[osquerybeat] Support custom osquery artifact install  #48955

Description

@marc-gr

Describe the enhancement:

Add runtime support in osquerybeat to keep bundled osqueryd as the default, while optionally installing and running osqueryd from a user-provided artifact URL.

The enhancement should introduce a secure, configurable custom install flow with:

  • osquery_install.artifact_url
  • osquery_install.sha256
  • osquery_install.allow_insecure_url (optional, default false; for non-HTTPS test/dev only)
  • osquery_install.ssl (TLS config, same style as other Beats SSL settings)

Behavior requirements:

  • If artifact_url is not set, current bundled behavior remains unchanged.
  • If artifact_url is removed after a prior custom install, remove previous managed custom artifact state and use bundled osquery.
  • If artifact_url is set:
    • download artifact
    • verify SHA256
    • extract platform package (tar, zip, msi, pkg)
    • validate binary identity (osqueryd --version, executable checks, platform layout checks)
    • install in the same directory used for bundled osquery
    • use custom binPath on success
    • when updating to a new checksum, remove the previous installed release
  • Failure handling:
    • any custom artifact install/validation error fails startup with a clear error and beat status failed

Extension compatibility:

  • Preserve current extension autoload guarantees (Elastic extension mandatory first entry).
  • Ensure extension works when osqueryd comes from custom install (either keep extension path explicit from bundled location or ensure it is available in selected runtime path).

Safety and operational requirements:

  • Enforce HTTPS artifact URLs by default (allow explicit insecure override only for non-prod/testing).
  • Keep installation idempotent (reuse when checksum/version already active).
  • Record selected source (bundled vs custom) and effective osquery_version in manager payload/logs.
  • Add tests for config validation, checksum mismatch, extraction/layout validation, binary validation, strict startup failure behavior, and extension/autoload invariants.
  • Document new config options in reference config templates.
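
A sketch of the first two steps of the requested flow (URL policy and SHA256 pinning), added here as an illustration and not code from the issue or from the Beats repository. `InstallConfig`, `Resolve`, `VerifyArtifact` and the artifact URL are hypothetical names; only the `osquery_install.*` option names come from the issue.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/url"
)

// InstallConfig is a hypothetical struct carrying the options named in the issue.
type InstallConfig struct {
	ArtifactURL      string // osquery_install.artifact_url
	SHA256           string // osquery_install.sha256
	AllowInsecureURL bool   // osquery_install.allow_insecure_url
}

// Resolve returns the pinned digest, or nil when artifact_url is unset (bundled osqueryd).
func (c InstallConfig) Resolve() ([]byte, error) {
	if c.ArtifactURL == "" {
		return nil, nil
	}
	u, err := url.Parse(c.ArtifactURL)
	if err != nil || (u.Scheme != "https" && !(c.AllowInsecureURL && u.Scheme == "http")) {
		return nil, fmt.Errorf("artifact_url %q rejected: HTTPS required", c.ArtifactURL)
	}
	want, err := hex.DecodeString(c.SHA256)
	if err != nil || len(want) != sha256.Size {
		return nil, fmt.Errorf("sha256 must be 64 hex characters")
	}
	return want, nil
}

// VerifyArtifact streams the download through SHA-256; a nil or short digest never matches.
func VerifyArtifact(r io.Reader, want []byte) error {
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return err
	}
	if got := h.Sum(nil); !bytes.Equal(got, want) {
		return fmt.Errorf("checksum mismatch: got %x", got)
	}
	return nil
}

func main() { // constructed input: an empty artifact and the SHA-256 of empty input
	want, err := InstallConfig{"https://artifacts.example.invalid/osquery.tar.gz", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", false}.Resolve()
	fmt.Println(err, VerifyArtifact(bytes.NewReader(nil), want))
}
```

Any error from either function would map to the strict startup failure the issue asks for; extraction and binary validation would run only after the digest matches.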