Policy types for @turbot/osquery

Turbot > Workspace > osquery

The osquery policy in your workspace plays a crucial role in controlling access and functionality related to the osquery integration.
This policy directly influences the generation of JWT tokens and the availability of specific osquery-related APIs.

If the policy is set to Disabled, the APIs will not be operational, and the system will not generate JWT tokens. This means that you won't be able to enroll new agents, alter configurations, or log data via osquery until the policy is re-enabled.

Ensure that this policy is enabled if you need to use osquery features within your workspace.

URI
tmod:@turbot/osquery#/policy/types/workspaceOsquery
Category
Targets
Valid Value
[
"Enabled",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled"
],
"default": "Enabled"
}

Turbot > Workspace > osquery > Enroll Secret Expiration

The policy specifies the duration after which the JWT token issued by osquery will expire.

The expiration time is critical for security, ensuring that tokens are not valid indefinitely and reducing the risk of unauthorized access.

You can set the duration in Hours to determine how long before the entity expires. If you require that the entity never expires, you can set the policy to Never.

URI
tmod:@turbot/osquery#/policy/types/workspaceOsqueryEnrollSecretExpiration
Category
Targets
Valid Value
[
"1 hour",
"12 hours",
"1 day",
"15 days",
"1 month",
"2 months",
"3 months",
"6 months",
"1 year",
"2 years",
"3 years",
"5 years",
"Never"
]
Schema
{
"type": "string",
"enum": [
"1 hour",
"12 hours",
"1 day",
"15 days",
"1 month",
"2 months",
"3 months",
"6 months",
"1 year",
"2 years",
"3 years",
"5 years",
"Never"
],
"default": "1 hour"
}

Turbot > Workspace > osquery > Secrets

The JWT token is signed by Turbot using a secret from osquery > Secrets, as set by this
policy. This ensures that fake tokens cannot be generated or used.

Turbot sets this policy on installation to a complex password unique to your
workspace. This is a secure, effective default.

To ensure secrets work, even during rotation, this policy is defined as an
array. The first item is the current secret and is used to sign all newly
issued tokens. Other secrets in the array are used for verifying existing
tokens only.

osquery Secrets are generally either distributed manually, making them difficult
to rotate, or managed by Turbot (e.g. with Stacks) and automatically rotated
per the Turbot > Workspace > osquery Secrets > Rotation policy.

If you wish or need to rotate this secret manually, you should:
1. Add a new secret as the first item in the array, leaving existing secrets below.
2. Update the policy to remove old secrets that are no longer valid.

This policy defines a list of objects, including creation, expiration and
active information for each secret. For example:
[
  {
    "secret": "E!TJ8x4!P15ic=DN",
    "created": "2020-07-28T21:32:27.537Z",
    "expiration": "2021-03-31T00:00:00.000Z",
    "isActive": true
  }
]
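The sign-with-first, verify-with-any behaviour of the secrets array and the two manual rotation steps can be seen in the following added example, which is not Turbot's own code. It assumes an HMAC-SHA256 (HS256) JWT; the function names and the secret strings are constructed for illustration.

```javascript
// Added example (not Turbot code): HS256 JWT with a rotating secrets array.
const crypto = require('crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const mac = (data, secret) =>
  crypto.createHmac('sha256', secret).update(data).digest();

// New tokens are always signed with the FIRST entry (the current secret).
function signToken(claims, secrets) {
  const head = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify(claims));
  const sig = mac(`${head}.${body}`, secrets[0].secret).toString('base64url');
  return `${head}.${body}.${sig}`;
}

// Verification tries every entry, so tokens issued before a rotation stay
// valid until the old secret is removed from the array.
function verifyToken(token, secrets, nowSec = Math.floor(Date.now() / 1000)) {
  try {
    const parts = token.split('.');
    if (parts.length !== 3) return null;
    const [head, body, sig] = parts;
    const header = JSON.parse(Buffer.from(head, 'base64url').toString());
    if (header.alg !== 'HS256') return null; // pin the algorithm
    const got = Buffer.from(sig, 'base64url');
    const ok = secrets.some(({ secret }) => {
      const want = mac(`${head}.${body}`, secret);
      return got.length === want.length && crypto.timingSafeEqual(got, want);
    });
    if (!ok) return null;
    const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
    if (typeof claims.exp === 'number' && claims.exp <= nowSec) return null;
    return claims;
  } catch (e) {
    return null; // malformed token
  }
}

// Constructed secrets and timestamps, walking through the rotation steps.
function rotationDemo() {
  const oldS = { secret: 'constructed-old-secret' };
  const newS = { secret: 'constructed-new-secret' };
  const now = 1700000000;
  const oldToken = signToken({ sub: 'node-1', exp: now + 3600 }, [oldS]);
  const step1 = [newS, oldS]; // step 1: new secret first, old kept below
  const step2 = [newS];       // step 2: old secret removed
  const newToken = signToken({ sub: 'node-2', exp: now + 3600 }, step1);
  return {
    oldValidDuringRotation: verifyToken(oldToken, step1, now) !== null,
    newSignedWithFirst: verifyToken(newToken, [newS], now) !== null,
    oldValidAfterRemoval: verifyToken(oldToken, step2, now) !== null,
    oldValidAfterExp: verifyToken(oldToken, step1, now + 3600) !== null,
  };
}
```

Removing the old secret in step 2 invalidates every token it signed, so that step is best delayed until those tokens have expired or the agents holding them have been re-issued tokens.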

URI
tmod:@turbot/osquery#/policy/types/workspaceOsquerySecrets
Category
Targets
Schema
{
"type": "array",
"items": {
"type": "object",
"properties": {
"secret": {
"type": "string"
},
"created": {
"type": "string",
"format": "date-time"
},
"expiration": {
"type": "string",
"format": "date-time"
},
"isActive": {
"type": "boolean"
}
},
"additionalProperties": false
},
"minItems": 2,
"default": [
{
"secret": "turbot",
"isActive": false
}
]
}

Turbot > Workspace > osquery > Secrets > Expiration Period

Rotation of osquery JWT tokens should be performed to ensure the Expiration
Period is never exceeded. For example, if osquery > Secrets > Rotation
is set to Enforce: ... and this policy is set to 1 year, then osquery
secrets will actually be rotated every 6 months or so (half the period).

URI
tmod:@turbot/osquery#/policy/types/workspaceOsquerySecretsExpirationPeriod
Category
Targets
Valid Value
[
"1 month",
"2 months",
"3 months",
"6 months",
"1 year",
"2 years",
"3 years",
"5 years",
"Never"
]
Schema
{
"type": "string",
"enum": [
"1 month",
"2 months",
"3 months",
"6 months",
"1 year",
"2 years",
"3 years",
"5 years",
"Never"
],
"default": "Never"
}

Turbot > Workspace > osquery > Secrets > Rotation

Check or Enforce that Turbot > Workspace > osquery > Secrets are being
rotated per the Turbot > Workspace > osquery > Secrets > Expiration Period policy.
For example, secrets must be rotated every year.

This policy is very useful when combined with Turbot's automatic management
of event handlers across cloud providers.


If your organization requires continuous rotation of secrets, then use Turbot
automation combined with Enforce: Rotate osquery secret.

A common (and practical) policy position is having the ability to rotate secrets
when required, as opposed to continuously rotating them. In that case you could
set this policy to Check combined with an expiration period of Never.

URI
tmod:@turbot/osquery#/policy/types/workspaceOsquerySecretsRotation
Category
Targets
Default Template Input
"{\n osquery: policy(uri:\"#/policy/types/workspaceOsquery\")\n}\n"
Default Template
"{%- if $.osquery == 'Enabled' -%}\n'Enforce: Rotate osquery secret'\n{%- else -%}\nSkip\n{%- endif -%}\n"
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: osquery secret requires rotation",
"Enforce: Rotate osquery secret"
],
"example": [
"Check: osquery secret requires rotation"
]
}

Turbot > osquery > Configuration

A calculated policy that contains the osquery configuration that is sent to the osquery node. This configuration often contains options, scheduled queries, decorator queries, and more.

URI
tmod:@turbot/osquery#/policy/types/osqueryConfiguration
Schema
{
"type": "object"
}