
My task is to install only the OSquery daemon manually; I do not want the OSquery shell, i.e. osqueryi. So I figured out that I need to ship a few files/executables to their respective locations and then start the OSquery service using the command "sudo systemctl start osqueryd".

The files needed to ship are:

  • /usr/lib/systemd/system/osqueryd.service - service file to start the OSquery service

  • /etc/default/osqueryd - According to the service file, this location requires one executable.

  • /opt/osquery/bin/osqueryd - According to the service file, this location requires one executable.

  • /etc/init.d/osqueryd - Executable daemon

  • /etc/osquery/osquery.conf - OSquery configuration file 

Is this the right way to go about it? Please suggest if there is any other, simpler way.

James Z
User0987

1 Answer


The osquery shell (osqueryi) is actually the same binary as the osquery daemon (osqueryd). There is logic in the osquery startup process that looks at the name of the binary and starts in either daemon or shell mode. In a typical installation, the osqueryi binary is symlinked to the osqueryd binary.

Because the osqueryd binary is statically linked, "installing" it can be as simple as putting the binary on disk somewhere (e.g. /opt/osquery/bin/osqueryd). You also probably want a service file that starts that binary (e.g. /usr/lib/systemd/system/osqueryd.service). It's not strictly required, but you probably also want an osquery configuration file and/or flagfile (so that osquery can actually do something once started).

Note your /etc/default/osqueryd should not be a binary (it should be environment variable defaults). /etc/init.d/osqueryd is also not required unless you are using the older-style init (rather than systemd).

Zach
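The layout the answer describes, as an added, runnable example (it is not code from the question, the answer, or the osquery project): a POSIX shell script that stages a daemon-only install under a DESTDIR, so it can be dry-run into a scratch directory before being pointed at "/". The unit file, /etc/default/osqueryd contents, flagfile and osquery.conf below are written from scratch for illustration and are assumptions, not the files shipped in osquery's packages; the function names (file_sha256, stage_osquery, verify_stage) are mine. It uses only osqueryd flags that exist (--flagfile, --config_path, --config_plugin, --logger_plugin, --logger_path, --database_path, --pidfile). The binary's SHA-256 is checked against an expected value you pass in (take it from the release's published checksums), no osqueryi symlink is created, and nothing under /etc is made executable.

```shell
#!/bin/sh
# Stage a daemon-only osquery install under DESTDIR ("/" for a real install,
# run as root). Illustrative example: the unit, defaults, flagfile and config
# are written here from scratch, NOT the ones osquery's packages ship.
set -eu

# SHA-256 of a file; works with GNU coreutils and BSD/macOS userland.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# systemd unit (assumed layout): EnvironmentFile supplies FLAG_FILE and
# CONFIG_FILE; the binary is started directly, so no init.d wrapper is needed.
render_unit() {
    cat <<'EOF'
[Unit]
Description=osquery daemon (osqueryd)
After=network.target

[Service]
EnvironmentFile=/etc/default/osqueryd
ExecStart=/opt/osquery/bin/osqueryd --flagfile $FLAG_FILE --config_path $CONFIG_FILE
Restart=on-failure
KillMode=process

[Install]
WantedBy=multi-user.target
EOF
}

# /etc/default/osqueryd holds KEY=value environment defaults, never a binary.
render_defaults() {
    cat <<'EOF'
FLAG_FILE=/etc/osquery/osquery.flags
CONFIG_FILE=/etc/osquery/osquery.conf
EOF
}

# Flagfile: one --flag per line. filesystem plugins keep config and logs local.
render_flags() {
    cat <<'EOF'
--config_plugin=filesystem
--logger_plugin=filesystem
--logger_path=/var/log/osquery
--database_path=/var/osquery/osquery.db
--pidfile=/var/run/osqueryd.pidfile
EOF
}

# Minimal config: one scheduled query so the daemon has something to do.
render_config() {
    cat <<'EOF'
{
  "options": { "schedule_splay_percent": 10 },
  "schedule": {
    "listening_ports": {
      "query": "SELECT pid, port, address, protocol FROM listening_ports;",
      "interval": 300
    }
  }
}
EOF
}

# stage_osquery DESTDIR OSQUERYD_BINARY [EXPECTED_SHA256]
# Verifies the binary's checksum (if given), copies it, writes the support
# files, and sets modes: only the daemon is executable.
stage_osquery() {
    destdir=$1; src=$2; expected=${3:-}
    if [ -n "$expected" ]; then
        actual=$(file_sha256 "$src")
        if [ "$actual" != "$expected" ]; then
            echo "checksum mismatch for $src: got $actual" >&2
            return 1
        fi
    fi
    for d in opt/osquery/bin usr/lib/systemd/system etc/default etc/osquery \
             var/osquery var/log/osquery; do
        mkdir -p "$destdir/$d"
    done
    cp "$src" "$destdir/opt/osquery/bin/osqueryd"
    chmod 0755 "$destdir/opt/osquery/bin/osqueryd"
    render_unit     > "$destdir/usr/lib/systemd/system/osqueryd.service"
    render_defaults > "$destdir/etc/default/osqueryd"
    render_flags    > "$destdir/etc/osquery/osquery.flags"
    render_config   > "$destdir/etc/osquery/osquery.conf"
    chmod 0644 "$destdir/usr/lib/systemd/system/osqueryd.service" \
               "$destdir/etc/default/osqueryd" \
               "$destdir/etc/osquery/osquery.flags" \
               "$destdir/etc/osquery/osquery.conf"
}

# Post-stage checks: daemon present and executable, defaults file not
# executable, no osqueryi symlink, and the unit wired to the defaults file.
verify_stage() {
    destdir=$1
    [ -x "$destdir/opt/osquery/bin/osqueryd" ] || return 1
    [ ! -x "$destdir/etc/default/osqueryd" ] || return 1
    [ ! -e "$destdir/opt/osquery/bin/osqueryi" ] || return 1
    grep -qF 'EnvironmentFile=/etc/default/osqueryd' \
        "$destdir/usr/lib/systemd/system/osqueryd.service" || return 1
    grep -qF -- '--config_plugin=filesystem' "$destdir/etc/osquery/osquery.flags" || return 1
    return 0
}

# Usage: ./stage-osqueryd.sh DESTDIR /path/to/osqueryd [sha256]
[ $# -eq 0 ] || stage_osquery "$@"
```

After staging into "/" as root, run `systemctl daemon-reload` so systemd picks up the new unit, then `sudo systemctl start osqueryd`. Before starting, `/opt/osquery/bin/osqueryd --config_check --flagfile /etc/osquery/osquery.flags --config_path /etc/osquery/osquery.conf` validates the config and exits non-zero on a parse error, which is cheaper than watching the service crash-loop.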