# check-osquery.sh
# developed by Branch Network Consulting, LLC
#
# Determines if Osquery needs to be installed/upgraded to the target version on a system.
# To be run on Windows agents in "osquery" agent group from /var/ossec/custbin/ by a local "check-osquery" Wazuh command on every agent restart
#
# <ossec_config>
# <localfile>
# <log_format>command</log_format>
# <alias>check-osquery</alias>
# <command>custbin/check-osquery.sh</command>
# <frequency>86400</frequency>
# </localfile>
# </ossec_config>
#
# Outputs "0" if no target Osquery version defined in osquery-target-version.txt.
# Outputs "0" if Osquery is already loaded and at the target version.
# Outputs the target version number to indicate Osquery state needs to be remediated on this host.
#
# A Wazuh rule watching for non-zero "check-osquery" command output should trip a custom Wazuh integration to push a custom WPK corresponding
# to the reported target version, to install Osquery and this script and the related Wazuh command to the agent.
#
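# Is Osquery expected for this OS environment?
# The target version file is pushed to agents via the manager's shared
# directory; if it is absent, Osquery is not managed on this host.
target_file=/var/ossec/etc/shared/osquery-target-version.txt
if [ ! -f "$target_file" ]; then
  echo "0"
  exit 0
fi

# Read the target version and strip ALL surrounding whitespace, including a
# stray CR from a file edited on Windows. An empty or whitespace-only file is
# treated as "no target version defined" so the command never emits a blank
# line that the downstream Wazuh rule cannot classify.
TargetOsqueryVersion=$(tr -d '[:space:]' < "$target_file")
if [ -z "$TargetOsqueryVersion" ]; then
  echo "0"
  exit 0
fi

# The reported value is used by the manager-side integration to select a WPK,
# so only pass through version-like tokens. Anything else is reported as "0"
# (nothing to remediate) with a diagnostic on stderr, rather than forwarding
# arbitrary file contents into the command log.
case "$TargetOsqueryVersion" in
  *[!0-9A-Za-z._+-]*)
    printf 'check-osquery: ignoring malformed target version in %s\n' "$target_file" >&2
    echo "0"
    exit 0
    ;;
esac

# Installed version as reported by osquery itself (CSV: header line, then the
# value). If osqueryi is missing or fails, stdout is empty, the versions
# differ, and remediation is requested below.
InstalledVersion=$(/usr/bin/osqueryi --csv "select version from osquery_info;" | tail -n1 | tr -d '[:space:]')

if [ "$InstalledVersion" != "$TargetOsqueryVersion" ]; then
  echo "$TargetOsqueryVersion"
  exit 0
fi

# Versions match; the daemon may still be starting after the agent restart,
# so wait before concluding it is not running (delay kept from the original).
sleep 10

# pgrep -f matches the full command line and excludes itself, so no
# "grep -v grep" filtering is needed. A missing daemon also means remediation.
if ! pgrep -f 'osqueryd.*osquery-linux\.conf' > /dev/null 2>&1; then
  echo "$TargetOsqueryVersion"
  exit 0
fi

echo "0"
exit 0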