Created
August 21, 2018 17:10
-
-
Save andrewkrug/93fd0b5749286c550416703800b63f9c to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: "2010-09-09" | |
| Description: "Template to create SSM Document to add OSQuery to a box." | |
| Resources: | |
| LinuxInstallOSQueryDocumentCommand: | |
| Type: AWS::SSM::Document | |
| Properties: | |
| Content: | |
| schemaVersion: "2.2" | |
| description: Run rpm to bootstrap OSQuery onto a system (requires internet gateway). | |
| mainSteps: | |
| - action: aws:runShellScript | |
| name: linuxInstallOSQuery | |
| inputs: | |
| workingDirectory: "/" | |
| runCommand: | |
| - '#!/bin/bash -xe' | |
| - 'echo calling triage script or commands...' | |
| - 'rpm -i https://pkg.osquery.io/rpm/osquery-3.2.6-1.linux.x86_64.rpm' | |
| timeoutSeconds: 3600 | |
| DocumentType: Command | |
| LinuxOSQueryFindNewProcessesDocumentCommand: | |
| Type: AWS::SSM::Document | |
| Properties: | |
| Content: | |
| schemaVersion: "2.2" | |
| description: Finding new processes listening on network ports. | |
| mainSteps: | |
| - action: aws:runShellScript | |
| name: linuxOSQueryFindNewProcesses | |
| inputs: | |
| workingDirectory: "/" | |
| runCommand: | |
| - '#!/bin/bash -xe' | |
| - 'echo calling triage script or commands...' | |
| - 'osqueryi --json "SELECT DISTINCT process.name, listening.port, listening.address, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;"' | |
| timeoutSeconds: 3600 | |
| DocumentType: Command |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment