
Commit b10d5b3

committed
core: add osquery path argument override
1 parent fb972d6 commit b10d5b3

1 file changed

Lines changed: 34 additions & 10 deletions


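--- a/LFC/LFC.sh
+++ b/LFC/LFC.sh
@@ -2,12 +2,14 @@
 
 # Function to display usage information
 usage() {
-echo "Usage: $0 [OUTPUT_DIRECTORY] [--no-osquery] [--tcp-stream IP:PORT]"
+echo "Usage: $0 [OUTPUT_DIRECTORY] [--no-osquery] [--tcp-stream IP:PORT] [--osqueryi-path PATH]"
 echo " OUTPUT_DIRECTORY: Optional. Directory where forensic artifacts will be collected."
 echo " Default: /tmp/lfc_<hostname>_<timestamp>"
 echo " --no-osquery: Optional. Skip osquery collection."
 echo " --tcp-stream: Optional. Stream tarball to specified IP:PORT over TCP."
 echo " Format: IP:PORT (e.g., 192.168.1.100:8080)"
+echo " --osqueryi-path: Optional. Path to osqueryi binary."
+echo " Default: /usr/bin/osqueryi"
 echo ""
 echo "Examples:"
 echo " $0 # Use default output directory (/tmp/lfc_<hostname>_<timestamp>) and run osquery"
@@ -16,13 +18,14 @@ usage() {
 echo " $0 /var/output --no-osquery # Use custom output directory and skip osquery"
 echo " $0 --tcp-stream 192.168.1.100:8080 # Stream artifacts over TCP"
 echo " $0 /var/output --no-osquery --tcp-stream 10.0.0.5:9999 # Custom dir, no osquery, TCP stream"
+echo " $0 --osqueryi-path /opt/osquery/bin/osqueryi # Use custom osqueryi path"
 exit 1
 }
 
-# Parse command line arguments
 SKIP_OSQUERY=false
 TEMP_OUTPUT_DIR=""
 TCP_STREAM=""
+TEMP_OSQUERYI_PATH=""
 
 while [[ $# -gt 0 ]]; do
 case $1 in
@@ -31,10 +34,10 @@ while [[ $# -gt 0 ]]; do
 ;;
 --no-osquery)
 SKIP_OSQUERY=true
-shift # Remove --no-osquery from processing
+shift
 ;;
 --tcp-stream)
-# Next argument should be IP:PORT
+
 shift
 TCP_STREAM="$1"
 if [[ ! "$TCP_STREAM" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$ ]]; then
@@ -52,6 +55,25 @@ while [[ $# -gt 0 ]]; do
 fi
 shift
 ;;
+--osqueryi-path)
+# Next argument should be the path to osqueryi
+shift
+TEMP_OSQUERYI_PATH="$1"
+if [ ! -x "$TEMP_OSQUERYI_PATH" ]; then
+echo "Warning: osqueryi binary not found or not executable at $TEMP_OSQUERYI_PATH"
+echo "Continuing anyway - will be checked again during osquery collection phase"
+fi
+shift
+;;
+--osqueryi-path=*)
+# Handle --osqueryi-path=PATH format
+TEMP_OSQUERYI_PATH="${1#*=}"
+if [ ! -x "$TEMP_OSQUERYI_PATH" ]; then
+echo "Warning: osqueryi binary not found or not executable at $TEMP_OSQUERYI_PATH"
+echo "Continuing anyway - will be checked again during osquery collection phase"
+fi
+shift
+;;
 -*)
 echo "Error: Unknown option $1"
 usage
@@ -74,6 +96,9 @@ TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
 HOSTNAME=$(hostname -s)
 OUTPUT_DIR="${TEMP_OUTPUT_DIR:-/tmp/lfc_${HOSTNAME}_${TIMESTAMP}}"
 
+# Set osqueryi path (use argument if provided, otherwise default)
+OSQUERYI_PATH="${TEMP_OSQUERYI_PATH:-/usr/bin/osqueryi}"
+
 # Validate output directory path
 if [ -z "$OUTPUT_DIR" ]; then
 echo "Error: Output directory cannot be empty."
@@ -90,7 +115,7 @@ fi
 # Start time
 START_TIME=$(date +%s)
 
-# Constant Variables (derived from OUTPUT_DIR)
+# Constant Variables (derived from $OUTPUT_DIR)
 ZIP_DIR="$(dirname "$OUTPUT_DIR")"
 LOGFILE="$OUTPUT_DIR/log_file.log"
 SYSTEM_ANALYSIS="$OUTPUT_DIR/System_Analysis"
@@ -102,7 +127,6 @@ PROCESS_ANALYSIS_DIR="$OUTPUT_DIR/Process_Analysis"
 OSQUERY_ANALYSIS_DIR="$OUTPUT_DIR/osquery"
 
 # osquery settings
-OSQUERY_PATH="/usr/bin/osqueryi" # Default path to osqueryi, adjust if needed
 OSQUERY_OUTPUT_FORMAT="json" # Output format for osquery: json, csv, etc.
 
 recent_modified_files_threshold=24 # Time threshold in hours for recent modified files.
@@ -602,9 +626,9 @@ run_osquery_collection() {
 return
 fi
 
-if ! command -v "$OSQUERY_PATH" &> /dev/null; then
-write_log "WARNING" "osqueryi not found at $OSQUERY_PATH. Skipping osquery collection."
-write_log "WARNING" "Please install osquery or adjust OSQUERY_PATH variable in the script."
+if ! command -v "$OSQUERYI_PATH" &> /dev/null; then
+write_log "WARNING" "osqueryi not found at $OSQUERYI_PATH. Skipping osquery collection."
+write_log "WARNING" "Please install osquery or use --osqueryi-path to specify the correct path."
 return
 fi
 
@@ -655,7 +679,7 @@ run_osquery_collection() {
 outfile="$OSQUERY_ANALYSIS_DIR/${filename_base}.$OSQUERY_OUTPUT_FORMAT"
 write_log "INFO" "Running osquery: $query -> $outfile"
 # Redirect osqueryi stderr to the main log file
-if echo "$query" | "$OSQUERY_PATH" --"$OSQUERY_OUTPUT_FORMAT" > "$outfile" 2>> "$LOGFILE"; then
+if echo "$query" | "$OSQUERYI_PATH" --"$OSQUERY_OUTPUT_FORMAT" > "$outfile" 2>> "$LOGFILE"; then
 write_log "INFO" "Successfully executed: $query"
 else
 write_log "ERROR" "Error executing osquery: $query. Exit code: $?. Output file $outfile may be empty or incomplete. Check $LOGFILE for osquery error messages."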
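Review bot: The new `--osqueryi-path` arms accept an empty or relative value and the script then executes whatever resolves from it: with `--osqueryi-path` as the last argument, `shift` leaves `$1` empty, `[ ! -x "" ]` only prints the warning, and `OSQUERYI_PATH="${TEMP_OSQUERYI_PATH:-/usr/bin/osqueryi}"` silently falls back to the default, while a bare name such as `osqueryi` passes the later `command -v "$OSQUERYI_PATH"` check by resolving through `$PATH` on the very host under investigation, which is the lookup a tampered system is most likely to hijack. Nothing in the new code rejects either case, because the `-x` pre-check is advisory and the collection-phase check is not stricter. I would fail closed right after the `shift` with `[[ -n "$TEMP_OSQUERYI_PATH" && "$TEMP_OSQUERYI_PATH" == /* ]] || { echo "Error: --osqueryi-path requires an absolute path" >&2; usage; }` and apply the same guard in the `--osqueryi-path=*` arm (the two bodies are otherwise identical and could share a small helper). For evidentiary value, consider also recording the hash of the binary actually used, e.g. `sha256sum "$OSQUERYI_PATH" >> "$LOGFILE"`, at the start of `run_osquery_collection`, whose body begins and ends outside this hunk.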
