Using PowerShell with command line wodle


Carlos Lopez
Apr 8, 2021, 5:01:38 AM
to wa...@googlegroups.com
Hi all,

 I need help from this fantastic community :). I am using the following script to install/update/upgrade Osquery automatically in all my macOS clients using the command wodle feature:

#!/bin/bash
# Install osquery when it is missing, or replace it when the installed version
# differs from the pinned one. Run on each macOS client by the Wazuh command wodle.

install_version="4.7.0"
down_url="https://pkg.osquery.io/darwin/osquery-${install_version}.pkg"
pkg="/tmp/osquery.pkg"

if [ ! -x /usr/local/bin/osqueryi ]; then
    # Not installed: download the pinned package and install it
    if curl -s --fail -o "$pkg" "$down_url"; then
        installer -pkg "$pkg" -target / > /dev/null 2>&1
        sleep 30
        /Library/Ossec/bin/ossec-control restart > /dev/null 2>&1
        exit 0
    fi
elif [ "$(/usr/local/bin/osqueryi --version | awk '{print $3}')" != "$install_version" ]; then
    # Version mismatch: remove the current installation completely, then reinstall
    launchctl unload /Library/LaunchDaemons/com.facebook.osqueryd.plist
    rm /Library/LaunchDaemons/com.facebook.osqueryd.plist
    rm -rf /private/var/log/osquery
    rm -rf /private/var/osquery
    rm /usr/local/bin/osquery*
    pkgutil --forget com.facebook.osquery
    if curl -s --fail -o "$pkg" "$down_url"; then
        installer -pkg "$pkg" -target / > /dev/null 2>&1
        sleep 30
        /Library/Ossec/bin/ossec-control restart > /dev/null 2>&1
    fi
fi

My idea is to do the same, but this time only for Windows clients. My knowledge of PowerShell is null :) … but maybe the best idea is to create a .bat file.

Can someone help me to "translate" this script to powershell?

Many many thanks in advance.

Best regards,
C. L. Martinez

Miguel Angel Cazajous
May 28, 2021, 6:43:46 PM
to Wazuh mailing list
Hello Carlos, hope you are doing well.

Sorry for the late response. I created a script that installs Osquery when it does not exist on the system and updates it if there's a newer release.

I noticed you use a hardcoded variable for the version. Since Osquery is available on GitHub, we can use the API to ask for the latest release.

As you did with macOS, you can follow this guide if some step is missing:

https://osquery.readthedocs.io/en/stable/installation/install-windows/

And then configure the wodle command the way you did, using the following documentation:

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/wodle-command.html

I hope this was useful for you. Thank you for contacting us!

script.txt

Carlos Lopez
Jun 1, 2021, 3:55:31 AM
to Miguel Angel Cazajous, Wazuh mailing list
Thanks Miguel Angel .... I have tested your script, but Wazuh's agent constantly restarts after installing osquery ... And on the other side, osquery changes its startup state to automatic ... and if I am not wrong, it needs to be Manual...


Miguel Angel Cazajous
Jun 1, 2021, 1:41:29 PM
to Wazuh mailing list
Hi Carlos,

To stop Wazuh from restarting, this line from the script I previously sent you should be removed. I tried to replicate your previous script, but it probably wasn't what you needed.

    Restart-Service -DisplayName "Wazuh" -Verbose

The difference between Manual and Automatic is that the first one won't be started at boot time, but only on a specific event.
For your needs, it's possible to change the startup type of the service from PowerShell.

To change the startup type of the osqueryd service, here is a code snippet that may help you.

    # Only touch the service if it is actually registered
    $service_name = "osqueryd"
    if (Get-Service $service_name -ErrorAction SilentlyContinue) {
        Set-Service -Name $service_name -StartupType Manual -ErrorAction SilentlyContinue
    }

In this case, we are using the installation via MSI package, but you could get osquery installed using Chocolatey or a manual installation.

Also, inside the osquery installation path, there's a PowerShell script (manage-osqueryd.ps1) that lets you manage the osqueryd daemon service.

To dig more into the details, you may want to check the official documentation:

https://osquery.readthedocs.io/en/stable/installation/install-windows/

I attach a modified version of the script so you can play with it.

I hope this helps you. Regards!
script.txt
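Since the attached script.txt is not reproduced in the thread, here is an added PowerShell example (my own, not the script Miguel attached and not osquery's or Wazuh's code) that puts together what both of his replies describe: ask the GitHub releases API for the latest osquery version instead of hardcoding it, install or update via the MSI, set the osqueryd service to Manual, and do not restart the Wazuh agent from inside its own wodle. It assumes PowerShell 5.1 or later, outbound HTTPS to api.github.com and github.com, that the latest release carries an .msi asset whose MSI upgrades an existing install in place, and that the MSI is Authenticode-signed; the paths, the script name and the wodle tag in the header comment are placeholders.

```powershell
<#
Added example: install or update osquery on Windows from a Wazuh command wodle.
A matching wodle entry in the agent's ossec.conf (placeholder path and tag):

  <wodle name="command">
    <disabled>no</disabled>
    <tag>osquery-install</tag>
    <command>powershell.exe -ExecutionPolicy Bypass -File "C:\scripts\install-osquery.ps1"</command>
    <interval>1d</interval>
    <ignore_output>no</ignore_output>
    <run_on_start>yes</run_on_start>
    <timeout>0</timeout>
  </wodle>
#>
$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$osqueryExe  = 'C:\Program Files\osquery\osqueryi.exe'   # default MSI install path (assumed)
$serviceName = 'osqueryd'
$msiPath     = Join-Path $env:TEMP 'osquery.msi'

# Latest release from the GitHub API, so no version needs to be hardcoded.
function Get-LatestOsqueryRelease {
    $headers = @{ 'User-Agent' = 'wazuh-osquery-wodle' }   # GitHub rejects requests without a User-Agent
    $release = Invoke-RestMethod -Uri 'https://api.github.com/repos/osquery/osquery/releases/latest' -Headers $headers
    $asset   = $release.assets | Where-Object { $_.name -like '*.msi' } | Select-Object -First 1
    if (-not $asset) { throw "No MSI asset found in release $($release.tag_name)" }
    [pscustomobject]@{
        Version = [version]($release.tag_name.TrimStart('v'))
        Url     = $asset.browser_download_url
    }
}

# Installed version, or $null when osquery is not present.
function Get-InstalledOsqueryVersion {
    if (-not (Test-Path $osqueryExe)) { return $null }
    # Output looks like "osqueryi version 4.7.0": take the third token, as the macOS awk '{print $3}' does
    $out = & $osqueryExe --version
    [version](($out -split '\s+')[2])
}

function Install-Osquery([string]$Url) {
    Invoke-WebRequest -Uri $Url -OutFile $msiPath -UseBasicParsing

    # Refuse to run an MSI whose Authenticode signature does not verify (assumes signed releases)
    $sig = Get-AuthenticodeSignature -FilePath $msiPath
    if ($sig.Status -ne 'Valid') { throw "MSI signature check failed: $($sig.Status)" }

    # Silent install; 3010 means success with a pending reboot
    $p = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$msiPath`" /qn /norestart" -Wait -PassThru
    if ($p.ExitCode -notin @(0, 3010)) { throw "msiexec exited with code $($p.ExitCode)" }
    Remove-Item $msiPath -ErrorAction SilentlyContinue
}

$latest    = Get-LatestOsqueryRelease
$installed = Get-InstalledOsqueryVersion

if ($null -eq $installed) {
    Write-Output "osquery not found, installing $($latest.Version)"
    Install-Osquery $latest.Url
} elseif ($installed -lt $latest.Version) {
    Write-Output "updating osquery $installed -> $($latest.Version)"
    Install-Osquery $latest.Url   # assumes the MSI upgrades in place; no manual cleanup as on macOS
} else {
    Write-Output "osquery $installed is current"
}

# The MSI registers osqueryd as Automatic; this thread wants Manual. There is deliberately
# no Restart-Service on the Wazuh agent here: restarting the agent from inside its own
# wodle is what produced the restart loop reported above.
if (Get-Service $serviceName -ErrorAction SilentlyContinue) {
    Set-Service -Name $serviceName -StartupType Manual
}
```

Two points worth keeping in mind when deploying this. The wodle runs the script as SYSTEM, so the script should live in a directory only administrators can write to, otherwise the wodle becomes a way to execute arbitrary code on every agent; the signature check on the downloaded MSI addresses the same concern on the download side. And if the wodle is pushed from the manager through the shared agent.conf rather than defined in the agent's local ossec.conf, the agent ignores it unless `wazuh_command.remote_commands=1` is set in its local_internal_options.conf, which is a deliberate default that keeps a compromised manager from running commands on agents.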