Anyone actually running this? Curious to hear experiences and get details of the setup at scale.
Yeah it’s a real pleasure! I’d suggest Fleet (FleetDM).
I’m using it via elastic-agent today but running into issues with the agent itself, not osquery.
One important thing to note is that you cannot use one config for all OSes. There are a few subtle differences, for instance FIM between Windows and Linux.
Also check out File Carving for something almost completely undocumented and extremely interesting.
Read about this on the orange site from one of yogthos’s comments. They also made a blog post and submitted it here. They may have some insights.
Two bits of prior art:
WBEM/WMI: Windows lets you use SQL(-like) constructs for querying system information.
IBM i services (bigger list). i is already pretty RDBMS-focused; these provide a bunch of views and stored procedures to do administrative read and write queries. I suspect this grows in popularity because it might be easier than doing it via the traditional means (i.e. from other languages, for people not used to the 5250 interface, etc.).
WMI is something I mention often when talking about administrating Windows boxes with Unix geeks. It is absolutely not perfect, but it made gathering fleet-wide data a breeze. It’s really neat to see that idea translated into the Linux world.
We used this in our test suite at an old job of mine. We were building a virtual appliance, and then we would fire up a copy of it and our tests would probe it in different ways to make sure the appliance was sane. It was a big win for test readability and durability whenever we could switch a test to using osquery instead of parsing shell command output - initially we just converted a couple tests but ifconfig changing its output format motivated us to convert loads more.
Has anyone ever heard of something like this - SQL for the OS, but run against a sos report[1]?
I always seem to be using the awk/grep/etc… to explore things ad-hoc.
I did find jc[2] + sqlite-utils[3] to be interesting, but it seemed a waste to not leverage all the table definitions from OSQuery.
[1] https://github.com/sosreport/sos
[2] https://kellyjonbrazil.github.io/jc/
[3] https://sqlite-utils.datasette.io/en/stable/
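As an added illustration of the "SQL against a captured report" idea above (not code from the thread, from osquery, or from the sos project): captured command output is loaded into SQLite tables shaped like osquery's listening_ports and processes, so an osquery-style join runs offline. Both text samples and the table columns are constructed assumptions for this example, standard library only.

```python
"""Query captured command output with SQL, osquery-style (stdlib only)."""
import sqlite3

# Constructed sample in the style of a captured `netstat -tlnp` (not a real report).
NETSTAT_TEXT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1203/postgres
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2211/python3
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
"""

# Constructed sample in the style of a captured `ps -eo pid,user,args`.
PS_TEXT = """\
  PID USER     COMMAND
  812 root     /usr/sbin/sshd -D
 1203 postgres /usr/lib/postgresql/14/bin/postgres
 2211 www-data python3 -m http.server 8080
"""


def load_report(netstat_text, ps_text):
    """Build an in-memory SQLite db with tables modelled (loosely) on osquery's
    listening_ports and processes, filled from the captured text."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE listening_ports(protocol TEXT, address TEXT, port INTEGER,
                                     pid INTEGER, name TEXT);
        CREATE TABLE processes(pid INTEGER, user TEXT, cmdline TEXT);
    """)
    for line in netstat_text.splitlines()[1:]:          # skip header row
        proto, _, _, local, _, state, pidprog = line.split(None, 6)
        if state != "LISTEN":
            continue
        address, port = local.rsplit(":", 1)            # handles ':::22' too
        pid, name = pidprog.split("/", 1)
        db.execute("INSERT INTO listening_ports VALUES (?,?,?,?,?)",
                   (proto, address, int(port), int(pid), name))
    for line in ps_text.splitlines()[1:]:
        pid, user, cmdline = line.split(None, 2)
        db.execute("INSERT INTO processes VALUES (?,?,?)", (int(pid), user, cmdline))
    return db


def exposed_listeners(db):
    """Ports bound on every interface, joined to the owning process and user."""
    return db.execute("""
        SELECT DISTINCT lp.port, lp.name, p.user
        FROM listening_ports lp JOIN processes p USING (pid)
        WHERE lp.address IN ('0.0.0.0', '::')
        ORDER BY lp.port
    """).fetchall()
```

The loopback-only postgres listener is excluded by the WHERE clause, and the IPv4/IPv6 sshd rows collapse to one result via DISTINCT.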
Yep! Using a system built around the ‘doorman’ server to satisfy myriad security and compliance needs. It is quite unremarkable yet effective enough.