Skip to content
This repository was archived by the owner on Sep 19, 2024. It is now read-only.
/ osquery-starter-kit Public archive

A starter-kit for a source-controlled, CLI-based osquery management workflow.

kolide.com/fleet

License

MIT license
30 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kolide/osquery-starter-kit

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
packs
packs
 
 
queries
queries
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
config.yaml
config.yaml
 
 
labels.yaml
labels.yaml
 
 
options.yaml
options.yaml
 
 

Repository files navigation

Osquery Starter Kit

When you're getting started with osquery, it can be difficult to figure out how to gather up as much high-quality, open-source intelligence as possible and deploy it to your fleet along with your own, custom query packs.

To help with this objective, Kolide Fleet supports a command-line workflow for managing osquery configuration via source-controlled, code-audited files. The fleetctl command-line can be used to "apply" a set of declarative configurations idempotently.

This allows you to setup a CI workflow where CI is the only entity that can update osquery configuration, allowing you to enforce an appropriate level of code review to your osquery SQL deployment proceess. Alternatively, you may just want to fleetctl apply your configuration yourself, but you want to have a source-controlled backup of all of your configurations.

This repository aims to be a starting point for people that are looking to deploy osquery and want a code-based workflow that allows for:

  • a text-based osquery configuration experience
    • bring your favorite text editor!
  • a command-line experiencing for managing osquery deployment configurations
  • maximum query re-use
    • use the same query in multiple packs and labels
  • code review throughout the configuration management process
  • easy sharing of osquery intelligence with others

Requirements

To use this repo (or a repo like this), you must be using Kolide Fleet (version 2.0.0 or greater) to manage your osquery deployment and have a locally configured fleetctl binary. If your company already uses Kolide Fleet and you'd like to install the fleetctl CLI, there are a few supported options. On macOS, you can use the Homebrew package manager:

$ brew tap kolide/tap
$ brew install fleet

If you'd rather not use Homebrew or you would like to download fleetctl on another platform, you can download the latest binaries directly from the GitHub Releases page.

Once you have the fleetctl binary in your path, you must configure your local CLI context to target your remote Fleet instance:

$ fleetctl config set --address https://fleet.corp.example.com
[+] Set the address config key to "https://fleet.corp.example.com" in the "default" context

Finally, login via the CLI:

$ fleetctl login
Log in using the standard Fleet credentials.
Email: [email protected]
Password:
[+] Fleet login successful and context configured!

About

A starter-kit for a source-controlled, CLI-based osquery management workflow.

kolide.com/fleet

Topics

osquery

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

30 stars

Watchers

15 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •