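---
# Fleet "options" spec: osquery options and decorators pushed to enrolled hosts.
# `spec.config` is the base config; `spec.overrides.platforms.<platform>` is what
# hosts of that platform receive instead (see the note under `overrides`). Note
# that each override repeats the logger settings rather than inheriting them.
apiVersion: v1
kind: options
spec:
  config:
    options:
      distributed_interval: 3
      distributed_tls_max_attempts: 3
      logger_plugin: tls
      # Path only: the server hostname and TLS verification settings
      # (tls_hostname, tls_server_certs) are agent enrollment flags and are not
      # set by this config -- confirm they are pinned on the agent side.
      logger_tls_endpoint: /api/v1/osquery/log
      logger_tls_period: 10
    decorators:
      load:
        - "SELECT version FROM osquery_info"
        - "SELECT uuid AS host_uuid FROM system_info"
      always:
        # NOTE(review): ORDER BY time is ascending, so `username` on every log
        # line is the *oldest* logged-in session, not the most recent one. Use
        # `ORDER BY time DESC` if the latest user is intended. Left unchanged.
        - "SELECT user AS username FROM logged_in_users WHERE user <> '' ORDER BY time LIMIT 1"
      interval:
        # Interval in seconds. Quoted so the key is a string for every YAML
        # parser (an unquoted 3600 is read as an integer key by generic loaders).
        "3600": "SELECT total_seconds AS uptime FROM uptime"
  overrides:
    # Note: configs in overrides take precedence over the default config defined
    # under the config key above. Hosts receive overrides based on the platform
    # returned by `SELECT platform FROM os_version`. In this example, the base
    # config would be used for Windows and CentOS hosts, while Mac and Ubuntu
    # hosts would receive their respective overrides.
    platforms:
      darwin:
        options:
          distributed_interval: 10
          distributed_tls_max_attempts: 10
          logger_plugin: tls
          logger_tls_endpoint: /api/v1/osquery/log
          logger_tls_period: 300
          # Comma-separated list of tables hidden from queries on these hosts.
          disable_tables: chrome_extensions
          docker_socket: /var/run/docker.sock
        # File integrity monitoring targets. `%` matches one path component,
        # `%%` is recursive. These patterns only configure the event publisher;
        # data is produced only if event publishing is enabled on the agent and
        # a scheduled query reads the file_events table.
        file_paths:
          users:
            # NOTE(review): recursive ~/Library includes caches and is likely to
            # be very noisy -- tune per fleet.
            - /Users/%/Library/%%
            - /Users/%/Documents/%%
          etc:
            - /etc/%%
      ubuntu:
        options:
          distributed_interval: 10
          distributed_tls_max_attempts: 3
          logger_plugin: tls
          logger_tls_endpoint: /api/v1/osquery/log
          logger_tls_period: 60
          schedule_timeout: 60
          # Docker's default Unix socket, matching the darwin override above.
          # The earlier value /etc/run/docker.sock looks like a typo of this path
          # (there is no /etc/run on Ubuntu) and would presumably leave the
          # docker_* tables empty.
          docker_socket: /var/run/docker.sock
        # FIM targets; same caveats as the darwin override (patterns do nothing
        # unless file_events is scheduled and events are enabled on the agent).
        file_paths:
          homes:
            - /root/.ssh/%%
            - /home/%/.ssh/%%
          etc:
            - /etc/%%
          tmp:
            - /tmp/%%
        # Exclusions: category names here must match the file_paths categories
        # above for the exclusion to apply.
        exclude_paths:
          homes:
            - /home/not_to_monitor/.ssh/%%
          tmp:
            - /tmp/too_many_events/
        decorators:
          load:
            - "SELECT * FROM cpuid"
            - "SELECT * FROM docker_info"
          interval:
            # Interval in seconds; quoted for the same reason as in the base config.
            "3600": "SELECT total_seconds AS uptime FROM uptime"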