Hi I m thinking of building and deploying a custom osquery p

Question

Hi I m thinking of building and deploying a custom osquery package with a few tables removed e g `process envs` and `mdfind` to a couple hundred macOS devices It would be best if this package can be autoupdated but I m guessing it may not be so straightforward as the code base has diverted from the upstream Is this something that can be done with Kolide `launcher` `package builder` and the ` autoupdate` flag

seph · Answer

The auto update stuff will download launcher and osquery from our distribution points and replace them on local disk

seph · Answer

While I can t promise much i would generally expect it to work with a custom package

seph · Answer

However it would over write any custom osquery builds

KK · Answer

My understanding is that I would be removing certain ` table` files under the path before I build the binary from the source as explained If auto update replaces this binary with the one from kolide s distribution points I guess I ll likely be looking for an alternative Would you know any areas I could possibly look into for this Would it be possible to tweak auto update to point to a custom distribution point hosting my custom build

zwass · Answer

gt Would it be possible to tweak auto update to point to a custom distribution point hosting my custom build Yes you could definitely do this but it s a lot of work gt Would you know any areas I could possibly look into for this Maybe you could use ` osquery flag disable tables=mdfind process envs` with Launcher and avoid having any custom package

seph · Answer

There s no tweaking per se launcher supports arbitrary update servers But setting up `notary` is a bit of a bear

seph · Answer

I don t know that I ve seen other OSS osquery updaters Though depending on your environment you can do any of the normal platform management tools chef puppet jamf etc