Linux osquery Daemon Configuration
The following topic shows an example osquery daemon (osqueryd) configuration file for Linux, combining file integrity monitoring (FIM) with YARA scanning of a web root.
{
// Example osqueryd configuration for Linux: filesystem config/logger plugins,
// file integrity monitoring (FIM) of system and per-user paths, and YARA
// scanning of the web root on change.
// NOTE: the "//" comments rely on osquery's comment-tolerant config parser.
// This file is NOT strict RFC 8259 JSON and will be rejected by jq or other
// strict validators; validate it with osqueryd itself (e.g. --config_check).
"options": {
// Select the osquery config plugin.
"config_plugin": "filesystem",
// Select the osquery logging plugin.
"logger_plugin": "filesystem",
// Option values are written as strings throughout this block; keep that
// convention rather than mixing in bare true/false.
// "utc" presumably switches logged timestamps to UTC — confirm against the
// osquery flag reference for the deployed version.
"utc": "true",
// The FIM categories below only produce events when file events are enabled
// AND the global event switch is left on ("disable_events": "false").
"enable_file_events": "true",
"disable_events": "false"
},
// YARA: "signatures" names rule groups; "file_paths" maps a FIM category
// (declared in the top-level "file_paths" below) to the rule groups that are
// run against files changing in that category.
"yara":{
"signatures": {
// NOTE(review): the rule file should be root-owned and not writable by the
// accounts being monitored — a writable rule file lets an attacker blind or
// alter detection. Verify ownership/permissions on this path at deploy time.
"sig_group_1": [ "/opt/cisco/orbital/config/yara_sigs/web_shells.yar" ]
},
"file_paths": {
// Must match the category name under the top-level "file_paths" exactly.
"web_server_root_folder_default": [ "sig_group_1" ]
}
},
// Define FIM monitoring paths and directories
// osquery wildcards: "%" matches a single path component, "%%" recurses.
"file_paths": {
// Recursive watch of /etc — high-value for detecting config and
// persistence tampering, but also high-volume on busy hosts.
"dir_etc": [
"/etc/%%"
],
// Kernel module tree; unexpected changes here warrant investigation.
"dir_lib_modules": [
"/lib/modules/%%"
],
// Per-user shell startup files, a common user-level persistence location.
"file_bashrc": [
"/home/%/.bashrc"
],
"file_bash_profile": [
"/home/%/.bash_profile"
],
// NOTE(review): .bash_history is typically rewritten when a shell exits, so
// routine modify events are expected; also weigh the privacy implications
// of collecting shell history before a broad rollout.
"file_bash_history": [
"/home/%/.bash_history"
],
// Web root watched for file changes; also the target of the YARA scan above.
"web_server_root_folder_default": [
"/var/www/html/%%"
],
// Categories that additionally record file access (open) events, not just
// modifications. Access events on a recursive /etc watch can be very noisy;
// confirm the event volume is acceptable for the logger before rollout.
// The web root and /lib/modules are deliberately left out of this list.
"file_accesses": [ "dir_etc", "file_bashrc", "file_bash_profile", "file_bash_history" ]
}
}