mirror of
https://github.com/fleetdm/fleet
synced 2026-05-23 08:58:41 +00:00
113 lines
3.4 KiB
YAML
113 lines
3.4 KiB
YAML
apiVersion: k8s.kolide.com/v1alpha1
|
|
kind: OsqueryOptions
|
|
spec:
|
|
config:
|
|
- distributed_interval: 3
|
|
- distributed_tls_max_attempts: 3
|
|
- logger_plugin: tls
|
|
- logger_tls_endpoint: /api/v1/osquery/log
|
|
- logger_tls_period: 10
|
|
---
|
|
apiVersion: k8s.kolide.com/v1alpha1
|
|
kind: OsqueryDecorators
|
|
spec:
|
|
decorators:
|
|
- name: hostname
|
|
query: select hostname from system_info;
|
|
type: interval
|
|
interval: 10
|
|
- name: uuid
|
|
query: select uuid from osquery_info;
|
|
type: load
|
|
- name: instance_id
|
|
query: select instance_id from osquery_info;
|
|
type: load
|
|
---
|
|
apiVersion: k8s.kolide.com/v1alpha1
|
|
kind: OsqueryFIM
|
|
spec:
|
|
fim:
|
|
interval: 500
|
|
groups:
|
|
- name: etc
|
|
paths:
|
|
- /etc/%%
|
|
- name: users
|
|
paths:
|
|
- /Users/%/Library/%%
|
|
- /Users/%/Documents/%%
|
|
|
|
---
|
|
apiVersion: k8s.kolide.com/v1alpha1
|
|
kind: OsqueryLabels
|
|
spec:
|
|
labels:
|
|
- name: all_hosts
|
|
query: select 1;
|
|
- name: macs
|
|
query: select 1 from os_version where platform = "darwin";
|
|
- name: ubuntu
|
|
query: select 1 from os_version where platform = "ubuntu";
|
|
- name: centos
|
|
query: select 1 from os_version where platform = "centos";
|
|
- name: windows
|
|
query: select 1 from os_version where platform = "windows";
|
|
- name: pending_updates
|
|
query: SELECT value from plist where path = "/Library/Preferences/ManagedInstalls.plist" and key = "PendingUpdateCount" and value > "0";
|
|
platforms:
|
|
- darwin
|
|
- name: slack_not_running
|
|
query: >
|
|
SELECT * from system_info
|
|
WHERE NOT EXISTS (
|
|
SELECT *
|
|
FROM processes
|
|
WHERE name LIKE "%Slack%"
|
|
);
|
|
---
|
|
apiVersion: k8s.kolide.com/v1alpha1
|
|
kind: OsqueryPack
|
|
metadata:
|
|
name: osquery_monitoring
|
|
spec:
|
|
targets:
|
|
labels:
|
|
- all_hosts
|
|
queries:
|
|
- name: osquery_schedule
|
|
interval: 7200
|
|
removed: false
|
|
description: Report performance publisher health and track event counters.
|
|
- name: osquery_events
|
|
interval: 86400
|
|
removed: false
|
|
description: Report event publisher health and track event counters.
|
|
- name: oquery_info
|
|
interval: 600
|
|
removed: false
|
|
description: A heartbeat counter that reports general performance (CPU, memory) and version.
|
|
---
|
|
apiVersion: k8s.kolide.com/v1alpha1
|
|
kind: OsqueryQuery
|
|
metadata:
|
|
- name: processes
|
|
spec:
|
|
query: select * from processes;
|
|
---
|
|
apiVersion: k8s.kolide.com/v1alpha1
|
|
kind: OsqueryQueries
|
|
spec:
|
|
queries:
|
|
- name: launcher_version
|
|
query: select version from kolide_launcher_info;
|
|
- name: osquery_version
|
|
query: select version from osquery_info;
|
|
- name: osquery_schedule
|
|
query: select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory, last_executed from osquery_schedule;
|
|
description: Report performance publisher health and track event counters.
|
|
- name: osquery_events
|
|
query: select name, publisher, type, subscriptions, events, active from osquery_events;
|
|
description: Report event publisher health and track event counters.
|
|
- name: osquery_info
|
|
query: select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid;
|
|
description: A heartbeat counter that reports general performance (CPU, memory) and version.
|