Note – With recent changes in osquery this walkthrough has become a bit dated – it will be updated shortly. In the meantime, refer to the new build docs here: https://github.com/osquery/osquery/blob/master/BUILD.md#windows
This procedure will walk you through how to bundle your custom configs with the osquery binary and output a customized MSI.
- Windows 7 x64, 8.1, or 10
- Chocolatey (not strictly required, but it makes provisioning much cleaner)
choco install git
1) Clone the Repository
Start by cloning the repository:
git clone https://github.com/facebook/osquery.git
If you want to build a specific release, checkout the corresponding release tag:
git checkout tags/2.11.2
2) Provision the Environment
Next we need to set up the development environment.
Confirm that you have admin privileges, and change directories to the source root.
Execute the following script and follow prompts as required:
If you do not have Chocolatey installed, the script will install it for you. However, after Chocolatey is installed the script will most likely fail until the session's environment variables are refreshed; if that happens, re-run the script.
3) Build the Binaries
Next, build the osquery binaries.
Execute the following script and follow prompts as required (it will take some time):
4) Build the Custom MSI
Now build the MSI with your custom files.
Execute the following script with parameters as required:
This script has a number of parameters:
Allows you to specify either MSI or Chocolatey for output. Can be aliased as ‘Type’
Specify the path to the osquery config file you would like to include in the build. Can be aliased as ‘ConfigFile’
Specify the path to the osquery flag file you would like to include in the build. Can be aliased as ‘FlagFile’
Specify this option if you want to bundle any other files in the install package.
Use this parameter to bundle your certs and the file that contains your enroll secret. The MSI will drop them in the C:\ProgramData\osquery folder.
5) Deploy MSI
Finally, deploy the MSI. It will install both osqueryi and osqueryd; osqueryd will be set up as a service running under the System account. Both will be installed under C:\ProgramData\osquery.
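Once the MSI has been deployed, it is worth confirming that the package did what this walkthrough describes. The PowerShell below is an added example, not code from the original post or from the osquery project; it assumes the install root C:\ProgramData\osquery given above and the service name osqueryd, and checks the service account, the dropped config and flag files (including that any certificate or enroll-secret paths referenced in the flag file exist on the host), and that the shipped osqueryi runs.

```powershell
# Post-deployment check for an MSI built with this walkthrough. Added example; not
# part of the original post or of the osquery project. Assumes the install root
# C:\ProgramData\osquery stated above and the service name 'osqueryd'.
$Root     = 'C:\ProgramData\osquery'
$Failures = New-Object System.Collections.Generic.List[string]

# 1. osqueryd is registered, running, auto-start, and runs as SYSTEM
$svc = Get-CimInstance Win32_Service -Filter "Name='osqueryd'"
if (-not $svc) {
    $Failures.Add('osqueryd service is not registered')
} else {
    if ($svc.State     -ne 'Running')      { $Failures.Add("osqueryd state: $($svc.State)") }
    if ($svc.StartMode -ne 'Auto')         { $Failures.Add("osqueryd start mode: $($svc.StartMode)") }
    if ($svc.StartName -ne 'LocalSystem')  { $Failures.Add("osqueryd account: $($svc.StartName)") }
    if ($svc.PathName  -notlike "*$Root*") { $Failures.Add("osqueryd binary outside ${Root}: $($svc.PathName)") }
}

# 2. The bundled config and flag files were dropped, and the config parses as JSON
$conf  = Join-Path $Root 'osquery.conf'
$flags = Join-Path $Root 'osquery.flags'
foreach ($f in $conf, $flags) { if (-not (Test-Path $f)) { $Failures.Add("missing $f") } }
if (Test-Path $conf) {
    # osquery accepts full-line // comments in its config; ConvertFrom-Json does not
    $raw = ((Get-Content $conf) -replace '^\s*//.*$', '') -join "`n"
    try   { $null = $raw | ConvertFrom-Json }
    catch { $Failures.Add("osquery.conf is not valid JSON: $($_.Exception.Message)") }
}

# 3. Any --flag=value whose value is a Windows path must exist on this host. This catches
#    a flag file that still points at the build machine's certs or enroll secret.
if (Test-Path $flags) {
    foreach ($line in Get-Content $flags) {
        if ($line -match '^--(\w+)=(.+)$') {
            $name, $value = $Matches[1], $Matches[2].Trim()
            if ($value -match '^[A-Za-z]:\\' -and -not (Test-Path $value)) {
                $Failures.Add("flag --$name points at a missing file: $value")
            }
        }
    }
}

# 4. The shipped osqueryi answers a query, proving the installed build runs
$osqueryi = Join-Path $Root 'osqueryi.exe'
if (Test-Path $osqueryi) {
    $info = & $osqueryi --json 'select version from osquery_info;' | ConvertFrom-Json
    if (-not $info.version) { $Failures.Add('osqueryi returned no version') }
} else { $Failures.Add("missing $osqueryi") }

if ($Failures.Count -eq 0) { 'osquery deployment checks passed' }
else { $Failures | ForEach-Object { "FAIL: $_" }; exit 1 }
```

Run it from an elevated PowerShell session on a freshly provisioned host; a non-zero exit code with FAIL lines tells you which part of the bundle (service, config, flag paths, or binary) did not land as intended.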