Linux osquery Daemon Configuration


The following topic lists the osquery daemon configuration files for Linux.

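{
  // Configure the daemon below.
  "options": {
    // Select the osquery config plugin.
    "config_plugin": "filesystem",

    // Select the osquery logging plugin.
    "logger_plugin": "filesystem",

    // Log timestamps in UTC so events correlate across hosts and time zones.
    "utc": "true",

    // Event-based FIM (file_events / yara_events) needs the file watcher on
    // and the event framework enabled, i.e. both of the following.
    "enable_file_events": "true",
    "disable_events": "false"
  },

  // YARA: "signatures" declares named signature groups; "file_paths" maps a
  // FIM category (declared under the top-level "file_paths" below) to the
  // signature groups to run against files that change within that category.
  "yara": {
    "signatures": {
      "sig_group_1": [ "/opt/cisco/orbital/config/yara_sigs/web_shells.yar" ]
    },
    "file_paths": {
      "web_server_root_folder_default": [ "sig_group_1" ]
    }
  },

  // Define FIM monitoring paths and directories.
  // "%%" matches files and folders recursively; a single "%" matches one level.
  "file_paths": {
    "dir_etc": [
      "/etc/%%"
    ],
    "dir_tmp": [
      "/tmp/%%"
    ],
    "dir_lib_modules": [
      "/lib/modules/%%"
    ],
    "file_bashrc": [
      "/home/%/.bashrc"
    ],
    "file_bash_profile": [
      "/home/%/.bash_profile"
    ],
    "file_bash_history": [
      "/home/%/.bash_history"
    ],
    "web_server_root_folder_default": [
      "/var/www/html/%%"
    ]
  },

  // Categories from "file_paths" whose files should also emit access (read)
  // events, not only change events. "file_accesses" is a top-level osquery
  // key; nested inside "file_paths" it would be parsed as just another
  // category whose "paths" are the literal strings below, and no access
  // events would be generated. Access events are high-volume: keep this list
  // to sensitive files and review the resulting event rate.
  "file_accesses": [ "dir_etc", "file_bashrc", "file_bash_profile", "file_bash_history" ]
}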
