audit_from_osquery
Audit a system property through osquery.
⚙️ Compatible targets: Linux
Parameters
| Name | Documentation |
|---|---|
| query | The query to execute (ending with a semicolon). This parameter is required. |
| comparator | The comparator to use ('=', '!=' or '~', default is '='). Choices:
This parameter is optional. |
| value | The expected value. This parameter is required. |
Outcome conditions
You need to replace ${query} with its actual canonified value.
- ✅ Ok:
audit_from_osquery_${query}_ok- ☑️ Already compliant:
audit_from_osquery_${query}_kept - 🟨 Repaired:
audit_from_osquery_${query}_repaired
- ☑️ Already compliant:
- ❌ Error:
audit_from_osquery_${query}_error
Example
method: audit_from_osquery
params:
comparator: =
value: VALUE
query: VALUE
Documentation
This method uses osquery to fetch information about the system, and compares the value with the given one, using the provided comparator.
Parameters
queryis an osquery query returning exactly one resultcomparatoris the comparator to use: "=" for equality, "!=" for non-equality, "~" for regex comparisonvalueis the expected value, can be a string or a regex depending on the comparator
Setup
This method requires the presence of osquery on the target nodes. It won't install it automatically. Check the correct way of doing so for your OS.
Building queries
To learn about the possible queries, read the osquery schema for your osquery version.
You can test the queries before using them with the osqueryi command, see the example below.
osqueryi "select cpu_logical_cores from system_info;"
You need to provide a query that returns exactly one value. If it's not the case, the method will fail as it does not know what to check.
Examples
# To check the number of cpus on the machine
audit_from_osquery("select cpu_logical_cores from system_info;", "2");
Will report a compliant report if the machine has 3 cores, and a non compliant one if not.