

OSQUERY FOR WINDOWS

In this post I am going to explore the tool osquery. osquery is an operating system instrumentation, monitoring, and analytics framework for Windows, OS X (macOS), Linux, and FreeBSD. It allows you to easily ask questions about your Linux, Windows, and macOS infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company. 'As adoption for osquery grew, a strong and active community emerged in support of a more open approach to security.' The initial release of osquery was supported for Linux and OS X; however, the community was really excited for a Windows version, and Facebook went on to build it.

OSQUERY FOR WINDOWS INSTALL

Installing osquery on Windows: we recommend installing on Windows using the Chocolatey package manager, or from the latest official binaries available on the Downloads page. The easiest way to install osquery and enroll Windows devices into your Fleet instance is to use our osquery installer. For those needing more customization of their deployment, the steps taken by the installation are explained in more detail below.

osquery for Windows is only distributed via source code. Currently osquery will only build on Windows 10, the sole prerequisite. To do that, please see the official Building osquery for Windows guide.

WMI class querying functionality: refer to Querying Windows endpoints with WMI.

While the configuration is a core component of which queries one is interested in for their enterprise, we typically perform most of the daemon configuration through the --flagfile. Below is the flags file I typically use with the following config:

--config_plugin=filesystem
--config_path=C:\ProgramData\osquery\nf
--enable_monitor
--events_expiry=<seconds>
--logger_plugin=filesystem
--logger_path=C:\ProgramData\osquery\log
--database_path=C:\ProgramData\osquery\osquery.db

LOGGING FILE CHANGES WITH OSQUERY

Here's a bash script that uses osquery to log which files in a specific folder have been modified over a 15 minute period. My use case here wasn't file integrity monitoring; for that you would want to use file events. I tested this bash script on a Mac, but I think it would work just the same on Linux.

LOG_DIR=`echo ~/Documents/Logs/osquery_file_logs/`
LOG_FILE="$LOG_DIR/$LOG_FOLDER_NAME/$LOG_FILE_NAME.txt"
/usr/local/bin/osqueryi --csv --header=false "SELECT datetime(mtime,'unixepoch') AS file_last_modified_time, path FROM file WHERE path LIKE '$WORKSPACE_DIR/%%' AND type != 'directory' AND mtime > $AGO_TIMESTAMP ORDER BY mtime ASC" > $LOG_FILE

If you set this up in a cron job running every 15 minutes, you'll have a nice log of what files were changed when.

It has occurred to me that using osquery here is probably a bit overkill for this task. I think you could create a more rudimentary version of this script like this:

find $WORKSPACE_DIR -type f -newer $LOG_DIR/timestamp > $LOG_FILE

Using the -newer flag of the find command, it will return all files newer than our $LOG_DIR/timestamp, and because we touch that file after the script runs, the next time it runs it will show all files changed since it was last run.
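A complete version of the approach described above, written as an added example rather than the post's own script: it runs the post's osquery query when osqueryi is installed, otherwise falls back to find -newer against a timestamp file, and advances that timestamp after each run so the next run only reports changes since the last one. The workspace and log directory defaults, the 900-second window (matching a 15-minute cron entry) and the per-run log file naming are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not the original post's script): log which files under
# WORKSPACE_DIR changed in the last WINDOW_SECONDS. Uses osqueryi when
# present, otherwise find -newer against a timestamp file, and refreshes
# that timestamp so the next run only sees later changes. Directory names
# and the 900-second window are assumptions chosen for a 15-minute cron job.
set -eu

WORKSPACE_DIR="${WORKSPACE_DIR:-$HOME/Documents/workspace}"     # assumed default
LOG_DIR="${LOG_DIR:-$HOME/Documents/Logs/osquery_file_logs}"     # assumed default
WINDOW_SECONDS="${WINDOW_SECONDS:-900}"                          # 15 minutes
OSQUERYI="${OSQUERYI:-/usr/local/bin/osqueryi}"

# The SQL from the post with the workspace and cutoff substituted in. The
# doubled %% in the LIKE pattern is osquery's recursive wildcard for the file
# table; printf needs each literal % escaped, hence %%%%.
build_query() {
    workspace="$1"
    ago="$2"
    printf "SELECT datetime(mtime,'unixepoch') AS file_last_modified_time, path FROM file WHERE path LIKE '%s/%%%%' AND type != 'directory' AND mtime > %s ORDER BY mtime ASC" "$workspace" "$ago"
}

# Fallback without osquery: regular files whose mtime is newer than the stamp file.
find_changed_since() {
    workspace="$1"
    stamp="$2"
    find "$workspace" -type f -newer "$stamp" | sort
}

# Name the log file by day and time so each run gets its own file.
log_path_for_now() {
    printf '%s/%s/%s.txt' "$LOG_DIR" "$(date +%Y-%m-%d)" "$(date +%H%M)"
}

main() {
    stamp="$LOG_DIR/timestamp"
    log_file="$(log_path_for_now)"
    mkdir -p "$(dirname "$log_file")"
    # First run: create a stamp old enough that every file counts as changed.
    [ -e "$stamp" ] || touch -t 197001020000 "$stamp"
    ago=$(( $(date +%s) - WINDOW_SECONDS ))

    if [ -x "$OSQUERYI" ]; then
        "$OSQUERYI" --csv --header=false "$(build_query "$WORKSPACE_DIR" "$ago")" > "$log_file"
    else
        find_changed_since "$WORKSPACE_DIR" "$stamp" > "$log_file"
    fi
    # Advance the stamp so the next run reports only changes after this one.
    touch "$stamp"
    echo "wrote $log_file"
}

# Invoke as: ./file_change_log.sh run   (for example from a cron entry every 15 minutes)
case "${1:-}" in
    run) main ;;
esac
```

The osquery path is taken from mtime, so a file rewritten with an old mtime (touch -t, or an archive extracted with preserved timestamps) is missed by both the query and the find fallback; for tamper-resistant monitoring the post's own advice applies, which is to use osquery's file events instead.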
