
Mario Bardowell

10/17/2022, 5:43 PM
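#!/usr/bin/env bash
#
# Download osquery for macOS and install it with a custom osquery.conf.
#
# Must run as root: installer(8) writes to / and the agent plist is copied
# into /Library/LaunchDaemons.
#
# Optional environment:
#   OSQUERY_PKG_SHA256  expected SHA-256 of the .pkg. When set, the download is
#                       verified before it is handed to installer(8); when unset
#                       a warning is printed and the package is installed as is.
#
# Changes from the original one-shot script:
#   * the download URL was wrapped in "<...>" (a chat-client link artifact),
#     which made curl fetch a non-existent URL;
#   * the package was fetched into a fixed, predictable directory under the
#     world-writable /var/tmp and run from there as root; it now goes into a
#     private mktemp directory that is removed on every exit path;
#   * the config was written with echo '...'; the single quotes inside the SQL
#     (e.g. '15m', '/dev/disk3s1s1') terminated the shell string, so they were
#     stripped from the file and left invalid SQL. A quoted here-doc writes the
#     text verbatim;
#   * every step is checked instead of assumed, and the arbitrary "sleep 6"
#     waits are gone.

set -euo pipefail

readonly OSQUERY_VERSION="5.5.1"
readonly PACKAGE_NAME="osquery-${OSQUERY_VERSION}.pkg"
readonly OSQUERY_INSTALLER="https://pkg.osquery.io/darwin/${PACKAGE_NAME}"
readonly OSQUERY_CONF="/var/osquery/osquery.conf"
readonly AGENT_PLIST="io.osquery.agent.plist"

die() { printf 'error: %s\n' "$*" >&2; exit 1; }
log() { printf '%s\n' "$*"; }

#######################################
# Download the .pkg into the scratch directory and optionally verify it.
# Globals:   OSQUERY_INSTALLER, PACKAGE_NAME, OSQUERY_PKG_SHA256 (optional, read)
# Arguments: $1 - scratch directory to download into
# Outputs:   progress on stdout, checksum warning on stderr
# Returns:   0 on success; exits via die on download or checksum failure
#######################################
download_installer() {
  local work_dir=$1
  local pkg="${work_dir}/${PACKAGE_NAME}"
  local actual

  log "Downloading package."
  # -f: an HTTP error must fail the run, not be saved as the .pkg
  curl -fsSL -o "$pkg" -- "$OSQUERY_INSTALLER" \
    || die "download failed: ${OSQUERY_INSTALLER}"

  if [[ -n "${OSQUERY_PKG_SHA256:-}" ]]; then
    read -r actual _ < <(shasum -a 256 -- "$pkg")
    [[ "$actual" == "$OSQUERY_PKG_SHA256" ]] \
      || die "checksum mismatch for ${PACKAGE_NAME}: expected ${OSQUERY_PKG_SHA256}, got ${actual}"
  else
    printf 'warning: OSQUERY_PKG_SHA256 not set; package integrity was not verified\n' >&2
  fi
}

#######################################
# Run the Apple installer on the downloaded package.
# Globals:   PACKAGE_NAME
# Arguments: $1 - scratch directory holding the .pkg
# Returns:   0 on success; exits via die if installer fails
#######################################
install_package() {
  local work_dir=$1

  log "Installing package."
  /usr/sbin/installer -pkg "${work_dir}/${PACKAGE_NAME}" -target / \
    || die "installer failed for ${PACKAGE_NAME}"
}

#######################################
# Write the custom osquery configuration.
# Globals:   OSQUERY_CONF
# Outputs:   writes OSQUERY_CONF (the directory is created by the package)
# Returns:   0 on success; exits via die if the config directory is missing
#######################################
write_config() {
  [[ -d "${OSQUERY_CONF%/*}" ]] || die "missing ${OSQUERY_CONF%/*}; did the package install?"

  # The configuration text is kept exactly as the author wrote it, including
  # the "//" comments and the query names. NOTE(review): the "OS Disk
  # Encryption" query names a specific device node (/dev/disk3s1s1), so it only
  # reports on hosts with that layout — confirm against the target fleet.
  # NOTE(review): whether "//" comments are accepted depends on the osquery
  # config parser in use; confirm with `osqueryd --config_check`.
  cat > "$OSQUERY_CONF" <<'EOF'
{
"options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "utc": "true"
},

"schedule": {
    "system_info": {
        "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
        "interval": 3600
    },
    "high_load_average": {
        "query": "SELECT period, average, '70%' AS 'threshold' FROM load_average WHERE period = '15m' AND average > '0.7';",
        "interval": 900,
        "description": "Report if load charge is over 70 percent."
    },
    "low_free_memory": {
        "query": "SELECT memory_total, memory_free, CAST(memory_free AS real) / memory_total AS memory_free_perc, '10%' AS threshold FROM memory_info WHERE memory_free_perc < 0.1;",
        "interval": 1800,
        "description": "Free RAM is under 10%."
    },
    "detect all unencrypted SSH keys on disk": {
      // The exact query to run.
      "query": "SELECT path FROM user_ssh_keys WHERE encrypted = 0;",
      // The interval in seconds to run this query, not an exact interval.
      "interval": 3600
    },
    "Fireall Status": {
      // The exact query to run.
      "query": "SELECT * from alf;",
      // The interval in seconds to run this query, not an exact interval.
      "interval": 3600
    },

    "osinfo": {
      // The exact query to run.
      "query": "SELECT * from os_version;",
      // The interval in seconds to run this query, not an exact interval.
      "interval": 86400
    },
     "logged_in_users": {
      // The exact query to run.
      "query": "select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;",
      // The interval in seconds to run this query, not an exact interval.
      "interval": 3600
     },

     "OS Disk Encryption": {

      // The exact query to run.
      "query": "select * from disk_encryption where name = '/dev/disk3s1s1';",
      // The interval in seconds to run this query, not an exact interval.
      "interval": 3600

     },
     "Etc_host": {

      // The exact query to run.
      "query": "select * from etc_hosts;",
      // The interval in seconds to run this query, not an exact interval.
      "interval": 3600

     },

     "Startup Items": {

      // The exact query to run.
      "query": "select * from startup_items;",
      // The interval in seconds to run this query, not an exact interval.
      "interval": 86400

     }

},

"packs": {
     "osquery-monitoring": "/private/var/osquery/packs/osquery-monitoring.conf",
     "incident-response": "/private/var/osquery/packs/incident-response.conf",
     "it-compliance": "/private/var/osquery/packs/it-compliance.conf",
     "osx-attacks": "/private/var/osquery/packs/osx-attacks.conf",
     "vuln-management": "/private/var/osquery/packs/vuln-management.conf",
     "hardware-monitoring": "/private/var/osquery/packs/hardware-monitoring.conf",
     "ossec-rootkit": "/private/var/osquery/packs/ossec-rootkit.conf"
    // "windows-hardening": "C:\\Program Files\\osquery\\packs\\windows-hardening.conf",
    // "windows-attacks": "C:\\Program Files\\osquery\\packs\\windows-attacks.conf"
}
}
EOF
}

#######################################
# Install the launchd job shipped by the package and start the agent.
# Globals:   AGENT_PLIST
# Outputs:   progress on stdout
# Returns:   0 on success; exits via die if the plist is missing or launchctl fails
#######################################
start_agent() {
  local src="/var/osquery/${AGENT_PLIST}"
  local dst="/Library/LaunchDaemons/${AGENT_PLIST}"

  log "Launch Daemons"
  [[ -f "$src" ]] || die "missing ${src}; did the package install?"
  cp -- "$src" "$dst" || die "cannot copy ${src} to ${dst}"

  log "Starting agent."
  launchctl load -- "$dst" || die "launchctl load failed for ${dst}"
}

#######################################
# Entry point: scratch dir, download, install, configure, start, cleanup.
# Returns:   0 on success; non-zero via die on any failed step
#######################################
main() {
  local work_dir

  (( EUID == 0 )) || die "must be run as root"

  log "Making directory to run installer."
  # Private, unpredictable directory: nothing else can pre-place a file at the
  # path that installer(8) is about to trust.
  work_dir=$(mktemp -d /var/tmp/osquery.XXXXXX) || die "mktemp failed"
  # shellcheck disable=SC2064 — work_dir is fixed by now; expand it immediately
  trap "rm -rf -- '${work_dir:?}'" EXIT

  download_installer "$work_dir"
  install_package "$work_dir"
  write_config
  start_agent

  log "Cleaning folders and exiting."
}

main "$@"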