osquery.conf toegevoegd

DebianTweaks.sh

@@ -86,3 +86,40 @@ deb [arch=amd64 signed-by=/etc/apt/keyrings/osquery.asc] https://pkg.osquery.io/
 EOF
 apt update
 apt install -y osquery
+cat >> /etc/osquery/osquery.conf << "EOF"
+{
+    "options": {
+        "config_plugin": "filesystem",
+        "logger_plugin": "filesystem",
+        "utc": "true"
+    },
+
+    "schedule": {
+        "system_info": {
+        "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
+        "interval": 3600
+        },
+        "high_load_average": {
+        "query": "SELECT period, average, '70%' AS 'threshold' FROM load_average WHERE period = '15m' AND average > '0.7';",
+        "interval": 900,
+        "description": "Report if load charge is over 70 percent."
+        },
+        "low_free_memory": {
+        "query": "SELECT memory_total, memory_free, CAST(memory_free AS real) / memory_total AS memory_free_perc, '10%' AS threshold FROM memory_info WHERE memory_free_perc < 0.1;",
+        "interval": 1800,
+        "description": "Free RAM is under 10%."
+        }
+    },
+
+    "packs": {
+        "osquery-monitoring": "/opt/osquery/share/osquery/packs/osquery-monitoring.conf",
+        "incident-response": "/opt/osquery/share/osquery/packs/incident-response.conf",
+        "it-compliance": "/opt/osquery/share/osquery/packs/it-compliance.conf",
+        "vuln-management": "/opt/osquery/share/osquery/packs/vuln-management.conf",
+        "hardware-monitoring": "/opt/osquery/share/osquery/packs/hardware-monitoring.conf",
+        "ossec-rootkit": "/opt/osquery/share/osquery/packs/ossec-rootkit.conf"
+    }
+}
+EOF
+systemctl enable osqueryd
+systemctl start osqueryd