add osquery notes for 7.16 #120407

Merged
merged 4 commits into from
Dec 6, 2021
Changes from 1 commit
22 changes: 20 additions & 2 deletions docs/osquery/osquery.asciidoc
Expand Up @@ -287,14 +287,22 @@ you can create roles for users who can only run live or saved queries, but who c
This is useful for teams who need in-depth and detailed control.

[float]
=== Customize Osquery configuration
=== experimental[] Customize Osquery configuration
Contributor
By including this in the heading, the popup shows up very large. If you place it inline before "By default", it should display better.

Contributor Author
Good tip - I moved the note down to the start of the paragraph

By default, all Osquery Manager integrations share the same osquery configuration. However, you can customize how Osquery is configured by editing the Osquery Manager integration for each agent policy
you want to adjust. The custom configuration is then applied to all agents in the policy.
This powerful feature allows you to configure
https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring[File Integrity Monitoring], https://osquery.readthedocs.io/en/stable/deployment/process-auditing[Process auditing],
and https://osquery.readthedocs.io/en/stable/deployment/configuration/#configuration-specification[others].

IMPORTANT: Take caution when editing this configuration. The changes you make are distributed to all agents in the policy.
[IMPORTANT]
=========================

* Take caution when editing this configuration. The changes you make are distributed to all agents in the policy.

* Do not edit any `packs` configuration using this field.
When you add a pack from the Osquery *Packs* page in {kib}, this adds the definition to the *Osquery config* JSON field.
However, once a pack is added, it should only be edited from the Osquery *Packs* page.
=========================

. From the {kib} main menu, click *Fleet*, then the *Agent policies* tab.

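Review bot: The second bullet of the new `[IMPORTANT]` block tells readers not to edit `packs` through the *Osquery config* field but not what happens if they do, so a reader who already sees a pack definition in that JSON cannot tell whether the *Packs* page or the field is authoritative. Suggest adding one sentence stating the consequence, or tightening the wording to something like `* Edit packs only from the Osquery *Packs* page; do not change the pack definitions that page writes into the *Osquery config* JSON field.` Separately, `experimental[]` inside the `===` heading renders an oversized popup (as already raised in the thread); placing it at the start of the "By default, all Osquery Manager integrations..." paragraph keeps the heading clean, and that paragraph's long unwrapped first line should be wrapped like the surrounding lines.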
Expand All @@ -316,6 +324,16 @@ IMPORTANT: Take caution when editing this configuration. The changes you make ar

. Click *Save integration* to apply the custom configuration to all agents in the policy.

As an example, the following configuration disables two tables.

```
{
"options":{
"disable_tables":"curl,process_envs"
}
}
```

[float]
=== Upgrade Osquery versions

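Review bot: The new example is fenced with Markdown-style triple backticks and carries no language, while the rest of this AsciiDoc file uses AsciiDoc delimiters (see the `=========================` admonition above); use `[source,json]` over a `----` block so the JSON is highlighted and handled consistently by the build, and indent the object so `"options"` and `"disable_tables"` are readable. The lead-in "the following configuration disables two tables" also leaves out what that means for the policy: tables listed in `disable_tables` stop being queryable on every agent the policy applies to (the section above says the custom configuration is applied to all agents in the policy), which deserves one sentence since it is exactly the kind of change the `IMPORTANT` block warns about.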