Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func BuildPackQueries ¶
func PackQueryToString ¶
Types ¶
type Carve ¶
// Carve is the request an osquery agent sends to open a file carve session.
//
// osquery transmits the numeric fields as JSON strings, which is why
// BlockCount, BlockSize and CarveSize are strings here; callers parse them.
// Nothing in this type validates them — NOTE(review): the values originate
// from the agent, so a server should bound block_count*block_size before
// allocating storage for the carve.
//
// Example payload:
//
//	{"block_count":"1","block_size":"300000","carve_size":"12800",
//	 "carve_id":"3bed2f21-e306-4d2b-962c-3b207946c298","request_id":"",
//	 "node_key":"hx9gvmkir0xcta0opsb5"}
//
// SessionID is not part of the agent's request (the example above has none);
// it is presumably assigned server-side when the session is accepted.
// Field order is part of the wire format (json.Marshal emits fields in
// declaration order), so do not reorder.
type Carve struct {
	BlockCount string `json:"block_count"`
	BlockSize  string `json:"block_size"`
	CarveSize  string `json:"carve_size"`
	CarveID    string `json:"carve_id"`
	RequestID  string `json:"request_id"`
	NodeKey    string `json:"node_key"`
	SessionID  string `json:"session_id"`
}
type CarveData ¶
// CarveData is one block of a file carve as uploaded by an osquery agent.
//
// Data carries the block contents base64-encoded, exactly as the agent sends
// them; this type does not decode or size-check it. Example (data truncated):
//
//	{"block_id":"0","session_id":"306959833118746","request_id":"14998","data":"Q2IgUmVZJHGa..."}
//
// SessionBlockID and TimeToLive do not appear in the agent payload; they are
// presumably server-side bookkeeping (a composite key and an expiry) — confirm
// against the storage layer. Field order is the JSON output order; keep it.
type CarveData struct {
	SessionBlockID string `json:"session_block_id"`
	BlockID        string `json:"block_id"`
	SessionID      string `json:"session_id"`
	RequestID      string `json:"request_id"`
	Data           string `json:"data"`
	TimeToLive     int64  `json:"time_to_live"`
}
type DistributedQuery ¶
// DistributedQuery is the server's response to an agent's distributed-read
// request: the node key echoed back, the SQL to run, and whether the node has
// been invalidated (an invalidated node is expected to re-enroll).
//
// Queries is emitted as JSON null when nil and [] when empty; callers that
// depend on one or the other must construct the slice accordingly.
type DistributedQuery struct {
	NodeKey     string   `json:"node_key"`
	Queries     []string `json:"queries"`
	NodeInvalid bool     `json:"node_invalid"`
}
func (DistributedQuery) ToJSON ¶
func (dq DistributedQuery) ToJSON() string
ToJSON returns the DistributedQuery serialized as a JSON string (the exact formatting is applied in the method body, not shown here).
type DistributedQueryResult ¶
type OsqueryClient ¶
// OsqueryClient is the server-side record of an enrolled osquery node.
//
// NOTE(review): NodeKey is the credential the agent presents on every
// subsequent TLS request, and it is serialized under "node_key" here. If this
// struct is ever returned from an API or written to a shared log, that field
// leaks the node's bearer credential — redact it at those boundaries.
//
// HostDetails is a two-level map (table name -> column -> value, presumably;
// confirm against the enrollment handler). Tags and ConfigurationGroup are the
// only omitempty fields; everything else is always emitted, so LastUpdated is
// "" until SetTimestamp has been called.
type OsqueryClient struct {
	HostIdentifier              string                       `json:"host_identifier"`
	NodeKey                     string                       `json:"node_key"`
	NodeInvalid                 bool                         `json:"node_invalid"`
	HostName                    string                       `json:"host_name"`
	HostDetails                 map[string]map[string]string `json:"host_details"`
	PendingRegistrationApproval bool                         `json:"pending_registration_approval"`
	Tags                        []string                     `json:"tags,omitempty"`
	ConfigurationGroup          string                       `json:"configuration_group,omitempty"`
	ConfigName                  string                       `json:"config_name"`
	LastUpdated                 string                       `json:"last_updated"`
}
func (*OsqueryClient) SetTimestamp ¶
func (os *OsqueryClient) SetTimestamp()
SetTimestamp sets the client's timestamp to the current time, using the string format the package expects.
type OsqueryConfig ¶
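// OsqueryConfig is the configuration document served to an enrolled osquery
// node: its options, decorators, schedule and packs.
//
// Whoever can write this document controls what every node that receives it
// runs and logs (see the Disable* switches in OsqueryOptions), so the store it
// is loaded from should be treated as security-sensitive.
//
// NodeInvalid has no json tag, so it is encoded under the key "NodeInvalid",
// not the snake_case "node_invalid" used by DistributedQuery and OsqueryClient.
// It is left untagged here because changing the key would change the wire
// format; confirm with consumers before normalising it.
type OsqueryConfig struct {
	NodeInvalid bool
	Options     OsqueryOptions `json:"options"`
	// The tag option was previously misspelt "omitemtpy", which encoding/json
	// silently ignores. Corrected for consistency with Schedule; note that
	// omitempty never omits a struct-typed field, so Decorators and Schedule
	// are always emitted regardless.
	Decorators OsqueryDecorators `json:"decorators,omitempty"`
	Schedule   OsquerySchedule   `json:"schedule,omitempty"`
	// Packs is nested pack name -> section -> query name -> attribute -> value
	// (presumably mirroring osquery's pack format; confirm against
	// BuildPackQueries / PackQueryToString).
	Packs map[string]map[string]map[string]map[string]string `json:"packs"`
}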
type OsqueryDecorators ¶
type OsqueryNamedConfig ¶
// OsqueryNamedConfig is a stored, named OsqueryConfig together with the
// operating system it targets and the list of pack names attached to it.
//
// PackList holds pack names only; the packs themselves are expanded into
// OsqueryConfig.Packs elsewhere (presumably when the config is served).
type OsqueryNamedConfig struct {
	ConfigName    string        `json:"config_name"`
	OsqueryConfig OsqueryConfig `json:"osquery_config"`
	OsType        string        `json:"os_type"`
	PackList      []string      `json:"pack_list"`
}
type OsqueryOptions ¶
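// OsqueryOptions mirrors the "options" object of an osquery configuration.
// Each JSON key is an osquery flag name; the agent applies the object on top
// of its command-line flags.
//
// Security notes for whoever populates this struct:
//   - AwsAccessKeyID / AwsSecretAccessKey are static credentials that are
//     pushed to every node receiving the config. Prefer AwsSTSARNRole and keep
//     long-lived keys out of fleet-wide configs.
//   - The Disable* switches turn off auditing, events, logging, carving and
//     the watchdog on the endpoint, so write access to this config is
//     effectively the power to blind the fleet.
//   - TLS settings are deliberately absent: they must come from the flags
//     file, because the agent has no TLS channel until those flags are set.
//
// Fields without omitempty are always emitted (zero value included); fields
// with omitempty are dropped when zero. That split decides which flags the
// agent sees, so it is preserved as-is here.
//
// Fix in this revision: ExtensionsAutoload was tagged "extenstions_autoload",
// a misspelling that matches no osquery flag and was inconsistent with the
// other extensions_* keys; it is now "extensions_autoload".
type OsqueryOptions struct {
	// Audit
	AuditAllowConfig  bool `json:"audit_allow_config"`
	AuditAllowSockets bool `json:"audit_allow_sockets"`
	AuditPersist      bool `json:"audit_persist"`

	// AWS logger plugins (Firehose / Kinesis)
	AwsAccessKeyID               string `json:"aws_access_key_id,omitempty"`
	AwsFirehosePeriod            int    `json:"aws_firehose_period,omitempty"`
	AwsFirehoseStream            string `json:"aws_firehose_stream"`
	AwsKinesisPeriod             int    `json:"aws_kinesis_period,omitempty"`
	AwsKinesisRandomPartitionKey bool   `json:"aws_kinesis_random_partition_key,omitempty"`
	AwsKinesisStream             string `json:"aws_kinesis_stream,omitempty"`
	AwsProfileName               string `json:"aws_profile_name,omitempty"`
	AwsRegion                    string `json:"aws_region,omitempty"`
	AwsSecretAccessKey           string `json:"aws_secret_access_key,omitempty"`
	AwsSTSARNRole                string `json:"aws_sts_arn_role,omitempty"`
	AwsSTSRegion                 string `json:"aws_sts_region,omitempty"`
	AwsSTSSessionName            string `json:"aws_sts_session_name,omitempty"`
	AwsSTSTimeout                string `json:"aws_sts_timeout,omitempty"`

	// Carver
	CarverBlockSize        int    `json:"carver_block_size,omitempty"`
	CarverContinueEndpoint string `json:"carver_continue_endpoint,omitempty"`
	CarverStartEndpoint    string `json:"carver_start_endpoint,omitempty"`
	CarverDisableFunction  bool   `json:"carver_disable_function"`

	// Config refresh / output format
	ConfigRefresh int  `json:"config_refresh"`
	CSV           bool `json:"csv,omitempty"`

	// Feature switches. None of these carry omitempty, so a false is sent
	// explicitly rather than left to the agent's default.
	DisableAudit        bool `json:"disable_audit"`
	DisableCaching      bool `json:"disable_caching"`
	DisableCarver       bool `json:"disable_carver"`
	DisableDatabase     bool `json:"disable_database"`
	DisableDecorators   bool `json:"disable_decorators"`
	DisableDistributed  bool `json:"disable_distributed"`
	DisableEnrollment   bool `json:"disable_enrollment"`
	DisableEvents       bool `json:"disable_events"`
	DisableExtensions   bool `json:"disable_extensions"`
	DisableForensic     bool `json:"disable_forensic"`
	DisableKernel       bool `json:"disable_kernel"`
	DisableLogging      bool `json:"disable_logging"`
	DisableMemory       bool `json:"disable_memory"`
	DisableReenrollment bool `json:"disable_reenrollment"`
	DisableTables       bool `json:"disable_tables"`
	DisableWatchdog     bool `json:"disable_watchdog"`

	// Distributed queries
	DistributedInterval         int    `json:"distributed_interval,omitempty"`
	DistributedPlugin           string `json:"distributed_plugin,omitempty"`
	DistributedTLSMaxAttempts   int    `json:"distributed_tls_max_attempts,omitempty"`
	DistributedTLSReadEndpoint  string `json:"distributed_tls_read_endpoint,omitempty"`
	DistributedTLSWriteEndpoint string `json:"distributed_tls_write_endpoint,omitempty"`
	EnableForeign               bool   `json:"enable_foreign"`
	EnableMonitor               bool   `json:"enable_monitor"`
	EnableSyslog                bool   `json:"enable_syslog"`

	// Events
	EventsExpiry   int  `json:"events_expiry"`
	EventsMax      int  `json:"events_max"`
	EventsOptimize bool `json:"events_optimize"`

	// Extensions. ExtensionsRequire names extension binaries the agent must
	// load, so this value is executable-path configuration delivered from
	// the server; keep it under the same change control as the rest.
	ExtensionsAutoload    bool   `json:"extensions_autoload,omitempty"`
	ExtensionsInterval    int    `json:"extensions_interval,omitempty"`
	ExtensionsRequire     string `json:"extensions_require,omitempty"`
	ExtensionsTimeout     int    `json:"extensions_timeout,omitempty"`
	Force                 bool   `json:"force,omitempty"`
	HardwareDisabledTypes string `json:"hardware_disabled_types,omitempty"`
	Header                bool   `json:"header,omitempty"`
	HostIdentifier        string `json:"host_identifier"`

	// Output formatting
	JSON bool `json:"json,omitempty"`
	Line bool `json:"line,omitempty"`
	List bool `json:"list,omitempty"`

	// Logger. LoggerPath and SyslogPipePath (below) are filesystem paths
	// written by the agent; they are passed through unvalidated here.
	LoggerEventType           bool   `json:"logger_event_type,omitempty"`
	LoggerMinStatus           int    `json:"logger_min_status,omitempty"`
	LoggerMode                int    `json:"logger_mode,omitempty"`
	LoggerPath                string `json:"logger_path,omitempty"`
	LoggerPlugin              string `json:"logger_plugin"`
	LoggerSecondaryStatusOnly bool   `json:"logger_secondary_status_only,omitempty"`
	LoggerSnapshotEventType   bool   `json:"logger_snapshot_event_type,omitempty"`
	LoggerStatusSync          bool   `json:"logger_status_sync,omitempty"`
	LoggerSyslogFacility      int    `json:"logger_syslog_facility,omitempty"`
	LoggerSyslogPrependCee    bool   `json:"logger_syslog_prepend_cee,omitempty"`
	LoggerTLSCompress         bool   `json:"logger_tls_compress,omitempty"`
	// The logger TLS endpoint itself is provided by flags, not here.
	LoggerTLSMax    int  `json:"logger_tls_max,omitempty"`
	LoggerTLSPeriod int  `json:"logger_tls_period,omitempty"`
	Logtostderr     bool `json:"logtostderr,omitempty"`

	// Schedule
	ScheduleDefaultInterval int `json:"schedule_default_interval,omitempty"`
	ScheduleSplayPercent    int `json:"schedule_splay_percent,omitempty"`

	// Syslog
	SyslogEventsExpiry int    `json:"syslog_events_expiry,omitempty"`
	SyslogEventsMax    int    `json:"syslog_events_max,omitempty"`
	SyslogPipePath     string `json:"syslog_pipe_path,omitempty"`
	SyslogRateLimit    int    `json:"syslog_rate_limit,omitempty"`

	// TLS settings are intentionally not configurable from here: they belong
	// in the flags file, since without them there is no guarantee the agent
	// is talking TLS when this config arrives.
	UTC     bool `json:"utc,omitempty"`
	Verbose bool `json:"verbose"`

	// Watchdog
	WatchdogLevel            int `json:"watchdog_level,omitempty"`
	WatchdogMemoryLimit      int `json:"watchdog_memory_limit,omitempty"`
	WatchdogUtilizationLimit int `json:"watchdog_utilization_limit,omitempty"`
}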
func NewOsqueryOptions ¶
func NewOsqueryOptions() OsqueryOptions
NewOsqueryOptions returns an OsqueryOptions populated with the package's default values for osquery.
type OsqueryQuery ¶
// OsqueryQuery wraps a single SQL statement under the "query" key.
//
// The string is passed through as-is; nothing here checks that it is a
// read-only SELECT, so the source of the query must already be trusted.
type OsqueryQuery struct {
	Query string `json:"query"`
}
type OsquerySchedule ¶
// OsquerySchedule is the "schedule" section of an osquery config. It holds a
// single entry keyed "time" whose type, Time, is declared elsewhere in this
// package (its fields are not visible here).
type OsquerySchedule struct {
	Time Time `json:"time"`
}
type OsqueryUploadConfig ¶
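// OsqueryUploadConfig is the shape an operator uploads to create a config: the
// same options/decorators/schedule as OsqueryConfig, but with Packs given as a
// list of pack names rather than the expanded pack bodies.
//
// Because an uploaded config is what eventually runs on every node it is
// assigned to, the upload path should be authenticated and audited.
//
// NodeInvalid has no json tag and so is encoded as "NodeInvalid"; it is left
// untagged to keep the wire format unchanged.
type OsqueryUploadConfig struct {
	NodeInvalid bool
	Options     OsqueryOptions `json:"options"`
	// The tag option was previously misspelt "omitemtpy", which encoding/json
	// silently ignores. Corrected to match Schedule; omitempty never omits a
	// struct-typed field, so both are always emitted regardless.
	Decorators OsqueryDecorators `json:"decorators,omitempty"`
	Schedule   OsquerySchedule   `json:"schedule,omitempty"`
	Packs      []string          `json:"packs"`
}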
type Pack ¶
type PackQuery ¶
type ServerConfig ¶
// ServerConfig is the server's own settings, loaded from a JSON file by
// GetServerConfig.
//
// NOTE(review): FirehoseAWSAccessKeyID and FirehoseAWSSecretAccessKey are
// static cloud credentials stored in plaintext in that file; restrict the
// file's permissions and prefer instance/role credentials where possible.
//
// AutoApproveNodes is a string, not a bool — how it is interpreted is decided
// by its consumer, not here. The key "distributed_query_logger_filesytem_path"
// is misspelt (sic) but is what existing config files contain, so it is kept.
type ServerConfig struct {
	FirehoseAWSAccessKeyID                   string   `json:"firehose_aws_access_key_id"`
	FirehoseAWSSecretAccessKey               string   `json:"firehose_aws_secret_access_key"`
	FirehoseStreamName                       string   `json:"firehose_stream_name"`
	DistributedQueryLogger                   []string `json:"distributed_query_logger"`
	DistributedQueryLoggerS3BucketName       string   `json:"distributed_query_logger_s3_bucket_name"`
	DistributedQueryLoggerFirehoseStreamName string   `json:"distributed_query_logger_firehose_stream_name"`
	DistributedQueryLoggerFilesytemPath      string   `json:"distributed_query_logger_filesytem_path"`
	AutoApproveNodes                         string   `json:"auto_approve_nodes"`
}
func GetServerConfig ¶
func GetServerConfig(fn string) (*ServerConfig, error)