Osquery file integrity monitoring

File Integrity Monitoring on AWS using OSQuery, Kinesis and Lambda

A lot of our customers have requirements around File Integrity Monitoring (FIM) on AWS, and because of compliance requirements they cannot send data out of their environment.

So we embarked on a journey to see whether we could find a simple, battle-tested agent to collect file events and build an easy FIM backend from native AWS services and Lambda, in line with our philosophy: serverless, data kept inside the customer's infrastructure, and so on. The requirements:

  • An agent that is battle tested and does FIM without periodically hashing files.
  • Configurable rules, so we can cut the traffic between the hosts and the backend down to exactly the files that need to be monitored.
  • Cheap, persistent long-term storage for raw events and alerts.
  • A backend that does not need any servers to maintain.
  • Analytics that does not generate noise from an alerting perspective.

Osquery fits the requirements well. It uses inotify, so file events are delivered by the kernel instead of being discovered by hashing the filesystem on a schedule, and the FIM module's rule structure is flexible enough for surgical monitoring. Osquery also has a built-in option for streaming straight into Kinesis, and Kinesis Firehose can stream into S3, which covers the long-term storage requirement. Putting a bucket notification on that bucket and invoking a Lambda that holds the analysis logic solves the workflow piece of the puzzle.

Below is the architecture.

Step 1: OsQuery installation and configuration

Installing osquery is a breeze; it ships as native packages, so yum, apt-get or ansible all work.

Agent configuration, /etc/osquery/nf, has a couple of pieces.

Also note that we changed the configuration to send the host identifier as the EC2 instance id.
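The agent side of Step 1, as an added example that is not the author's configuration: a small renderer for the two files the osquery daemon reads, the flags file (inotify-based file events, EC2 instance id as the host identifier, results streamed to Kinesis) and the JSON config (FIM rules plus the scheduled query that drains the file_events table). The stream name, region, monitored paths, exclusions and the default config path are assumptions; the flags used are osquery's documented ones.

```python
"""
Render the two files an osquery agent needs for event-driven FIM shipped to
Kinesis: osquery.flags (daemon flags) and osquery.conf (JSON config).
Added example for this post, not the author's files. The stream name, region,
categories, paths and the default config path are assumptions.
"""
import json
import os


def validate_file_pattern(pattern: str) -> bool:
    """Check a file_paths pattern against osquery's wildcard rules.

    '%' matches one path component, '%%' matches recursively and is only
    accepted as the last component; patterns must be absolute.
    """
    if not pattern.startswith("/"):
        return False
    parts = pattern.split("/")
    if "%%" in parts[:-1]:
        return False
    # no empty components except the leading one (a trailing "/" is fine)
    return all(part for part in parts[1:-1])


def build_flags(stream: str, region: str,
                conf_path: str = "/etc/osquery/osquery.conf") -> str:
    """Daemon flags: file events on, instance id as host id, Kinesis logger."""
    flags = [
        "--config_plugin=filesystem",
        f"--config_path={conf_path}",
        # Report the EC2 instance id (read from instance metadata) instead of
        # the hostname, so events stay attributable across reboots and renames.
        "--host_identifier=instance",
        # file_events stays empty unless the event publisher is enabled.
        "--disable_events=false",
        "--enable_file_events=true",
        # Ship result rows straight to the stream; credentials come from the
        # SDK default chain, i.e. the instance profile on EC2 (assumption).
        "--logger_plugin=kinesis",
        f"--aws_kinesis_stream={stream}",
        f"--aws_region={region}",
        "--aws_kinesis_period=10",  # seconds between flushes to Kinesis
        "--utc=true",
    ]
    return "\n".join(flags) + "\n"


def build_config(file_paths: dict, exclude_paths: dict, interval: int = 300) -> dict:
    """osquery.conf body: FIM rules plus the query that drains file_events."""
    for category, patterns in file_paths.items():
        for pattern in patterns:
            if not validate_file_pattern(pattern):
                raise ValueError(f"invalid file_paths pattern in {category!r}: {pattern}")
    for category in exclude_paths:
        if category not in file_paths:
            raise ValueError(f"exclude_paths category {category!r} has no file_paths entry")
    return {
        "schedule": {
            # Events buffer in the publisher; this query drains them every
            # `interval` seconds. "removed" diffs are meaningless for an
            # event table, so they are switched off.
            "file_events": {
                "query": "SELECT * FROM file_events;",
                "interval": interval,
                "removed": False,
            }
        },
        "file_paths": file_paths,
        "exclude_paths": exclude_paths,
        # Deliberately no "file_accesses": categories listed there also emit
        # ACCESSED/OPENED rows, which drown the alert pipeline in noise.
    }


def write_agent_files(directory: str, stream: str, region: str,
                      file_paths: dict, exclude_paths: dict) -> str:
    """Write osquery.conf and osquery.flags into `directory`; return the conf path."""
    os.makedirs(directory, exist_ok=True)
    conf_path = os.path.join(directory, "osquery.conf")
    with open(conf_path, "w") as fh:
        json.dump(build_config(file_paths, exclude_paths), fh, indent=2)
    with open(os.path.join(directory, "osquery.flags"), "w") as fh:
        fh.write(build_flags(stream, region, conf_path))
    return conf_path


# Constructed rule set: keep "%%" trees small enough for the inotify watch
# budget (fs.inotify.max_user_watches) and exclude files that churn by design.
DEFAULT_FILE_PATHS = {
    "etc": ["/etc/%%"],
    "binaries": ["/usr/bin/%%", "/usr/sbin/%%", "/usr/local/bin/%%"],
    "ssh": ["/root/.ssh/%%", "/home/%/.ssh/%%"],
}
DEFAULT_EXCLUDE_PATHS = {"etc": ["/etc/mtab", "/etc/ld.so.cache"]}

if __name__ == "__main__":
    import tempfile
    print(write_agent_files(tempfile.mkdtemp(), "fim-events", "us-east-1",
                            DEFAULT_FILE_PATHS, DEFAULT_EXCLUDE_PATHS))
```

Drop the two files into /etc/osquery/ and check them before restarting the daemon with `osqueryd --flagfile /etc/osquery/osquery.flags --config_check`. Each `%%` tree costs one inotify watch per directory, so a broad pattern on a large filesystem will hit the kernel's per-user watch limit and silently stop producing events for the directories it could not watch.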
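The Lambda end of the architecture described above, as an added example that is not the author's code: the function invoked by the S3 bucket notification reads one Firehose-delivered object, splits the concatenated osquery result rows (Firehose adds no delimiter between records unless a transform does), discards file_events rows that are not content or metadata changes or that match noise rules, and returns deduplicated alerts with the EC2 instance id as the host. The noise and critical-path lists, the sample batch and the alert destination are constructed assumptions.

```python
"""
Analysis stage for the S3 end of the pipeline: Firehose lands batches of
osquery result rows in a bucket, the bucket notification invokes this Lambda,
and the Lambda reduces raw file_events rows to a short list of alerts.
Added example for this post, not the author's Lambda. The rule lists and the
sample batch are constructed; the alert destination is assumed.
"""
import json
from urllib.parse import unquote_plus


def iter_records(body: str):
    """Yield the JSON objects in a Firehose object.

    Firehose concatenates records with no delimiter unless a transform adds
    one, so the body looks like "{...}{...}{...}". raw_decode handles that
    as well as newline-delimited bodies.
    """
    decoder = json.JSONDecoder()
    pos, end = 0, len(body)
    while pos < end:
        if body[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(body, pos)
        yield obj


# Actions reported by osquery's inotify publisher that change content or metadata.
CHANGE_ACTIONS = {"CREATED", "UPDATED", "DELETED", "MOVED_FROM", "MOVED_TO",
                  "ATTRIBUTES_MODIFIED"}
# Constructed noise rules: editor scratch files and files that churn by design.
NOISE_SUFFIXES = (".swp", ".swx", "~", ".tmp")
NOISE_PATHS = {"/etc/mtab", "/etc/ld.so.cache"}
# Constructed list of paths whose change always rates a high-severity alert.
CRITICAL_PREFIXES = ("/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/ssh/",
                     "/root/.ssh/", "/etc/cron")


def classify(record: dict):
    """Turn one osquery result row into an alert dict, or None if not alertable."""
    if record.get("name") != "file_events" or record.get("action") != "added":
        return None  # only new rows from the FIM query
    cols = record.get("columns", {})
    path, action = cols.get("target_path", ""), cols.get("action", "")
    if action not in CHANGE_ACTIONS:
        return None  # ACCESSED/OPENED never rate an alert
    if path in NOISE_PATHS or path.endswith(NOISE_SUFFIXES):
        return None
    return {
        "host": record.get("hostIdentifier"),  # the EC2 instance id
        "time": record.get("unixTime"),
        "path": path,
        "action": action,
        "category": cols.get("category"),
        "sha256": cols.get("sha256") or None,
        "severity": "high" if path.startswith(CRITICAL_PREFIXES) else "medium",
    }


def analyze(body: str) -> list:
    """Alerts for one S3 object, deduplicated per host/path/action, high first."""
    latest = {}
    for record in iter_records(body):
        alert = classify(record)
        if alert:
            latest[(alert["host"], alert["path"], alert["action"])] = alert
    return sorted(latest.values(), key=lambda a: (a["severity"] != "high", a["time"]))


def handler(event, context=None):
    """Lambda entry point for an S3 ObjectCreated notification."""
    import boto3  # imported here so the analysis functions import without the SDK
    s3 = boto3.client("s3")
    alerts = []
    for rec in event.get("Records", []):
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])  # keys arrive URL-encoded
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read().decode("utf-8")
        alerts.extend(analyze(body))
    for alert in alerts:
        print(json.dumps(alert))  # CloudWatch Logs; forward to SNS etc. in practice (assumption)
    return {"alerts": len(alerts)}


def _row(path, category, action, t, sha256=""):
    """Constructed osquery 'event' format row, as the kinesis logger emits it."""
    return json.dumps({
        "name": "file_events", "hostIdentifier": "i-0abc123def456789a",
        "unixTime": t, "action": "added",
        "columns": {"target_path": path, "category": category, "action": action,
                    "sha256": sha256, "time": str(t)},
    })


# Constructed Firehose batch: seven rows, no delimiters, three of them alertable.
SAMPLE_BATCH = "".join([
    _row("/etc/sudoers", "etc", "UPDATED", 1600000000, "a" * 64),
    _row("/etc/.sudoers.swp", "etc", "CREATED", 1600000001),
    _row("/etc/mtab", "etc", "UPDATED", 1600000002),
    _row("/etc/sudoers", "etc", "ATTRIBUTES_MODIFIED", 1600000005),
    _row("/etc/hosts", "etc", "ACCESSED", 1600000007),
    _row("/usr/bin/nc", "binaries", "CREATED", 1600000010, "b" * 64),
    _row("/usr/bin/nc", "binaries", "CREATED", 1600000020, "b" * 64),
])

if __name__ == "__main__":
    for alert in analyze(SAMPLE_BATCH):
        print(json.dumps(alert))
```

Run stand-alone, the module prints the three alerts for the constructed batch (two for /etc/sudoers, one for /usr/bin/nc); the swap file, /etc/mtab and the ACCESSED row are dropped, and the duplicate /usr/bin/nc row collapses into one alert. Keeping the noise rules in the Lambda rather than only in the agent's exclude_paths means the raw events still reach S3 for forensics while the alert stream stays quiet.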