#general
Garret

07/16/2020, 5:10 PM
Is there any kind of tool that provides basic sanity checks for an osquery configuration? I'm specifically thinking of something that consumes a configuration + scheduled queries and checks that all evented tables that are enabled have a corresponding scheduled query that drains them, but I'm sure there are other configuration level issues that could be detected.
zwass

07/16/2020, 5:23 PM
No, but sounds very handy.
packetzero

07/16/2020, 5:42 PM
I did create some informal scripts to do that a year or two ago, but I can't find them. The only thing I have left is an ugly Ruby script that generates a report on queries used. https://github.com/packetzero/osq_config_report
Garret

07/16/2020, 6:00 PM
Thanks! I guess I'm gonna have to dig into this in my copious free time 😐
zwass

07/16/2020, 6:04 PM
Would be really interesting to build it into osquery itself. Then for example a client could receive a TLS config and report on any potential issues.