- darwin
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryLabel
spec:
query: slack_not_running
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryPack
spec:
name: osquery_monitoring
targets:
labels:
- all_hosts
queries:
- query: osquery_version
name: osquery_version_snapshot
interval: 7200
snapshot: true
- query: osquery_version
name: osquery_version_differential
interval: 7200
- query: osquery_schedule
interval: 7200
removed: false
- query: osquery_events
interval: 86400
removed: false
- query: oquery_info
interval: 600
removed: false
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryQuery
spec:
name: osquery_version
description: The version of the Launcher and Osquery process
query: select launcher.version, osquery.version from kolide_launcher_info launcher, osquery_info osquery;
support:
launcher: 0.3.0
osquery: 2.9.0
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryQuery
spec:
name: osquery_schedule
description: Report performance stats for each file in the query schedule.
query: select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory, last_executed from osquery_schedule;
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryQuery
spec:
name: osquery_info
description: A heartbeat counter that reports general performance (CPU, memory) and version.
query: select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid;
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryQuery
spec:
name: osquery_events
description: Report event publisher health and track event counters.
query: select name, publisher, type, subscriptions, events, active from osquery_events;
apiVersion: kolide.com/v1alpha1
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryQuery
spec:
name: docker_processes
descriptions: The docker containers processes that are running on a system.
query: select * from docker_container_processes;
support:
osquery: 2.9.0
platforms:
- linux
- darwin
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryQuery
spec:
name: hostname
query: select hostname from system_info;
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryQuery
spec:
name: uuid
query: select uuid from osquery_info;
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryQuery
spec:
name: instance_id
query: select instance_id from system_info;
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryQuery
spec:
name: always_true
query: select 1;
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryQuery
spec:
name: pending_updates
query: SELECT value from plist where path = "/Library/Preferences/ManagedInstalls.plist" and key = "PendingUpdateCount" and value > "0";
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryQuery
spec:
name: slack_not_running
query: >
SELECT * from system_info
WHERE NOT EXISTS (
SELECT *
FROM processes
WHERE name LIKE "%Slack%"
);
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryQuery
spec:
name: centos_hosts
query: select 1 from os_version where platform = "centos";
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryQuery
spec:
name: ubuntu_hosts
query: select 1 from os_version where platform = "ubuntu";
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryQuery
spec:
name: windows_hosts
query: select 1 from os_version where platform = "windows";
---
apiVersion: kolide.com/v1alpha1
kind: OsqueryQuery
spec:
name: darwin_hosts
query: select 1 from os_version where platform = "darwin";
Reference in New Issue View Git Blame Copy Permalink