Local configuration for osquery on Windows

I pretty commonly get asked for a generic Windows configuration for osquery, since the example configuration packs in the osquery repository lean toward POSIX systems (something we're hoping to improve).

While the configuration file determines which queries your enterprise is interested in, most of the daemon's own settings are supplied through the --flagfile. Below is the flags file I typically use together with the config that follows.

--config_plugin=filesystem
--config_path=C:\ProgramData\osquery\osquery.conf
--enable_monitor
--events_expiry=300
--logger_plugin=filesystem
--logger_path=C:\ProgramData\osquery\log
--database_path=C:\ProgramData\osquery\osquery.db
--pidfile=C:\ProgramData\osquery\osquery.pid
--disable_watchdog=false
--disable_events=false
--windows_event_channels=System,Application,Setup,Security
--verbose

And here's the corresponding osquery.conf

{
  "schedule": {
    "heartbeat": {
      "query": "select si.hostname, si.uuid, si.computer_name, up.total_seconds as uptime from system_info si, uptime up;",
      "interval": 900,
      "snapshot": "true"
    },
    "windows_events": {
      "query": "select * from windows_events;",
      "interval": 180
    },
    "interface_addr_mac": {
      "query": "select ia.address, ia.mask, id.mac from interface_addresses ia, interface_details id where ia.interface = id.interface;",
      "interval": 300,
      "snapshot": "true"
    },
    "logged_in_users": {
      "query": "select user, time, pid from logged_in_users where type='active';",
      "interval": 300,
      "snapshot": "true"
    },
    "listening_ports": {
      "query": "select * from listening_ports;",
      "interval": 300,
      "snapshot": "true"
    },
    "processes": {
      "query": "select * from processes;",
      "interval": 300,
      "snapshot": "true"
    },
    "scheduled_tasks": {
      "query": "select * from scheduled_tasks;",
      "interval": 3600
    },
    "startup_items": {
      "query": "select * from startup_items;",
      "interval": 3600,
      "snapshot": "true"
    },
    "drivers": {
      "query": "select * from drivers;",
      "interval": 86400,
      "snapshot": "false"
    },
    "services": {
      "query": "select * from services;",
      "interval": 86400,
      "snapshot": "false"
    },
    "etc_hosts": {
      "query": "select * from etc_hosts;",
      "interval": 86400,
      "snapshot": "false"
    },
    "windows_patches": {
      "query": "select * from patches;",
      "interval": 86400,
      "snapshot": "false"
    },
    "system_users": {
      "query": "select * from users;",
      "interval": 86400,
      "snapshot": "false"
    }
  },
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  },
  // Fill this in with your own packs, or with the example packs from the osquery repo
  "packs": { }
}

Hello world.

First post!

I need some content to edit colors and such. More to come! For now, here's some generic content, along with some PowerShell code that builds the Apache Thrift libraries statically for osquery :D

#  Copyright (c) 2014-present, Facebook, Inc.
#  All rights reserved.
#
#  This source code is licensed under the BSD-style license found in the
#  LICENSE file in the root directory of this source tree. An additional grant
#  of patent rights can be found in the PATENTS file in the same directory.

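# Update-able metadata
#
# $version        - The version of the software package to build
# $chocoVersion   - The chocolatey package version, used for incremental bumps
#                   without changing the version of the software package
# $expectedSha256 - SHA-256 digest of the downloaded source archive. Empty
#                   means "do not verify" (a warning is printed); set it to the
#                   digest of a known-good archive to pin what gets built.
$version = '0.10.0'
$chocoVersion = '0.10.0-r4'
# Placeholder: replace with the real digest of the $version archive once known.
$expectedSha256 = ''
$packageName = 'thrift-dev'
$projectSource = 'https://github.com/apache/thrift'
$packageSourceUrl = 'https://github.com/apache/thrift'
$authors = 'thrift-dev'
$owners = 'thrift-dev'
$copyright = 'https://github.com/apache/thrift/blob/master/LICENSE'
$license = 'https://github.com/apache/thrift/blob/master/LICENSE'
$url = "https://github.com/apache/thrift/archive/$version.zip"
$parentPath = $(Split-Path -Parent $MyInvocation.MyCommand.Definition)
# NOTE(review): $patchfiles is not referenced anywhere in this script; the one
# change to the tree is applied inline below with Add-Content. Kept in case the
# sourced utilities file reads it -- confirm before removing.
$patchfiles = @(
  Join-Path $parentPath "patches/thrift-dev.patch"
)

# Invoke our utilities file. Get-OsqueryBuildPath, Invoke-BatchFile,
# Start-OsqueryProcess and Write-NuSpec are not defined here, so they are
# presumably supplied by it.
. $(Join-Path $parentPath "osquery_utils.ps1")

# Invoke the MSVC developer tools/env
Invoke-BatchFile "$env:VS140COMNTOOLS\..\..\vc\vcvarsall.bat" amd64

# Time our execution
$sw = [System.Diagnostics.StopWatch]::startnew()

# Keep the location of build script, to bring with in the chocolatey package
$buildScript = $MyInvocation.MyCommand.Definition

# Create the choco build dir if needed
$buildPath = Get-OsqueryBuildPath
if ($buildPath -eq '') {
  Write-Host '[-] Failed to find source root' -ForegroundColor Red
  # Non-zero so a calling build pipeline sees the failure instead of a clean exit
  exit 1
}
$chocoBuildPath = "$buildPath\chocolatey\$packageName"
if (-not (Test-Path "$chocoBuildPath")) {
  New-Item -Force -ItemType Directory -Path "$chocoBuildPath"
}
Set-Location $chocoBuildPath

# Retrieve the source. The archive is only fetched when absent, so a cached
# copy in the build dir is reused across runs.
$archive = "$packageName-$version.zip"
if (-not (Test-Path $archive)) {
  Invoke-WebRequest $url -OutFile $archive
}

# Verify what we are about to build from. The archive arrives over the network
# (or has been sitting in the build dir since an earlier run), so compare it to
# the pinned digest before anything is extracted or compiled. Get-FileHash
# returns upper-case hex; -ne compares case-insensitively in PowerShell.
if ($expectedSha256 -ne '') {
  $actualSha256 = (Get-FileHash -Algorithm SHA256 -Path $archive).Hash
  if ($actualSha256 -ne $expectedSha256) {
    Write-Host "[-] SHA256 mismatch for $archive (expected $expectedSha256, got $actualSha256)" `
      -ForegroundColor Red
    exit 1
  }
}
else {
  Write-Host "[!] `$expectedSha256 is empty; skipping integrity check of $archive" `
    -ForegroundColor Yellow
}

# Extract the source
$sourceDir = Join-Path $(Get-Location) "thrift-$version"
if (-not (Test-Path $sourceDir)) {
  $7z = (Get-Command '7z').Source
  $7zargs = "x $archive"
  Start-OsqueryProcess $7z $7zargs
}
Set-Location $sourceDir

# Build the libraries
$buildDir = New-Item -Force -ItemType Directory -Path 'osquery-win-build'
Set-Location $buildDir

# Patches are applied in this section before build.
# Windows TPipe implementations are _very_ noisy, so we squelch the output.
# Append the definition only once, so re-running against an already-extracted
# tree does not stack duplicate lines in CMakeLists.txt.
$cmakeLists = "$buildDir\..\lib\cpp\CMakeLists.txt"
$squelch = 'add_definitions(-DTHRIFT_SQUELCH_CONSOLE_OUTPUT=1)'
if (-not (Select-String -Path $cmakeLists -Pattern $squelch -SimpleMatch -Quiet)) {
  Add-Content -NoNewline -Path $cmakeLists -Value "`n$squelch"
}

# Generate the solution files. Dependency locations point at the chocolatey
# install prefix of the other osquery third-party packages.
$cmake = (Get-Command 'cmake').Source
$cmakeArgs = @(
  '-G "Visual Studio 14 2015 Win64"',
  '-DBUILD_COMPILER=ON',
  '-DWITH_SHARED_LIB=OFF',
  '-DBUILD_TESTING=OFF',
  '-DBUILD_TUTORIALS=OFF',
  '-DWITH_ZLIB=ON',
  '-DZLIB_INCLUDE_DIR=C:/ProgramData/chocolatey/lib/zlib/local/include',
  '-DZLIB_LIBRARY=C:/ProgramData/chocolatey/lib/zlib/local/lib/zlibstatic.lib',
  '-DWITH_OPENSSL=ON',
  '-DOPENSSL_INCLUDE_DIR=C:/ProgramData/chocolatey/lib/openssl/local/include',
  '-DOPENSSL_ROOT_DIR=C:/ProgramData/chocolatey/lib/openssl/local',
  '-DBOOST_LIBRARYDIR=C:/ProgramData/chocolatey/lib/boost-msvc14/local/lib',
  '-DBOOST_ROOT=C:/ProgramData/chocolatey/lib/boost-msvc14/local',
  '-DWITH_STDTHREADS=ON',
  '-DWITH_MT=ON',
  '../'
)
Start-OsqueryProcess $cmake $cmakeArgs

# Build the libraries: Release for packaging, Debug so the package also ships
# libraries usable for troubleshooting.
$msbuild = (Get-Command 'msbuild').Source
$sln = 'Apache Thrift.sln'
$targets = @(
  'thrift_static',
  'thriftz_static'
)
foreach ($target in $targets) {
  $msbuildArgs = @(
    "`"$sln`"",
    "/p:Configuration=Release",
    "/t:$target",
    '/m',
    '/v:m'
  )
  Start-OsqueryProcess $msbuild $msbuildArgs

  # Bundle debug libs for troubleshooting
  $msbuildArgs = @(
    "`"$sln`"",
    "/p:Configuration=Debug",
    "/t:$target",
    '/m',
    '/v:m'
  )
  Start-OsqueryProcess $msbuild $msbuildArgs
}

# Lastly build the Thrift Compiler
$msbuildArgs = @(
  "`"$sln`"",
  '/p:Configuration=Release',
  '/t:thrift-compiler',
  '/m',
  '/v:m'
)
Start-OsqueryProcess $msbuild $msbuildArgs

# If the packaging path exists, purge it for a clean packaging
$chocoDir = Join-Path $(Get-Location) 'osquery-choco'
if (Test-Path $chocoDir) {
  Remove-Item -Force -Recurse $chocoDir
}

# Construct the Chocolatey Package
New-Item -ItemType Directory -Path $chocoDir
Set-Location $chocoDir
$includeDir = New-Item -ItemType Directory -Path 'local\include'
$libDir = New-Item -ItemType Directory -Path 'local\lib'
$binDir = New-Item -ItemType Directory -Path 'local\bin'
$srcDir = New-Item -ItemType Directory -Path 'local\src'

Write-NuSpec `
  $packageName `
  $chocoVersion `
  $authors `
  $owners `
  $projectSource `
  $packageSourceUrl `
  $copyright `
  $license

# Rename the Debug libraries to end with a `_dbg.lib`. Splitting on the last
# '.' via System.IO.Path keeps names with several dots intact and does not
# misbehave on a file with no extension at all.
foreach ($lib in Get-ChildItem "$buildDir\lib\Debug\") {
  $stem = [System.IO.Path]::GetFileNameWithoutExtension($lib.Name)
  $ext = [System.IO.Path]::GetExtension($lib.Name)   # includes the leading '.'
  Copy-Item `
    -Path $lib.FullName `
    -Destination "$libDir\$stem`_dbg$ext"
}
Copy-Item "$buildDir\lib\Release\*" $libDir
Copy-Item "$buildDir\bin\Release\*" $binDir
Copy-Item -Recurse "$buildDir\..\lib\cpp\src\thrift" $includeDir
# Ship this script with the package so the build can be reproduced
Copy-Item $buildScript $srcDir
choco pack

Write-Host "[*] Build took $($sw.ElapsedMilliseconds) ms" `
  -ForegroundColor DarkGreen
if (Test-Path "$packageName.$chocoVersion.nupkg") {
  Write-Host `
    "[+] Finished building $packageName v$chocoVersion." `
    -ForegroundColor Green
}
else {
  Write-Host `
    "[-] Failed to build $packageName v$chocoVersion." `
    -ForegroundColor Red
  # Surface the failure to the caller instead of exiting 0
  exit 1
}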