audit_from_osquery

Audit a system property through osquery.

⚙️ Compatible targets: Linux

Parameters

NameDocumentation
queryThe query to execute (ending with a semicolon).

This parameter is required.
comparatorThe comparator to use ('=', '!=' or '~', default is '=').

Choices:
  • =
  • !=
  • ~

This parameter is optional.
valueThe expected value.

This parameter is required.

Outcome conditions

You need to replace ${query} with its actual canonified value.

  • ✅ Ok: audit_from_osquery_${query}_ok
    • ☑️ Already compliant: audit_from_osquery_${query}_kept
    • 🟨 Repaired: audit_from_osquery_${query}_repaired
  • ❌ Error: audit_from_osquery_${query}_error

Example

method: audit_from_osquery
params:
  value: VALUE
  comparator: =
  query: VALUE

Documentation

This method uses osquery to fetch information about the system, and compares the value with the given one, using the provided comparator.

Parameters

  • query is an osquery query returning exactly one result
  • comparator is the comparator to use: "=" for equality, "!=" for non-equality, "~" for regex comparison
  • value is the expected value, can be a string or a regex depending on the comparator

Setup

This method requires the presence of osquery on the target nodes. It won't install it automatically. Check the correct way of doing so for your OS.

Building queries

To learn about the possible queries, read the osquery schema for your osquery version.

You can test the queries before using them with the osqueryi command, see the example below.

osqueryi "select cpu_logical_cores from system_info;"

You need to provide a query that returns exactly one value. If it's not the case, the method will fail as it does not know what to check.

Examples

# To check the number of cpus on the machine
audit_from_osquery("select cpu_logical_cores from system_info;", "2");

Will report a compliant report if the machine has 3 cores, and a non compliant one if not.