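---
# Fleet application config. Everything under `spec.agent_options` is handed
# verbatim to every enrolled osquery agent; the remaining sections configure
# the Fleet server itself.
apiVersion: v1
kind: config
spec:
  agent_options:
    config:
      decorators:
        # Load decorators are appended as extra columns to every logged result
        # row. Both values are self-reported by the host, so do not treat them
        # as a trust anchor when correlating logs across hosts.
        load:
          - SELECT uuid AS host_uuid FROM system_info;
          - SELECT hostname AS hostname FROM system_info;
      options:
        disable_distributed: false
        # Seconds between distributed (live query) check-ins.
        distributed_interval: 10
        distributed_plugin: tls
        distributed_tls_max_attempts: 3
        logger_plugin: tls
        logger_tls_endpoint: /api/v1/osquery/log
        # Seconds between log flushes to the server.
        logger_tls_period: 10
        pack_delimiter: /
    # Per-platform overrides of the options above; none configured.
    overrides: {}
  host_expiry_settings:
    # With expiry disabled, hosts that stop checking in are never removed, so
    # stale entries (and their last-known results) accumulate in the UI/API.
    host_expiry_enabled: false
    host_expiry_window: 0
  host_settings:
    additional_queries: null
  org_info:
    org_logo_url: ""
    org_name: org
  server_settings:
    # Presumably sends usage telemetry to the Fleet vendor; set to false in
    # environments where outbound telemetry is not acceptable.
    enable_analytics: true
    # Live queries let any user with the permission run ad hoc SQL on every
    # host. Leave enabled only if that access is reviewed and audited.
    live_query_disabled: false
    # Placeholder value: agents must be able to reach this URL, and it must be
    # HTTPS with a certificate the agents trust. Replace before deploying.
    server_url: https://localhost:8080
  smtp_settings:
    authentication_method: authmethod_plain
    authentication_type: authtype_username_password
    configured: false
    domain: ""
    enable_smtp: false
    enable_ssl_tls: true
    enable_start_tls: true
    # "********" is the masked value fleetctl prints on `get config`. It is
    # presumably treated as "leave unchanged" on apply — confirm before relying
    # on that, and never commit the real password to this file.
    password: "********"
    port: 587
    sender_address: ""
    server: ""
    user_name: ""
    # Keep true: disabling certificate verification lets a MITM capture the
    # SMTP credentials (PLAIN auth) and the contents of notification mail.
    verify_ssl_certs: true
  sso_settings:
    enable_sso: false
    enable_sso_idp_login: false
    entity_id: ""
    idp_image_url: ""
    idp_name: ""
    issuer_uri: ""
    # When SSO is turned on, IdP metadata is supplied either inline or by URL;
    # both are empty here because SSO is off.
    metadata: ""
    metadata_url: ""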
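---
# Enroll secrets. Any machine that presents one of these values can register
# itself as a host, receive the full query schedule and packs, and have the
# results it reports trusted by the server. Treat each value as a credential:
# the literals below are example/test data committed to the repository and
# must be rotated before this file is applied anywhere real.
# Applying this spec appears to replace the server's whole secret set, so
# deleting an entry revokes it for future enrollments; hosts that already
# enrolled keep authenticating with their node key.
apiVersion: v1
kind: enroll_secret
spec:
  secrets:
    - secret: RzTlxPvugG4o4O5IKS/HqEDJUmI1hwBoffff
    - secret: reallyworks
    - secret: thissecretwontwork!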
---
# Label "pending_updates": macOS hosts whose Munki ManagedInstalls.plist
# reports at least one pending update. `query` appears to reference the query
# spec of the same name defined later in this file.
apiVersion: v1
kind: label
spec:
  name: pending_updates
  query: pending_updates
  platforms: [darwin]
---
# Label "slack_not_running": hosts with no running process whose name contains
# "Slack". No `platforms` key is given, so the label is evaluated everywhere.
# `query` appears to reference the query spec of the same name.
apiVersion: v1
kind: label
spec:
  name: slack_not_running
  query: slack_not_running
---
# Pack "osquery_monitoring": self-monitoring of the osquery agent (version,
# schedule performance, event publishers, heartbeat). Each entry's `query`
# refers to a query spec by name; `name` presumably defaults to that name when
# omitted. Intervals are seconds. `removed: false` drops "removed" rows from
# differential output, which is what you want for counters that change on
# every run. No `targets` block is given, so — if this format requires one —
# the pack is not scheduled to any host until labels are attached.
apiVersion: v1
kind: pack
spec:
  name: osquery_monitoring
  queries:
    # The version query is logged twice: as a full snapshot and as a differential.
    - {query: osquery_version, name: osquery_version_snapshot, interval: 7200, snapshot: true}
    - {query: osquery_version, name: osquery_version_differential, interval: 7200}
    - {query: osquery_schedule, interval: 7200, removed: false}
    - {query: osquery_events, interval: 86400, removed: false}
    - {query: osquery_info, interval: 600, removed: false}
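---
apiVersion: v1
kind: query
spec:
  name: osquery_version
  description: The version of the Launcher and Osquery process
  # kolide_launcher_info is an extension table that only exists when osquery
  # runs under Kolide Launcher (see `support`); on plain osquery this query
  # errors. Both tables hold a single row, so the cross join yields one row.
  # The column aliases are required: osquery keys each result row by column
  # name, so two unaliased `version` columns collapse into one and a value is
  # silently lost.
  query: >
    SELECT launcher.version AS launcher_version,
           osquery.version AS osquery_version
    FROM kolide_launcher_info AS launcher
    CROSS JOIN osquery_info AS osquery;
  support:
    launcher: 0.3.0
    osquery: 2.9.0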
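---
apiVersion: v1
kind: query
spec:
  name: osquery_schedule
  description: Report performance stats for each query in the osquery schedule.
  # Per-scheduled-query counters from osquery's own osquery_schedule table;
  # user_time/system_time are cumulative since the osquery process started.
  # NULLIF makes the averages explicitly NULL for queries that have not run
  # yet (SQLite already returns NULL on division by zero, but the intent is
  # now visible to the reader).
  query: >
    SELECT name, interval, executions, output_size, wall_time,
           (user_time / NULLIF(executions, 0)) AS avg_user_time,
           (system_time / NULLIF(executions, 0)) AS avg_system_time,
           average_memory, last_executed
    FROM osquery_schedule;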
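---
apiVersion: v1
kind: query
spec:
  name: osquery_info
  description: A heartbeat counter that reports general performance (CPU, memory) and version.
  # Joins osquery's own row in `processes` by pid to get its resource usage.
  # `time` is a single-row table, so the cross join just appends the current
  # minute as a changing "counter" column (this is what makes each run differ
  # and act as a heartbeat). `i.*` is kept because osquery_info's column set
  # varies across osquery versions.
  query: >
    SELECT i.*, p.resident_size, p.user_time, p.system_time,
           time.minutes AS counter
    FROM osquery_info AS i
    INNER JOIN processes AS p ON p.pid = i.pid
    CROSS JOIN time;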
---
apiVersion: v1
kind: query
spec:
  name: osquery_events
  description: Report event publisher health and track event counters.
  # One row per publisher/subscriber from osquery's own osquery_events table;
  # `events` is a running count and `active` indicates whether it is running.
  query: >
    SELECT name, publisher, type, subscriptions, events, active
    FROM osquery_events;
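---
apiVersion: v1
kind: query
spec:
  name: docker_processes
  # Fixed key: the original said `descriptions`, which the spec loader would
  # likely ignore or reject.
  description: The docker containers processes that are running on a system.
  # `*` is kept because the column set of docker_container_processes varies
  # across osquery versions. This table needs osquery to have access to the
  # Docker socket (typically root), a standing privilege worth being aware of.
  # NOTE(review): osquery's docker tables are Linux-only as far as I know, so
  # `darwin` below is probably a no-op — confirm and drop it if so.
  query: SELECT * FROM docker_container_processes;
  support:
    osquery: 2.9.0
  platforms:
    - linux
    - darwin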
---
# Query "hostname": the host's self-reported hostname from system_info.
apiVersion: v1
kind: query
spec:
  name: hostname
  query: 'SELECT hostname FROM system_info;'
---
# Query "uuid": the host UUID as reported by the osquery process. The load
# decorator in the config spec reads `uuid` from system_info instead; the two
# are normally the same value, but if results are ever correlated on it, confirm
# that on the target osquery version.
apiVersion: v1
kind: query
spec:
  name: uuid
  query: 'SELECT uuid FROM osquery_info;'
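---
# Query "instance_id": the per-process instance ID that osquery generates on
# start-up. It lives in osquery_info; system_info has no such column, so the
# original `FROM system_info` failed with "no such column" on every host.
apiVersion: v1
kind: query
spec:
  name: instance_id
  query: SELECT instance_id FROM osquery_info;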
---
# Query "always_true": returns one row on every host, so a label built on it
# matches the whole fleet (a catch-all target).
apiVersion: v1
kind: query
spec:
  name: always_true
  query: 'SELECT 1;'
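---
# Query "pending_updates": reads Munki's PendingUpdateCount from its managed
# plist. String literals now use single quotes — SQLite only accepts
# double-quoted strings as a fallback after failing to resolve them as
# identifiers. The comparison is done on the integer value: the original
# `value > "0"` compared text, so e.g. "00" matched and a non-numeric value
# would have matched as well.
apiVersion: v1
kind: query
spec:
  name: pending_updates
  query: >
    SELECT value FROM plist
    WHERE path = '/Library/Preferences/ManagedInstalls.plist'
      AND key = 'PendingUpdateCount'
      AND CAST(value AS INTEGER) > 0;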
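---
# Query "slack_not_running": returns the system_info row (i.e. one row) when no
# process name contains "Slack". LIKE is case-insensitive for ASCII in SQLite.
# The process name is self-reported and trivially renamed, so this is a
# hygiene signal, not an enforcement control. Single quotes replace the
# double-quoted literal, which SQLite only treats as a string after failing
# to resolve it as an identifier.
apiVersion: v1
kind: query
spec:
  name: slack_not_running
  query: >
    SELECT * FROM system_info
    WHERE NOT EXISTS (
      SELECT *
      FROM processes
      WHERE name LIKE '%Slack%'
    );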
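---
# Query "centos_hosts": one row on hosts whose os_version.platform is centos.
# Single-quoted literal (SQLite treats "centos" as an identifier first).
# NOTE(review): newer osquery releases may report the RHEL family with a
# different platform string; confirm the value on the fleet's osquery version.
apiVersion: v1
kind: query
spec:
  name: centos_hosts
  query: SELECT 1 FROM os_version WHERE platform = 'centos';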
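---
# Query "ubuntu_hosts": one row on hosts whose os_version.platform is ubuntu.
# Single-quoted literal (SQLite treats "ubuntu" as an identifier first).
apiVersion: v1
kind: query
spec:
  name: ubuntu_hosts
  query: SELECT 1 FROM os_version WHERE platform = 'ubuntu';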
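---
# Query "windows_hosts": one row on hosts whose os_version.platform is windows.
# Single-quoted literal (SQLite treats "windows" as an identifier first).
apiVersion: v1
kind: query
spec:
  name: windows_hosts
  query: SELECT 1 FROM os_version WHERE platform = 'windows';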
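---
# Query "darwin_hosts": one row on hosts whose os_version.platform is darwin.
# Single-quoted literal (SQLite treats "darwin" as an identifier first).
apiVersion: v1
kind: query
spec:
  name: darwin_hosts
  query: SELECT 1 FROM os_version WHERE platform = 'darwin';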