From f909f4808b17ffd5616c6c837cb86206c61dbe20 Mon Sep 17 00:00:00 2001 From: Zachary Wasserman Date: Thu, 16 Nov 2017 10:58:47 -0800 Subject: [PATCH] Make OsqueryOptions hierarchical by platform (#1625) - Allow overriding base config on a per-platform basis. - Merge FIM configs into the OsqueryOptions object. --- docs/cli/README.md | 51 +++++++++++++-------------- examples/config-many-files/config.yml | 30 +++++++++++++--- examples/config-many-files/fim.yml | 14 -------- examples/config-single-file.yml | 44 +++++++++++++---------- 4 files changed, 75 insertions(+), 64 deletions(-) delete mode 100644 examples/config-many-files/fim.yml diff --git a/docs/cli/README.md b/docs/cli/README.md index 118b2a97fa..e2d918570c 100644 --- a/docs/cli/README.md +++ b/docs/cli/README.md @@ -98,7 +98,6 @@ All of these files can be concatenated together into [one file](../../examples/c ``` |-- config.yml |-- decorators.yml -|-- fim.yml |-- labels.yml |-- packs | `-- osquery-monitoring.yml @@ -114,11 +113,31 @@ apiVersion: k8s.kolide.com/v1alpha1 kind: OsqueryOptions spec: config: - - distributed_interval: 3 - - distributed_tls_max_attempts: 3 - - logger_plugin: tls - - logger_tls_endpoint: /api/v1/osquery/log - - logger_tls_period: 10 + distributed_interval: 3 + distributed_tls_max_attempts: 3 + logger_plugin: tls + logger_tls_endpoint: /api/v1/osquery/log + logger_tls_period: 10 + overrides: + # Note configs in overrides take precedence over base configs + platforms: + darwin: + disable_tables: chrome_extensions + docker_socket: /var/run/docker.sock + logger_tls_period: 60 + fim: + interval: 500 + groups: + - name: etc + paths: + - /etc/%% + - name: users + paths: + - /Users/%/Library/%% + - /Users/%/Documents/%% + linux: + schedule_timeout: 60 + docker_socket: /etc/run/docker.sock ``` ### Osquery Logging Decorators 
@@ -141,26 +160,6 @@ spec: query: select hostname from system_info; ``` -### File Integrity Monitoring - -The following file describes the configuration for osqueryd's file integrity monitoring system. All other FIM configuration will be over-written by the application of this file. - -```yaml -apiVersion: k8s.kolide.com/v1alpha1 -kind: OsqueryFIM -spec: - fim: - interval: 500 - groups: - - name: etc - paths: - - /etc/%% - - name: users - paths: - - /Users/%/Library/%% - - /Users/%/Documents/%% -``` - ### Host Labels The following file describes the labels which hosts should be automatically grouped into. The label resource should reference the query by name. Both of these resources can be included in the same file as such: diff --git a/examples/config-many-files/config.yml b/examples/config-many-files/config.yml index 97e610a480..65f6df4d4d 100644 --- a/examples/config-many-files/config.yml +++ b/examples/config-many-files/config.yml @@ -3,8 +3,28 @@ apiVersion: k8s.kolide.com/v1alpha1 kind: OsqueryOptions spec: config: - - distributed_interval: 3 - - distributed_tls_max_attempts: 3 - - logger_plugin: tls - - logger_tls_endpoint: /api/v1/osquery/log - - logger_tls_period: 10 + distributed_interval: 3 + distributed_tls_max_attempts: 3 + logger_plugin: tls + logger_tls_endpoint: /api/v1/osquery/log + logger_tls_period: 10 + overrides: + # Note configs in overrides take precedence over base configs + platforms: + darwin: + disable_tables: chrome_extensions + docker_socket: /var/run/docker.sock + logger_tls_period: 60 + fim: + interval: 500 + groups: + - name: etc + paths: + - /etc/%% + - name: users + paths: + - /Users/%/Library/%% + - /Users/%/Documents/%% + linux: + schedule_timeout: 60 + docker_socket: /etc/run/docker.sock diff --git a/examples/config-many-files/fim.yml b/examples/config-many-files/fim.yml deleted file mode 100644 index 1d6bd32cc0..0000000000 --- a/examples/config-many-files/fim.yml +++ /dev/null 
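Review bot: The linux override in examples/config-many-files/config.yml sets `docker_socket: /etc/run/docker.sock`, while the darwin override two stanzas above uses `/var/run/docker.sock` (the conventional Docker socket path); unless `/etc/run` is deliberate, this looks like a typo that would leave the docker tables silently unable to reach the daemon on Linux hosts, so the line should probably read `docker_socket: /var/run/docker.sock`. The same value is added in examples/config-single-file.yml and in the README example in this commit, so all three should be corrected together. Separately, the `# Note configs in overrides take precedence over base configs` comment does not say whether nested mappings such as `fim` and `fim.groups` are deep-merged with the base config or replace it wholesale, which an operator needs to know before defining FIM groups at the base level and adding a platform-specific one; I would extend the comment to state which merge semantics apply once the loader's behaviour is confirmed. These are example files, so the code that interprets `overrides.platforms` is outside this diff and the precedence claim cannot be checked here.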
@@ -1,14 +0,0 @@ ---- -apiVersion: k8s.kolide.com/v1alpha1 -kind: OsqueryFIM -spec: - fim: - interval: 500 - groups: - - name: etc - paths: - - /etc/%% - - name: users - paths: - - /Users/%/Library/%% - - /Users/%/Documents/%% diff --git a/examples/config-single-file.yml b/examples/config-single-file.yml index e3b722b24d..1320ce341c 100644 --- a/examples/config-single-file.yml +++ b/examples/config-single-file.yml @@ -3,11 +3,31 @@ apiVersion: k8s.kolide.com/v1alpha1 kind: OsqueryOptions spec: config: - - distributed_interval: 3 - - distributed_tls_max_attempts: 3 - - logger_plugin: tls - - logger_tls_endpoint: /api/v1/osquery/log - - logger_tls_period: 10 + distributed_interval: 3 + distributed_tls_max_attempts: 3 + logger_plugin: tls + logger_tls_endpoint: /api/v1/osquery/log + logger_tls_period: 10 + overrides: + # Note configs in overrides take precedence over base configs + platforms: + darwin: + disable_tables: chrome_extensions + docker_socket: /var/run/docker.sock + logger_tls_period: 60 + fim: + interval: 500 + groups: + - name: etc + paths: + - /etc/%% + - name: users + paths: + - /Users/%/Library/%% + - /Users/%/Documents/%% + linux: + schedule_timeout: 60 + docker_socket: /etc/run/docker.sock --- apiVersion: k8s.kolide.com/v1alpha1 kind: OsqueryDecorator @@ -28,20 +48,6 @@ kind: OsqueryDecorator type: load --- apiVersion: k8s.kolide.com/v1alpha1 -kind: OsqueryFIM -spec: - fim: - interval: 500 - groups: - - name: etc - paths: - - /etc/%% - - name: users - paths: - - /Users/%/Library/%% - - /Users/%/Documents/%% ---- -apiVersion: k8s.kolide.com/v1alpha1 kind: OsqueryLabel spec: name: all_hosts