osquery-s3-config

An osquery config plugin to read from a configuration file stored in an AWS S3 bucket.

Building

To build the osquery extension you will need to have the following installed:

To build the extension use the following commands:

make

Configuration

To run the extension, the following environment variables must be set:

OSQUERY_S3_CONFIG_BUCKET_NAME
OSQUERY_S3_CONFIG_BUCKET_REGION
OSQUERY_S3_CONFIG_PATH // optional - defaults to `osquery.conf`

AWS configuration

The extension uses the standard AWS SDK mechanisms for AWS configuration. This includes environment variables (AWS_ACCESS_KEY_ID), profiles (AWS_PROFILE), and IAM authentication.

Troubleshooting

When troubleshooting, ensure you are running osqueryd/osqueryi with the --verbose flag.

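Note: if running osquery as root, you will have to either change the ownership of build/osquery-s3-config.ext to root or pass the --allow_unsafe flag. Changing ownership is the safer choice, because --allow_unsafe makes osquery accept extension binaries with unsafe permissions.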
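
A pre-flight check for the Configuration and Troubleshooting steps above, as an added example that is not part of this project. It reports every missing required variable, shows the effective config path, and checks the extension's owner when osquery will run as root. The function names s3_config_env_check and ext_owner_check are hypothetical.

```sh
#!/bin/sh
# Added example (not project code): pre-flight checks for the settings in this README.

# Print the effective settings, or fail naming every missing required variable.
s3_config_env_check() {
    missing=""
    for var in OSQUERY_S3_CONFIG_BUCKET_NAME OSQUERY_S3_CONFIG_BUCKET_REGION; do
        eval "val=\${$var:-}"
        [ -n "$val" ] || missing="$missing $var"
    done
    if [ -n "$missing" ]; then
        echo "missing required variables:$missing" >&2
        return 1
    fi
    # OSQUERY_S3_CONFIG_PATH is optional and defaults to osquery.conf.
    echo "bucket=$OSQUERY_S3_CONFIG_BUCKET_NAME region=$OSQUERY_S3_CONFIG_BUCKET_REGION path=${OSQUERY_S3_CONFIG_PATH:-osquery.conf}"
}

# Check the extension's owner for the uid osquery will run as.
# Returns 0 if acceptable, 1 if osquery runs as root but the file is not
# root-owned, 2 if the file does not exist.
ext_owner_check() {
    ext=$1
    run_uid=${2:-$(id -u)}
    if [ ! -f "$ext" ]; then
        echo "extension not found: $ext" >&2
        return 2
    fi
    # The README only describes the root case; nothing to check otherwise.
    [ "$run_uid" -eq 0 ] || return 0
    # Field 3 of `ls -ldn` is the numeric owner uid (portable across GNU/BSD).
    owner=$(ls -ldn "$ext" | awk '{print $3}')
    if [ "$owner" -ne 0 ]; then
        echo "$ext is owned by uid $owner; chown it to root before loading" >&2
        return 1
    fi
    return 0
}

# Usage, run from the repository root after `make`:
#   s3_config_env_check && ext_owner_check build/osquery-s3-config.ext
```
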

Thanks

groob for the example in his blog post Extending osquery with Go.