go-audit and osquery bootstrap script
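#!/usr/bin/env bash
# go-audit and osquery bootstrap script
#
# On a Debian/Ubuntu host: installs build tooling and auditd, replaces the
# distro Go with a 1.7 toolchain, fetches and builds go-audit, installs the
# osquery package, writes a sample osquery schedule and flagfile, and finally
# opens a tmux session with go-audit staged in one window and osqueryd in
# another.
#
# Run as root: `sudo ./bootstrap.sh`. The original `sudo su` line opens an
# interactive shell and blocks everything after it until that shell exits,
# so it is replaced by an explicit root check.
#
# NOTE(review): the copy this was recovered from had lost the download
# commands for the Go tarball and the osquery .deb, and the package path on
# the `go get` / `cd` lines. Those are now inputs (readonly block below);
# place the two artifacts in /root and verify their checksums against the
# publishers' values before running — nothing here validates them.
set -euo pipefail

readonly GO_TARBALL="${GO_TARBALL:-go1.7.linux-amd64.tar.gz}"   # expected in /root
readonly OSQUERY_DEB="${OSQUERY_DEB:-osquery_2.1.2_amd64.deb}"  # expected in /root
readonly GO_AUDIT_PKG="github.com/slackhq/go-audit"             # upstream import path
readonly GOROOT=/usr/local/go
readonly GOPATH=/root/.go
# tmux session name; the original referenced $sn without ever setting it.
sn="${sn:-audit}"
export GOROOT GOPATH
export PATH="$PATH:$GOROOT/bin:$GOPATH/bin"

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Abort unless running as root; every later step writes to /usr/local, /etc
# and /root.
#######################################
require_root() {
  [[ "$(id -u)" -eq 0 ]] || die "must run as root (use sudo)"
}

#######################################
# Install compilers, the distro Go, git, jq, auditd and tmux (tmux is used
# by start_session but was never installed by the original).
#######################################
install_packages() {
  apt-get update
  apt-get upgrade -y
  apt-get install -y build-essential golang git jq auditd tmux
}

#######################################
# Unpack the Go 1.7 tarball into /usr/local/go and point the `go`
# alternative at it.
# Globals: GO_TARBALL, GOROOT, GOPATH
#######################################
install_go() {
  cd /root
  [[ -f "$GO_TARBALL" ]] \
    || die "$GO_TARBALL not found in /root; download it (and check its checksum) first"
  # Update Golang from 1.2 to 1.7 or compilation of go-audit will fail
  tar -xf "$GO_TARBALL"
  # `mv go /usr/local` would nest into an existing /usr/local/go on a re-run,
  # so clear the old tree first (fixed path, nothing to mis-expand).
  rm -rf -- /usr/local/go
  mv -- go "$GOROOT"
  mkdir -p -- "$GOPATH"
  update-alternatives --install /usr/bin/go go "$GOROOT/bin/go" 0
  update-alternatives --set go "$GOROOT/bin/go"
}

#######################################
# Fetch go-audit into GOPATH, build it in its source directory and seed a
# config from the shipped example.
# Globals: GO_AUDIT_PKG, GOPATH
#######################################
build_go_audit() {
  # Download go-audit and its dependencies. The original ran `go get -u`
  # twice; the second package name was lost in extraction, so only the main
  # package is fetched here. `go get -u` pulls unpinned HEAD and builds it as
  # root — pin a release tag/commit if this is used beyond a lab box.
  go get -u "$GO_AUDIT_PKG"
  cd "$GOPATH/src/$GO_AUDIT_PKG"
  # Build go-audit (start_session runs ./go-audit from this directory)
  go build
  cp -- go-audit.yaml.example go-audit.yaml
}

#######################################
# Install the osquery package from /root.
# Globals: OSQUERY_DEB
#######################################
install_osquery() {
  cd /root
  [[ -f "$OSQUERY_DEB" ]] \
    || die "$OSQUERY_DEB not found in /root; download it (and check its checksum) first"
  dpkg -i "$OSQUERY_DEB"
}

#######################################
# Write a sample osquery schedule and the flagfile enabling the audit
# publisher. The original config was not valid JSON (queries were not under
# "schedule", had no names and lacked commas), so osqueryd would have
# rejected it; jq validates the result before the script moves on.
#######################################
write_osquery_config() {
  cat >/etc/osquery/osquery.conf <<'EOF'
{
  "schedule": {
    "process_events": {
      "query": "select * from process_events",
      "interval": 10
    },
    "socket_events": {
      "query": "select * from socket_events",
      "interval": 10
    },
    "user_events": {
      "query": "select * from user_events",
      "interval": 10
    }
  }
}
EOF
  jq . /etc/osquery/osquery.conf >/dev/null \
    || die "generated osquery.conf is not valid JSON"

  # Generate osquery flagfile: turn the audit publisher on and allow socket
  # auditing, which is what feeds socket_events above.
  cat >/etc/osquery/osquery.flags <<'EOF'
--disable_audit=false
--audit_allow_sockets
EOF
}

#######################################
# Start a tmux session with go-audit in one window and osqueryd in the other.
# The two run commands are typed but not followed by Enter, as in the
# original, so the operator can review them before starting either daemon.
# Globals: sn, GOPATH, GO_AUDIT_PKG
#######################################
start_session() {
  # NOTE(review): auditd (installed above), go-audit and osqueryd's audit
  # publisher all read the kernel audit netlink socket; more than one active
  # consumer is expected to fail or drop events. Stop auditd before starting
  # either and run only one of the two windows' commands at a time — confirm
  # against the go-audit and osquery documentation.
  tmux new-session -s "$sn" -d
  tmux new-window -t "$sn:1" -n go-audit -d
  tmux new-window -t "$sn:2" -n osquery -d
  tmux send-keys -t "$sn:1" "cd $GOPATH/src/$GO_AUDIT_PKG" Enter
  tmux send-keys -t "$sn:1" './go-audit -config go-audit.yaml | jq .'
  tmux send-keys -t "$sn:2" 'cd /etc/osquery' Enter
  tmux send-keys -t "$sn:2" 'osqueryd --config_path="/etc/osquery/osquery.conf" --flagfile="/etc/osquery/osquery.flags"'
  tmux attach -t "$sn"
}

main() {
  require_root
  install_packages
  install_go
  build_go_audit
  install_osquery
  write_osquery_config
  start_session
}
main "$@"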