Commit Graph

32 Commits

Author SHA1 Message Date
Teddy Reed
8b1ac7ebaf Adding deployment debugging documentation 2016-01-20 16:22:32 -08:00
Teddy Reed
0a7dcbb967 Merge pull request #1719 from jacknagz/osx-config-docs
Resolves #1718: Updated LaunchDaemon and Chef Template
2015-12-11 14:01:58 -08:00
Teddy Reed
98eb6a5055 Reorganize file_events into process_file_events 2015-12-11 00:58:22 -08:00
Jack Naglieri
b396972ef7 Resolves #1718: Updated LaunchDaemon and Chef Template 2015-12-10 19:16:29 -08:00
Teddy Reed
9d394065e3 [#1636] Add simple sharding to packs and pack queries 2015-12-10 10:01:53 -08:00
Teddy Reed
eeff5d0bf0 [#1676] Clear node key on node_invalid 2015-12-06 14:28:00 -08:00
Teddy Reed
15c4673c5a Add pack_delimiter option 2015-11-02 18:05:46 -08:00
Teddy Reed
ba4eeb6a80 [#1600] Put inotify into a mod-only watch mode 2015-10-27 16:42:21 -07:00
Teddy Reed
2e7415f871 Convert wiki to UNIX format and refresh most content 2015-10-15 12:18:16 -07:00
Mike Arpaia
aaa03a1058 Distributed queries client-side 2015-09-08 13:33:48 -07:00
Mike Arpaia
a140333441 [fix #1390] query pack re-org
This commit contains the features specified in #1390 as well as a
refactoring of the general osquery configuration code.

The API for the config plugins hasn't changed, although now there's a
`genPack` method that config plugins can implement. If a plugin doesn't
implement `genPack`, then the map<string, string> format cannot be used.
The default config plugin, the filesystem plugin, now implements
`genPack`, so existing query packs code will continue to work as it
always has.

Now many other config plugins can implement custom pack handling for
what makes sense in their context. `genPacks` is not a pure virtual, so
it doesn't have to be implemented in your plugin if you don't want to
use it. Also, more importantly, all config plugins can use the standard
inline pack format if they want to use query packs. Which is awesome.

For more information, refer to #1390, the documentation and the doxygen
comments included with this pull request, as well as the following
example config which is now supported, regardless of what config plugin
you're using:

```json
{
  "options": {
    "enable_monitor": "true"
  },
  "packs": {
    "core_os_monitoring": {
        "version": "1.4.5",
        "discovery": [
          "select pid from processes where name like '%osqueryd%';"
        ],
        "queries": {
          "kernel_modules": {
              "query": "SELECT name, size FROM kernel_modules;",
              "interval": 600
          },
          "system_controls": {
              "query": "SELECT * FROM system_controls;",
              "interval": 600,
              "snapshot": true
          },
          "usb_devices": {
              "query": "SELECT * FROM usb_devices;",
              "interval": 600
          }
        }
    },
    "osquery_internal_info": {
        "version": "1.4.5",
        "discovery": [
          "select pid from processes where name like '%osqueryd%';"
        ],
        "queries": {
          "info": {
              "query": "select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid;",
              "interval": 60,
              "snapshot": true
          },
          "registry": {
              "query": "SELECT * FROM osquery_registry;",
              "interval": 600,
              "snapshot": true
          },
          "schedule": {
              "query": "select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory from osquery_schedule;",
              "interval": 60,
              "snapshot": true
          }
        }
    }
  }
}
```

The `osquery_packs` table was modified to remove the superfluous
columns which could already have been found in `osquery_schedule`. Two
more columns were added in their place, representing stats about the pack's
discovery query execution history.

Notably, the internal API for the `osquery::Config` class has changed
rather dramatically as part of the refactoring. We think this is an
improvement. While strictly adhering to the osquery config plugin
interface would have avoided any compatibility errors, advanced users may
notice compilation errors if they access config data directly. All
internal users of the config have obviously been updated. Yet another
reason to merge your code into mainline; we update it for you when we
refactor!
2015-09-02 10:56:26 -07:00
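As an added illustration of the inline pack format described in the commit message above (example code written for this page, not osquery's own parser or config plugin code), the following Python script loads a config in that layout and checks the structural points the message relies on: `packs` is an object, each pack's `discovery` is a list of SQL strings, each scheduled query has a non-empty `query` and a positive integer `interval`, and `snapshot`, when present, is a boolean. The sample configs are constructed for this example; the specific checks are this script's own assumptions about a sane config, not rules enforced by osquery. One deliberate edge case: a trailing comma after the last key, which strict JSON parsers reject, is reported as a parse failure rather than a pack error.

```python
import json
from typing import Dict, List

# Constructed sample in the inline pack layout from the commit message above.
SAMPLE_CONFIG = """
{
  "options": {"enable_monitor": "true"},
  "packs": {
    "core_os_monitoring": {
      "version": "1.4.5",
      "discovery": ["select pid from processes where name like '%osqueryd%';"],
      "queries": {
        "kernel_modules": {"query": "SELECT name, size FROM kernel_modules;", "interval": 600},
        "system_controls": {"query": "SELECT * FROM system_controls;", "interval": 600, "snapshot": true}
      }
    }
  }
}
"""

# Constructed sample with a trailing comma after the last key (not strict JSON).
BAD_TRAILING_CONFIG = """
{"packs": {"p": {"queries": {"q1": {"query": "SELECT 1;", "interval": 60,}}}}}
"""

# Constructed sample with three field-level mistakes: discovery is a string,
# interval is a string, snapshot is a string.
BAD_FIELDS_CONFIG = """
{
  "packs": {
    "p": {
      "discovery": "select 1;",
      "queries": {
        "q1": {"query": "SELECT * FROM usb_devices;", "interval": "600", "snapshot": "yes"}
      }
    }
  }
}
"""


def validate_packs(config_text: str) -> List[str]:
    """Return a list of problems found in the inline packs of a config.

    The checks are this example's own assumptions about a well-formed pack,
    not osquery's parser; an empty list means no problem was found.
    """
    problems: List[str] = []
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        # Strict parsing: a trailing comma or other syntax slip stops here.
        return [f"config is not strict JSON: {exc.msg} at line {exc.lineno}"]

    packs = cfg.get("packs", {})
    if not isinstance(packs, dict):
        return ["'packs' must be an object mapping pack name to pack"]

    for pack_name, pack in packs.items():
        if not isinstance(pack, dict):
            problems.append(f"{pack_name}: pack must be an object")
            continue
        discovery = pack.get("discovery", [])
        if not isinstance(discovery, list) or not all(isinstance(q, str) for q in discovery):
            problems.append(f"{pack_name}: discovery must be a list of SQL strings")
        queries = pack.get("queries")
        if not isinstance(queries, dict) or not queries:
            problems.append(f"{pack_name}: queries must be a non-empty object")
            continue
        for qname, q in queries.items():
            where = f"{pack_name}/{qname}"
            if not isinstance(q, dict):
                problems.append(f"{where}: query entry must be an object")
                continue
            sql = q.get("query")
            if not isinstance(sql, str) or not sql.strip():
                problems.append(f"{where}: 'query' must be a non-empty SQL string")
            interval = q.get("interval")
            # bool is a subclass of int in Python, so exclude it explicitly.
            if not isinstance(interval, int) or isinstance(interval, bool) or interval <= 0:
                problems.append(f"{where}: 'interval' must be a positive integer of seconds")
            if "snapshot" in q and not isinstance(q["snapshot"], bool):
                problems.append(f"{where}: 'snapshot' must be true or false")
    return problems


def schedule_summary(config_text: str) -> Dict[str, int]:
    """Map each pack name to the number of queries it would put on the schedule
    once its discovery queries pass (assumes the config already validated)."""
    cfg = json.loads(config_text)
    return {name: len(p.get("queries", {})) for name, p in cfg.get("packs", {}).items()}


if __name__ == "__main__":
    for label, text in [("sample", SAMPLE_CONFIG),
                        ("trailing comma", BAD_TRAILING_CONFIG),
                        ("bad fields", BAD_FIELDS_CONFIG)]:
        print(label, validate_packs(text) or "ok")
    print(schedule_summary(SAMPLE_CONFIG))
```

Running the script against the three constructed configs reports the sample as clean, the trailing-comma config as a parse failure, and the third config with one finding per bad field; `schedule_summary` shows that the sample pack would contribute two scheduled queries once its discovery query matches.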
Teddy Reed
0e16f56c8d Add 'hidden' flags to customize TLS plugins 2015-08-28 12:57:53 -07:00
Kevin Thompson
e8772f2603 Adds an enroll_secret_env flag that allows the user to specify that
the enroll secret for TLS enrollment is stored in an environment
variable rather than a file.
2015-08-25 21:11:19 -05:00
Allister Banks
153fbdff0d osqueryctl subcommand reversed in doc
Yes, it immediately told me about it; this is just a docs tweak to
reflect the proper order. 😅
2015-08-19 13:09:25 -04:00
Teddy Reed
b9ded9e7af [#1402] Add notes around pack paths in example.conf 2015-08-12 17:15:42 -07:00
Artur Chmiel
c0be6b5ba1 Fixed URLs and some typos in the documentation 2015-07-16 23:17:22 +02:00
Artur Chmiel
cb1856654d Various fixes to the documentation 2015-07-11 23:37:25 +02:00
Teddy Reed
f48619ed28 [#1285, #1276] Faster, optimized subscriber results 2015-07-07 00:59:28 -07:00
Teddy Reed
0c6c1e3a62 Various quality control fixes 2015-06-12 01:32:24 -07:00
Teddy Reed
727f5b091f Various table perf improvements and TLS docs 2015-06-05 22:03:15 -07:00
Teddy Reed
a105924804 Move specs to a top-level path, add query examples
1. Example queries will run with an (optional) integration test.
2. Fix bad accesses with OS X package BOMs
3. Move spec files from ./osquery/tables/specs to ./specs
4. Remove server parsers (netlib) from client builds.
2015-06-03 10:39:05 -07:00
Teddy Reed
6591916fed [#1076] RTD wiki article on extensions autoloading 2015-05-28 16:27:29 -07:00
Mike Arpaia
fff36af0af Removing trailing whitespace 2015-05-11 23:31:13 -07:00
Teddy Reed
e01a73b4f3 Schedule monitoring, doc updates, logger plugin fixes 2015-05-03 11:54:15 -07:00
Sharvil Shah
cb396bd7b7 fix 404s as a result of relative links not having .md extension 2015-05-02 04:12:21 -07:00
Sharvil Shah
35c6cb8f39 Fix https mixed content warning by updating image links to https 2015-05-02 03:35:05 -07:00
Ari Rubinstein
a69a4b1903 First iteration of FIM documentation 2015-04-29 12:46:51 -07:00
Wesley Shields
f431280c2e Address concerns from Mike.
Mostly cleanup as it moved from a gist to get the word out to docs.

This does assume that the change from file_changes to file_events
in #1049 will happen.
2015-04-28 21:55:22 -04:00
Wesley Shields
5de1f484df First cut at YARA docs. 2015-04-27 23:59:55 -04:00
Teddy Reed
8930f9e692 Documentation updates, separate config/logging pages
Mostly minor documentation/wiki/guide fixes.
This breaks down the "using osqueryd" page into more of a summary
of what the daemon does from a schedule/logging perspective.

The bulk of the "using osqueryd" page now exists in the configuration
deployment page and the new "logging" deployment page.
2015-04-18 22:09:25 -07:00
Teddy Reed
e69f72cd56 Documentation updates 2015-04-10 14:31:34 -07:00
Teddy Reed
2df9a6558e Add some osquery-theme to API docs 2015-04-06 01:21:10 -07:00