deployment
Prior to distributing osquery to your infrastructure, please:
- Verify you understand your configuration options
- Verify you have a good understanding of osqueryi and the commands and tables available
Install the osquery repository, download the latest-stable package, or build a custom package by following the install instructions.
You can now distribute and install the package across your infrastructure. The few library dependencies are included with the package management metadata. The packages include init and example config files, but in all cases the osqueryd daemon is installed disabled.
Our recommended OS X install is through Homebrew, but this does not scale for large organizations. For large deployments we publish a latest-stable OS X PKG built from the latest GitHub-tagged release with instructions.
However, we also support building customized packages through our build process. We try to remove as many build confounds for OS X as possible in our CMake logic.
Once you've built the code and set up a config, run the following command from the root of the osquery repository:
$ ./tools/deployment/make_osx_package.sh -c ~/path/to/my/osquery.conf
This tool will build an OS X package with:
- the osqueryi and osqueryd binaries
- the LaunchDaemon that is responsible for osqueryd
- the osqueryd config file that was specified via the command line
Here is the output from us running make_osx_package.sh:
$ ./tools/deployment/make_osx_package.sh -c ~/Desktop/osquery.conf
[+] no custom launchd path was defined. using /Users/reed/git/github/osquery/tools/deployment/com.facebook.osqueryd.plist
[+] copying osquery binaries
[+] copying osquery configurations
[+] finalizing preinstall and postinstall scripts
[+] creating package
[+] package created at ~/git/osquery/osqueryd.pkg
As you can see, the distributable package can be found at ~/git/osquery/osqueryd.pkg.
You can now use your existing package distribution system (JAMF, Chef, etc.) to push this package to your infrastructure.
If you want to modify the command-line arguments used to start osquery, copy and modify the LaunchDaemon which is included with this repository to suit your liking. When you run make_osx_package.sh, include a -l/--launchd-path flag which indicates the path of your new LaunchDaemon. If specified, this will be used instead of the default LaunchDaemon. For example:
$ ./tools/deployment/make_osx_package.sh -c /internal/osquery/osquery.conf -l /internal/osquery/com.facebook.osqueryd.plist
Perhaps you just want to deploy the osquery binaries via a pkg and you'd like to manage the scheduling of osqueryd via some other mechanism. To do this, when you run make_osx_package.sh, include a -n/--no-launchd flag. This will make the package just lay the binaries down. The LaunchDaemon won't be included and no LaunchDaemon will be unloaded or loaded by the post-install script of the package. For example:
$ ./tools/deployment/make_osx_package.sh -n
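Before handing a built package to your distribution system, it is worth confirming that its payload matches the build mode you intended: binaries, LaunchDaemon and config for a default or -l build, binaries without a LaunchDaemon for a -n build. The script below is an added example, not part of the osquery repository; it assumes the payload keeps the file names used on this page and that the listing comes from macOS `pkgutil --payload-files`. The function names and the `PLIST_NAME`/`CONF_NAME` variables are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the osquery repository.
# Reads a payload listing (one path per line) on stdin, for instance from
#   pkgutil --payload-files osqueryd.pkg
# and checks it against what the page says the package contains.
# Assumption: files keep the names used on this page; override if yours differ.
PLIST_NAME=${PLIST_NAME:-com.facebook.osqueryd.plist}
CONF_NAME=${CONF_NAME:-osquery.conf}

# payload_has LISTING NAME: true if some path's final component equals NAME.
payload_has() {
    printf '%s\n' "$1" |
        awk -F/ -v n="$2" '$NF == n { f = 1 } END { exit !f }'
}

# check_osquery_payload MODE < listing
#   launchd     built with -c (and optionally -l): binaries, plist, config
#   no-launchd  built with -n: binaries only, LaunchDaemon must be absent
check_osquery_payload() {
    mode=$1
    listing=$(cat)
    rc=0
    for bin in osqueryi osqueryd; do
        payload_has "$listing" "$bin" || { echo "missing: $bin" >&2; rc=1; }
    done
    case $mode in
    launchd)
        for f in "$PLIST_NAME" "$CONF_NAME"; do
            payload_has "$listing" "$f" || { echo "missing: $f" >&2; rc=1; }
        done ;;
    no-launchd)
        if payload_has "$listing" "$PLIST_NAME"; then
            echo "unexpected LaunchDaemon: $PLIST_NAME" >&2; rc=1
        fi ;;
    *)
        echo "usage: check_osquery_payload launchd|no-launchd" >&2
        return 2 ;;
    esac
    return "$rc"
}

# Constructed listing (PREFIX is a placeholder, not a real install path).
sample='./PREFIX/bin/osqueryi
./PREFIX/bin/osqueryd
./PREFIX/LaunchDaemons/com.facebook.osqueryd.plist
./PREFIX/etc/osquery.conf'
printf '%s\n' "$sample" | check_osquery_payload launchd && echo "launchd package: ok"
```

On a build machine, pipe the real listing in: `pkgutil --payload-files osqueryd.pkg | check_osquery_payload launchd`, and treat a non-zero exit status as a reason not to push the package.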