seansummers / ansible-osquery

Ansible role for osquery
https://osquery.io/

Allow configuration of OSQuery #3

Open andrewhowdencom opened 6 years ago

andrewhowdencom commented 6 years ago

I think OSQuery uses JSON to configure its behaviour. Would you be happy getting a PR that allowed configuring it by specifying its full configuration tree in YAML, and using the toJson filter of Ansible to render it to its final format?

I think this is more flexible and lower overhead than allowing a set of specific configuration options.

andrewhowdencom commented 6 years ago

Also asked in https://github.com/kbrebanov/ansible-osquery/issues/2

ssummer3 commented 6 years ago

Sounds like a plan. I'm not interested in separate configs per platform, though, so let's try to make it a minimum viable config.

https://github.com/kbrebanov/ansible-osquery/issues/2

andrewhowdencom commented 6 years ago

I would likely replicate the existing one? https://github.com/ssummer3/ansible-osquery/blob/master/files/etc/osquery/osquery.conf

Can then be overridden by the playbook variables as required (presumably we'll know the OS at that point from the inventory). Something like:

```yaml
---
osquery_configuration:
  options:
    config_plugin: filesystem
    logger_plugin: filesystem
    events_expiry: '3600'
    database_path: "/var/osquery/osquery.db"
    verbose: 'false'
    worker_threads: '2'
    schedule_splay_percent: '10'
    enable_monitor: 'true'
  schedule:
    system_info:
      query: SELECT hostname, cpu_brand, physical_memory FROM system_info;
      interval: 3600
  decorators:
    load:
    - SELECT uuid AS host_uuid FROM system_info;
    - SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;
  packs:
    osquery-monitoring: "/usr/share/osquery/packs/osquery-monitoring.conf"
    incident-response: "/usr/share/osquery/packs/incident-response.conf"
    it-compliance: "/usr/share/osquery/packs/it-compliance.conf"
    vuln-management: "/usr/share/osquery/packs/vuln-management.conf"
    hardware-monitoring: "/usr/share/osquery/packs/hardware-monitoring.conf"
```

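As an added example (not code from the role or from anyone in this thread), the Python below does offline what the proposed `osquery_configuration | to_nice_json` rendering would do in the role: it serialises the variable tree to the JSON that osqueryd reads, and first checks the shape of the `schedule`, `decorators` and `packs` sections so that a broken entry is caught at play time rather than when the daemon loads the file. The tree is constructed here to mirror the YAML above (trimmed to two packs); `validate_osquery_tree` and `render_osquery_conf` are names chosen for this example, and the checks cover only the structural rules osquery documents for those sections, not SQL or flag names.

```python
"""Render an osquery config tree to JSON, checking its shape first.

Added example only; it mirrors what an Ansible task using
"{{ osquery_configuration | to_nice_json }}" would write to osquery.conf.
"""
import json

# Constructed variable tree with the same keys as the YAML proposed above.
OSQUERY_CONFIGURATION = {
    "options": {
        "config_plugin": "filesystem",
        "logger_plugin": "filesystem",
        "events_expiry": "3600",
        "database_path": "/var/osquery/osquery.db",
        "verbose": "false",
        "worker_threads": "2",
        "schedule_splay_percent": "10",
        "enable_monitor": "true",
    },
    "schedule": {
        "system_info": {
            "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
            "interval": 3600,
        }
    },
    "decorators": {
        "load": [
            "SELECT uuid AS host_uuid FROM system_info;",
            "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;",
        ]
    },
    "packs": {
        "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
        "incident-response": "/usr/share/osquery/packs/incident-response.conf",
    },
}


def validate_osquery_tree(tree):
    """Return a list of problems; an empty list means the tree looks sane."""
    problems = []

    # Every scheduled query needs a non-empty SQL string and a positive
    # integer interval (bool is excluded because it is an int subclass).
    for name, entry in tree.get("schedule", {}).items():
        if not isinstance(entry, dict):
            problems.append(f"schedule.{name}: must be a mapping")
            continue
        query = entry.get("query")
        if not isinstance(query, str) or not query.strip():
            problems.append(f"schedule.{name}: missing or empty 'query'")
        interval = entry.get("interval")
        if (not isinstance(interval, int) or isinstance(interval, bool)
                or interval <= 0):
            problems.append(f"schedule.{name}: 'interval' must be a positive integer")

    # load/always decorators are lists of queries; interval decorators map
    # a period to a list of queries.
    for kind, body in tree.get("decorators", {}).items():
        if kind in ("load", "always"):
            if not (isinstance(body, list) and all(isinstance(q, str) for q in body)):
                problems.append(f"decorators.{kind}: must be a list of query strings")
        elif kind == "interval":
            if not (isinstance(body, dict)
                    and all(isinstance(qs, list) for qs in body.values())):
                problems.append("decorators.interval: must map a period to a list of queries")
        else:
            problems.append(f"decorators.{kind}: unknown decorator kind")

    # A pack is either an absolute path to a pack file or an inline mapping.
    for name, pack in tree.get("packs", {}).items():
        if isinstance(pack, str):
            if not pack.startswith("/"):
                problems.append(f"packs.{name}: pack path should be absolute")
        elif not isinstance(pack, dict):
            problems.append(f"packs.{name}: must be a path or an inline pack mapping")

    return problems


def render_osquery_conf(tree):
    """Serialise the tree like Ansible's to_nice_json (indent=4, sorted keys).

    Raises ValueError listing every problem instead of writing a bad config.
    """
    problems = validate_osquery_tree(tree)
    if problems:
        raise ValueError("invalid osquery configuration: " + "; ".join(problems))
    return json.dumps(tree, indent=4, sort_keys=True)


def round_trips(tree):
    """True if rendering then parsing gives back the same tree."""
    return json.loads(render_osquery_conf(tree)) == tree


if __name__ == "__main__":
    print(render_osquery_conf(OSQUERY_CONFIGURATION))
```

In the role the equivalent would be a `copy` task with `content: "{{ osquery_configuration | to_nice_json }}"` and `dest: /etc/osquery/osquery.conf`; running a check like this against the merged variable tree before that task means a mistyped interval or an empty query is reported by the play instead of surfacing only once osqueryd reads the file.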
andrewhowdencom commented 6 years ago

Hmm. This might not need doing. I wonder if copy has the template fallback like template does; in that case, it'd just be possible to dump a better file in the group_vars template fallback location.

I'll test this.