Note – With recent changes in osquery this walkthrough has become a bit dated – it will be updated shortly. In the meantime, refer to the new build docs here: https://github.com/osquery/osquery/blob/master/BUILD.md#windows
This procedure will walk you through how to bundle your custom configs with the osquery binary and output a customized MSI.
-Windows 7 x64, 8.1, or 10
-Chocolatey (not strictly required, but it makes provisioning much cleaner)
-Git, which Chocolatey can install for you: choco install git
1) Clone the Repository
Start out by cloning the repository
git clone https://github.com/facebook/osquery.git
If you want to build a specific release, checkout the corresponding release tag:
git checkout tags/2.11.2
2) Provision the Environment
Next we need to set up the development environment.
Confirm that you have admin privileges, and change directories to the source root.
Execute the following script and follow the prompts as required:
If you do not have Chocolatey installed already, the script will install it for you. However, once Chocolatey has been installed, the script will most likely fail until the session's environment variables are refreshed. If that happens, re-run the script.
3) Build the Binaries
Next up is to build the osquery binaries.
Execute the following script and follow the prompts as required (it will take a while):
4) Build the Custom MSI
Finally, let's build the MSI with your custom files.
Execute the following script with parameters as required:
The script takes a number of parameters:
Selects the output type, either MSI or Chocolatey. Can be aliased with ‘Type’.
Path to the osquery config file you would like to include in the build. Can be aliased with ‘ConfigFile’.
Path to the osquery flag file you would like to include in the build. Can be aliased with ‘FlagFile’.
Specify this option if you want to bundle any other files in the install package.
Use this parameter to bundle your certs and the file that contains your enroll secret. The MSI will drop them in the C:\ProgramData\osquery folder.
5) Deploy MSI
Finally, deploy the MSI. It installs both osqueryi and osqueryd; osqueryd is set up as a service running as the local SYSTEM account. Both are installed under C:\ProgramData\osquery.
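As an added example (not from the original post and not part of the osquery project), here is a PowerShell check to run on a machine after the MSI has been deployed. It verifies the layout described above: osqueryd registered as an automatic service running as SYSTEM, the bundled files present under C:\ProgramData\osquery, and, the part that matters most, that the enroll secret dropped there is not readable by every local user, which it will be by default because files created under C:\ProgramData inherit a read ACE for BUILTIN\Users. The file names osquery.conf, osquery.flags, certs.pem and secret.txt are assumptions; change them to match what you bundled.

```powershell
# Added example, not part of the original post or the osquery project.
# Post-deployment sanity check for an osquery MSI install. File names other than the
# two binaries are assumptions; adjust them to whatever you bundled into the package.
param(
    [string] $Root       = 'C:\ProgramData\osquery',  # install root described in the post
    [string] $SecretFile = 'secret.txt',              # assumed name of the bundled enroll secret
    [switch] $Fix                                     # restrict the secret's ACL instead of only reporting
)

$ErrorActionPreference = 'Stop'
$failures = New-Object System.Collections.Generic.List[string]

# 1. osqueryd must be registered as an automatic service running as the local SYSTEM account.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='osqueryd'"
if (-not $svc) {
    $failures.Add('osqueryd service is not installed')
} else {
    if ($svc.StartName -ne 'LocalSystem') { $failures.Add("osqueryd runs as '$($svc.StartName)', expected LocalSystem") }
    if ($svc.StartMode -ne 'Auto')        { $failures.Add("osqueryd start mode is '$($svc.StartMode)', expected Auto") }
    if ($svc.State -ne 'Running')         { $failures.Add("osqueryd service state is '$($svc.State)', expected Running") }

    # PathName is the service command line; pull out the executable and make sure it lives under $Root.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    if (-not (Test-Path -LiteralPath $exe)) {
        $failures.Add("service binary '$exe' does not exist")
    } elseif (-not $exe.StartsWith($Root, [System.StringComparison]::OrdinalIgnoreCase)) {
        $failures.Add("service binary '$exe' is outside $Root")
    }
}

# 2. The files bundled into the MSI should all be present under the install root.
foreach ($name in @('osqueryi.exe', 'osquery.conf', 'osquery.flags', 'certs.pem', $SecretFile)) {
    if (-not (Test-Path -LiteralPath (Join-Path $Root $name))) { $failures.Add("missing $name under $Root") }
}

# 3. The enroll secret must only be readable by SYSTEM and Administrators. Files dropped into
#    C:\ProgramData inherit a read ACE for BUILTIN\Users unless inheritance is broken.
$secretPath = Join-Path $Root $SecretFile
if (Test-Path -LiteralPath $secretPath) {
    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $acl   = Get-Acl -LiteralPath $secretPath
    $extra = @($acl.Access | Where-Object { $allowed -notcontains $_.IdentityReference.Value })
    if ($extra.Count -gt 0) {
        $who = ($extra | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', '
        if ($Fix) {
            # Stop inheriting from the parent folder (dropping inherited ACEs), clear any explicit
            # ACEs that remain, then grant only the two principals.
            $acl.SetAccessRuleProtection($true, $false)
            foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
                [void] $acl.RemoveAccessRule($rule)
            }
            foreach ($id in $allowed) {
                $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
            }
            Set-Acl -LiteralPath $secretPath -AclObject $acl
            Write-Host "Restricted $secretPath to SYSTEM and Administrators (removed: $who)"
        } else {
            $failures.Add("enroll secret $secretPath is readable by $who; rerun with -Fix to restrict it")
        }
    }
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "osquery deployment under $Root looks healthy"
```

Run it from an elevated PowerShell prompt; without -Fix it only reports, which makes it safe to run from a configuration-management check or a scheduled audit, and the non-zero exit code lets the caller flag the host.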
4 thoughts on “Custom Configs with Osquery MSI”
After installation, I see that osqueryi isn't assigned to an environment variable, so you can't run osqueryi (osquery shell) wherever you want on the command prompt; you must run it as C:\programdata\osquery\ > osqueryi
Yes, this is a good point. I will update the post with this info, thanks!
Sorry, newb here – so where in the config do I point the agent to an IP and port? I can’t find anything in any specific config file I’ve looked at. I can auto install the agent quickly but have no idea how to tell it to talk to my Kolide server. Kolide is on a Ubuntu instance and the agent is getting installed on a Win 10 machine.
Hey there Cy! The easiest place to put that is in your flag file. The best place to find help on getting connected up to Kolide Fleet is in the #kolide channel in the osquery Slack – you can join the Slack here: https://osquery-slack.herokuapp.com/
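The flag file the reply above points to, as an added example for this post (it is not the author's file and not something from the osquery or Kolide projects): a PowerShell snippet that writes an osquery.flags enrolling osqueryd against a TLS server such as Kolide Fleet, using the certs and enroll secret that the MSI drops in C:\ProgramData\osquery. The host:port, the file names certs.pem and secret.txt, and the /api/v1/osquery/* endpoint paths are assumptions; check them against your own server's documentation.

```powershell
# Added example, not part of the original post or of the osquery/Kolide projects.
# Generates an osquery.flags that enrolls osqueryd against a TLS server using the
# certs and enroll secret bundled into the MSI. Every host, file name and endpoint
# path below is an assumption: verify it against your own server's documentation.
param(
    [string] $Root       = 'C:\ProgramData\osquery',  # where the MSI drops bundled files
    [string] $ServerHost = 'fleet.example.com:8080',  # placeholder host:port of your server
    [string] $CertFile   = 'certs.pem',               # assumed name of the bundled CA bundle
    [string] $SecretFile = 'secret.txt'               # assumed name of the bundled enroll secret
)

$certPath   = Join-Path $Root $CertFile
$secretPath = Join-Path $Root $SecretFile

# The secret is referenced by path and never written into the flag file itself: the flag
# file is ordinary configuration, while the secret file can be given a tighter ACL on its own.
# Pinning --tls_server_certs to the bundled CA keeps the agent from trusting any certificate
# the local machine store happens to accept.
$flags = @"
# Where the agent talks to and how it verifies the server.
--tls_hostname=$ServerHost
--tls_server_certs=$certPath
--host_identifier=uuid

# Enrollment: the secret comes from the file the MSI dropped next to the binaries.
--enroll_secret_path=$secretPath
--enroll_tls_endpoint=/api/v1/osquery/enroll

# Pull the query schedule from the server instead of a local osquery.conf.
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_tls_refresh=300

# Ship results back to the server.
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10

# Accept ad-hoc (distributed) queries from the server.
--disable_distributed=false
--distributed_plugin=tls
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--distributed_interval=10
"@

$out = Join-Path $PWD.Path 'osquery.flags'
# Write plain ASCII without a BOM: a UTF-8 BOM would be read as part of the first flag.
[System.IO.File]::WriteAllText($out, $flags, [System.Text.Encoding]::ASCII)
Write-Host "Wrote $out; pass it to the packaging script through the FlagFile parameter."
```

Because the config plugin is set to tls, the bundled osquery.conf only needs to hold local defaults (or can be nearly empty); the schedule comes from the server once the host has enrolled. If enrollment fails, run osqueryd by its full path with --verbose to see the TLS and enrollment errors on the console.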