Linux osquery Daemon Configuration

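{
  // osquery daemon configuration. osquery's filesystem config plugin strips
  // "//" line comments before parsing, so these notes are safe to keep here.
  "options": {
    // Select the osquery config plugin.
    "config_plugin": "filesystem",

    // Select the osquery logging plugin.
    "logger_plugin": "filesystem",

    // Log timestamps in UTC so events from many hosts can be correlated.
    "utc": "true",

    // Turns on the file_events publisher; the "file_paths" categories below
    // (and the YARA scanning that hangs off them) produce nothing without it.
    "enable_file_events": "true",

    // Keep the eventing framework enabled; file_events and yara_events depend on it.
    "disable_events": "false"
  },

  "yara": {
    // Signature groups: each name maps to a list of rule files on disk.
    "signatures": {
      "sig_group_1": [ "/opt/cisco/orbital/config/yara_sigs/web_shells.yar" ]
    },
    // Apply a signature group to a FIM category. The key must be a category
    // name defined in the top-level "file_paths" section below; files that
    // change under the web root are then scanned with sig_group_1.
    "file_paths": {
      "web_server_root_folder_default": [ "sig_group_1" ]
    }
  },

  // Define FIM monitoring paths and directories.
  // "%" matches a single path level; "%%" matches recursively.
  // NOTE: "/home/%/..." does not cover /root — add a separate pattern if root's
  // shell files should be monitored too.
  "file_paths": {
    "dir_etc": [
      "/etc/%%"
    ],
    "dir_lib_modules": [
      "/lib/modules/%%"
    ],
    "file_bashrc": [
      "/home/%/.bashrc"
    ],
    "file_bash_profile": [
      "/home/%/.bash_profile"
    ],
    "file_bash_history": [
      "/home/%/.bash_history"
    ],
    "web_server_root_folder_default": [
      "/var/www/html/%%"
    ]
  },

  // Categories for which access (open/read) events are recorded in addition
  // to modifications. This is a TOP-LEVEL key, a sibling of "file_paths":
  // nested inside "file_paths" it is parsed as just another category whose
  // patterns are the literal strings "dir_etc", "file_bashrc", ..., so access
  // auditing silently never took effect.
  "file_accesses": [ "dir_etc", "file_bashrc", "file_bash_profile", "file_bash_history" ]
}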
