https://github.com/osquery/osquery logo
Join Slack
Powered by
Hi! I'm thinking of building and deploying a custo...
# kolide
k
Hi! I'm thinking of building and deploying a custom osquery package with a few tables removed e.g. 
process_envs
and 
mdfind
to a couple hundred macOS devices. It would be best if this package can be autoupdated, but I'm guessing it may not be so straightforward as the code base has diverted from the upstream. Is this something that can be done with Kolide 
launcher
, 
package-builder
and the 
--autoupdate
flag?
s
The auto update stuff will download launcher and osquery from our distribution points and replace them on local disk
While I can't promise much, i would generally expect it to work with a custom package.
However, it would over write any custom osquery builds.
k
My understanding is that I would be removing certain 
.table
files under the specs path before I build the binary from the source as explained here. If auto update replaces this binary with the one from kolide's distribution points, I guess I'll likely be looking for an alternative. Would you know any areas I could possibly look into for this? Would it be possible to tweak auto update to point to a custom distribution point hosting my custom build?
z
Would it be possible to tweak auto update to point to a custom distribution point hosting my custom build?
Yes you could definitely do this but it's a lot of work.
Would you know any areas I could possibly look into for this?
Maybe you could use 
--osquery_flag disable_tables=mdfind,process_envs
with Launcher and avoid having any custom package.
👍 1
s
There’s no tweaking. per se, launcher supports arbitrary update servers. But setting up 
notary
is a bit of a bear
I don’t know that I’ve seen other OSS osquery updaters. Though depending on your environment you can do any of the normal platform management tools (chef, puppet, jamf, etc….)
Open in Slack
PreviousNext
Powered by