diff --git a/docs/Contributing/API-for-contributors.md b/docs/Contributing/API-for-contributors.md
index 587cf6238..1a4b26550 100644
--- a/docs/Contributing/API-for-contributors.md
+++ b/docs/Contributing/API-for-contributors.md
@@ -52,9 +52,9 @@ None.
 {
 "name": "osquery_schedule",
 "description": "Report performance stats for each file in the query schedule.",
- "query": "select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory, last_executed from osquery_schedule;"
+ "query": "SELECT name, interval, executions, output_size, wall_time, (user_time/executions) AS avg_user_time, (system_time/executions) AS avg_system_time, average_memory, last_executed FROM osquery_schedule;"
 }
- ]
+]
 }
 ```
@@ -536,7 +536,7 @@ If the `label_membership_type` is set to `manual`, the `hosts` property must als
 {
 "name": "Ubuntu",
 "description": "Filters ubuntu hosts",
- "query": "select 1 from os_version where platform = 'ubuntu';",
+ "query": "SELECT 1 FROM os_version WHERE platform = 'ubuntu';",
 "label_membership_type": "dynamic"
 },
 {
@@ -576,7 +576,7 @@ None.
 "id": 6,
 "name": "All Hosts",
 "description": "All hosts which have enrolled in Fleet",
- "query": "select 1;",
+ "query": "SELECT 1;",
 "label_type": "builtin",
 "label_membership_type": "dynamic"
 },
@@ -584,7 +584,7 @@ None.
 "id": 7,
 "name": "macOS",
 "description": "All macOS hosts",
- "query": "select 1 from os_version where platform = 'darwin';",
+ "query": "SELECT 1 FROM os_version WHERE platform = 'darwin';",
 "platform": "darwin",
 "label_type": "builtin",
 "label_membership_type": "dynamic"
@@ -593,7 +593,7 @@ None.
 "id": 8,
 "name": "Ubuntu Linux",
 "description": "All Ubuntu hosts",
- "query": "select 1 from os_version where platform = 'ubuntu';",
+ "query": "SELECT 1 FROM os_version WHERE platform = 'ubuntu';",
 "platform": "ubuntu",
 "label_type": "builtin",
 "label_membership_type": "dynamic"
@@ -602,7 +602,7 @@ None.
 "id": 9,
 "name": "CentOS Linux",
 "description": "All CentOS hosts",
- "query": "select 1 from os_version where platform = 'centos' or name like '%centos%'",
+ "query": "SELECT 1 FROM os_version WHERE platform = 'centos' OR name LIKE '%centos%'",
 "label_type": "builtin",
 "label_membership_type": "dynamic"
 },
@@ -610,7 +610,7 @@ None.
 "id": 10,
 "name": "MS Windows",
 "description": "All Windows hosts",
- "query": "select 1 from os_version where platform = 'windows';",
+ "query": "SELECT 1 FROM os_version WHERE platform = 'windows';",
 "platform": "windows",
 "label_type": "builtin",
 "label_membership_type": "dynamic"
@@ -619,7 +619,7 @@ None.
 "id": 11,
 "name": "Ubuntu",
 "description": "Filters ubuntu hosts",
- "query": "select 1 from os_version where platform = 'ubuntu';",
+ "query": "SELECT 1 FROM os_version WHERE platform = 'ubuntu';",
 "label_membership_type": "dynamic"
 }
 ]
@@ -787,7 +787,7 @@ One of `query` and `query_id` must be specified.
 ```json
 {
- "query": "select instance_id from system_info",
+ "query": "SELECT instance_id FROM system_info",
 "selected": {
 "hosts": [171]
 }
@@ -826,7 +826,7 @@ One of `query` and `query_id` must be specified.
 ```json
 {
- "query": "select instance_id from system_info;",
+ "query": "SELECT instance_id FROM system_info;",
 "selected": {
 "labels": [7]
 }
@@ -922,7 +922,7 @@ One of `query` and `query_id` must be specified.
 ```json
 {
- "query": "select instance_id from system_info",
+ "query": "SELECT instance_id FROM system_info",
 "selected": {
 "labels": ["All Hosts"]
 }
diff --git a/docs/Using-Fleet/Adding-hosts.md b/docs/Using-Fleet/Adding-hosts.md
index b276104f4..082b686e2 100644
--- a/docs/Using-Fleet/Adding-hosts.md
+++ b/docs/Using-Fleet/Adding-hosts.md
@@ -225,7 +225,7 @@ On a system with osquery installed via the Fleet osquery installer (Orbit), obta
 codesign -dr - /opt/orbit/bin/orbit/macos/edge/orbit
 ```
-The output should be similar or identical to:
+The output should be similar or identical to:
 ```
 Executable=/opt/orbit/bin/orbit/macos/edge/orbit
@@ -243,7 +243,7 @@ Osqueryd will inherit the privileges from Orbit and does not need explicit permi
 Depending on your MDM, this might be possible in the UI or require a custom profile. If your MDM has a feature to configure *Policy Preferences*, follow these steps:
 1. Configure the identifier type to “path”
-2. Paste the full path to Orbit as the identifier.
+2. Paste the full path to Orbit as the identifier.
 3. Paste the full code signing identifier into the code requirement field.
 4. Allow “Access all files”. Access to Downloads, Documents etc is inherited from this.
diff --git a/docs/Using-Fleet/REST-API.md b/docs/Using-Fleet/REST-API.md
index c183be844..42569cc23 100644
--- a/docs/Using-Fleet/REST-API.md
+++ b/docs/Using-Fleet/REST-API.md
@@ -2022,7 +2022,7 @@ If the scheduled queries haven't run on the host yet, the stats have zero values
 "id": 6,
 "name": "All Hosts",
 "description": "All hosts which have enrolled in Fleet",
- "query": "select 1;",
+ "query": "SELECT 1;",
 "platform": "",
 "label_type": "builtin",
 "label_membership_type": "dynamic"
@@ -2033,7 +2033,7 @@ If the scheduled queries haven't run on the host yet, the stats have zero values
 "id": 9,
 "name": "CentOS Linux",
 "description": "All CentOS hosts",
- "query": "select 1 from os_version where platform = 'centos' or name like '%centos%'",
+ "query": "SELECT 1 FROM os_version WHERE platform = 'centos' OR name LIKE '%centos%'",
 "platform": "",
 "label_type": "builtin",
 "label_membership_type": "dynamic"
@@ -2057,7 +2057,7 @@ If the scheduled queries haven't run on the host yet, the stats have zero values
 {
 "id": 1,
 "name": "SomeQuery",
- "query": "select * from foo;",
+ "query": "SELECT * FROM foo;",
 "description": "this is a query",
 "resolution": "fix with these steps...",
 "platform": "windows,linux",
@@ -2066,7 +2066,7 @@ If the scheduled queries haven't run on the host yet, the stats have zero values
 {
 "id": 2,
 "name": "SomeQuery2",
- "query": "select * from bar;",
+ "query": "SELECT * FROM bar;",
 "description": "this is another query",
 "resolution": "fix with these other steps...",
 "platform": "darwin",
@@ -2075,7 +2075,7 @@ If the scheduled queries haven't run on the host yet, the stats have zero values
 {
 "id": 3,
 "name": "SomeQuery3",
- "query": "select * from baz;",
+ "query": "SELECT * FROM baz;",
 "description": "",
 "resolution": "",
 "platform": "",
@@ -2600,7 +2600,7 @@ Creates a dynamic label.
 {
 "name": "Ubuntu hosts",
 "description": "Filters ubuntu hosts",
- "query": "select 1 from os_version where platform = 'ubuntu';",
+ "query": "SELECT 1 FROM os_version WHERE platform = 'ubuntu';",
 "platform": ""
 }
 ```
@@ -2617,7 +2617,7 @@ Creates a dynamic label.
 "id": 1,
 "name": "Ubuntu hosts",
 "description": "Filters ubuntu hosts",
- "query": "select 1 from os_version where platform = 'ubuntu';",
+ "query": "SELECT 1 FROM os_version WHERE platform = 'ubuntu';",
 "label_type": "regular",
 "label_membership_type": "dynamic",
 "display_text": "Ubuntu hosts",
@@ -2667,7 +2667,7 @@ Modifies the specified label. Note: Label queries and platforms are immutable. T
 "id": 1,
 "name": "Ubuntu hosts",
 "description": "Filters ubuntu hosts",
- "query": "select 1 from os_version where platform = 'ubuntu';",
+ "query": "SELECT 1 FROM os_version WHERE platform = 'ubuntu';",
 "platform": "darwin",
 "label_type": "regular",
 "label_membership_type": "dynamic",
@@ -2706,7 +2706,7 @@ Returns the specified label.
 "id": 12,
 "name": "Ubuntu",
 "description": "Filters ubuntu hosts",
- "query": "select 1 from os_version where platform = 'ubuntu';",
+ "query": "SELECT 1 FROM os_version WHERE platform = 'ubuntu';",
 "label_type": "regular",
 "label_membership_type": "dynamic",
 "display_text": "Ubuntu",
@@ -2747,7 +2747,7 @@ Returns a list of all the labels in Fleet.
 "id": 6,
 "name": "All Hosts",
 "description": "All hosts which have enrolled in Fleet",
- "query": "select 1;",
+ "query": "SELECT 1;",
 "label_type": "builtin",
 "label_membership_type": "dynamic",
 "host_count": 7,
@@ -2761,7 +2761,7 @@ Returns a list of all the labels in Fleet.
 "id": 7,
 "name": "macOS",
 "description": "All macOS hosts",
- "query": "select 1 from os_version where platform = 'darwin';",
+ "query": "SELECT 1 FROM os_version WHERE platform = 'darwin';",
 "platform": "darwin",
 "label_type": "builtin",
 "label_membership_type": "dynamic",
@@ -2776,7 +2776,7 @@ Returns a list of all the labels in Fleet.
 "id": 8,
 "name": "Ubuntu Linux",
 "description": "All Ubuntu hosts",
- "query": "select 1 from os_version where platform = 'ubuntu';",
+ "query": "SELECT 1 FROM os_version WHERE platform = 'ubuntu';",
 "platform": "ubuntu",
 "label_type": "builtin",
 "label_membership_type": "dynamic",
@@ -2791,7 +2791,7 @@ Returns a list of all the labels in Fleet.
 "id": 9,
 "name": "CentOS Linux",
 "description": "All CentOS hosts",
- "query": "select 1 from os_version where platform = 'centos' or name like '%centos%'",
+ "query": "SELECT 1 FROM os_version WHERE platform = 'centos' OR name LIKE '%centos%'",
 "label_type": "builtin",
 "label_membership_type": "dynamic",
 "host_count": 3,
@@ -2805,7 +2805,7 @@ Returns a list of all the labels in Fleet.
 "id": 10,
 "name": "MS Windows",
 "description": "All Windows hosts",
- "query": "select 1 from os_version where platform = 'windows';",
+ "query": "SELECT 1 FROM os_version WHERE platform = 'windows';",
 "platform": "windows",
 "label_type": "builtin",
 "label_membership_type": "dynamic",
@@ -3246,7 +3246,7 @@ Delete pack by name.
 "name": "osquery_info",
 "query_id": 22,
 "query_name": "osquery_info",
- "query": "select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid;",
+ "query": "SELECT i.*, p.resident_size, p.user_time, p.system_time, time.minutes AS counter FROM osquery_info i, processes p, time WHERE p.pid = i.pid;",
 "interval": 6667,
 "snapshot": true,
 "removed": false,
@@ -3309,7 +3309,7 @@ Delete pack by name.
 "name": "osquery_events",
 "query_id": 23,
 "query_name": "osquery_events",
- "query": "select name, publisher, type, subscriptions, events, active from osquery_events;",
+ "query": "SELECT name, publisher, type, subscriptions, events, active FROM osquery_events;",
 "interval": 120,
 "snapshot": false,
 "removed": true,
@@ -3348,7 +3348,7 @@ Delete pack by name.
 "name": "osquery_events",
 "query_id": 23,
 "query_name": "osquery_events",
- "query": "select name, publisher, type, subscriptions, events, active from osquery_events;",
+ "query": "SELECT name, publisher, type, subscriptions, events, active FROM osquery_events;",
 "interval": 120,
 "snapshot": false,
 "removed": true,
@@ -3402,7 +3402,7 @@ Delete pack by name.
 "name": "osquery_events",
 "query_id": 23,
 "query_name": "osquery_events",
- "query": "select name, publisher, type, subscriptions, events, active from osquery_events;",
+ "query": "SELECT name, publisher, type, subscriptions, events, active FROM osquery_events;",
 "interval": 120,
 "snapshot": false,
 "removed": true,
@@ -5122,7 +5122,7 @@ The returned lists are filtered based on the hosts the requesting user has acces
 "id": 6,
 "name": "All Hosts",
 "description": "All hosts which have enrolled in Fleet",
- "query": "select 1;",
+ "query": "SELECT 1;",
 "label_type": "builtin",
 "label_membership_type": "dynamic",
 "host_count": 5,
@@ -5383,8 +5383,8 @@ _Available in Fleet Premium_
 },
 "decorators": {
 "load": [
- "select uuid as host_uuid from system_info;",
- "select hostname as hostname from system_info;"
+ "SELECT uuid AS host_uuid FROM system_info;",
+ "SELECT hostname AS hostname FROM system_info;"
 ]
 }
 },
diff --git a/docs/Using-Fleet/Vulnerability-Processing.md b/docs/Using-Fleet/Vulnerability-Processing.md
index 320ee7e82..d73fc5415 100644
--- a/docs/Using-Fleet/Vulnerability-Processing.md
+++ b/docs/Using-Fleet/Vulnerability-Processing.md
@@ -8,14 +8,14 @@ Vulnerability processing is enabled by default for new installations.
-Fleet checks for vulnerabilities using the National Vulnerability Database (NVD).
+Fleet checks for vulnerabilities using the National Vulnerability Database (NVD).
 First, Fleet retrieves the installed software for each host using osquery queries.
 Then, Fleet translates each installed software into [Common Platform Enumeration (CPE)](https://en.wikipedia.org/wiki/Common_Platform_Enumeration) names.
 Then, using the CPEs, Fleet searches the list of [Common Vulnerabilities and Exposure (CVE)](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) identifiers listed in the NVD
-to detect the CVEs that match the defined CPEs.
+to detect the CVEs that match the defined CPEs.
 If matches are found, they are exposed on each host's **Host details** page and on the **Home** page in the Fleet UI. The CVEs are also exposed in the
@@ -81,7 +81,7 @@ https://nvd.nist.gov/products/cpe. This CPE dictionary is typically updated once
 The matching occurs server-side to make the processing as fast as possible, but the whole process is both CPU and memory intensive.
-For example, when running a development instance of Fleet on an Apple Macbook Pro with 16 cores, matching 200,000 CPEs against the CVE database will take around 10 seconds and consume about 3GBs of RAM.
+For example, when running a development instance of Fleet on an Apple Macbook Pro with 16 cores, matching 200,000 CPEs against the CVE database will take around 10 seconds and consume about 3GBs of RAM.
 The CPU and memory usages are in burst once every hour (or the configured periodicity) on the instance that does the processing. RAM spikes are expected to not exceed the 2GBs.
@@ -148,10 +148,10 @@ Let's look into some examples of this stage.
 #### tmux
-tmux is a Unix terminal utility to multiplex ttys. It appears listed like this in macOS:
+tmux is a Unix terminal utility to multiplex ttys. It appears listed like this in macOS:
 ```
-osquery> select * from homebrew_packages where name='tmux';
+osquery> SELECT * FROM homebrew_packages WHERE name='tmux';
 +------+----------------------------+---------+
 | name | path | version |
 +------+----------------------------+---------+
@@ -188,7 +188,7 @@ This is great for developers, because they don't have to be versed in all the in
 Linux distributions do security patches. These patches sometimes are old versions of software that is in the list of a long term maintenance distribution versions (sometimes abbreviated as LTS) with a vulnerability fix from a newer version.
-In this case, the software developer might release version, say, 2.5, but in Ubuntu version 2.3-ubuntu2 is what's available. This version is not the vulnerable 2.3, but 2.3 with the patch that fixes that security vulnerability. That same fix might be version `2.4-1` in CentOS because that's what happened to be in the LTS version.
+In this case, the software developer might release version, say, 2.5, but in Ubuntu version 2.3-ubuntu2 is what's available. This version is not the vulnerable 2.3, but 2.3 with the patch that fixes that security vulnerability. That same fix might be version `2.4-1` in CentOS because that's what happened to be in the LTS version.
 So Fleet with a pipeline up until the section above would see `some_app-2.4` and mark it as vulnerable. In reality, this is a false positive that needs to be discarded based on the data we parse for the changelogs for each distribution.
diff --git a/docs/Using-Fleet/configuration-files/README.md b/docs/Using-Fleet/configuration-files/README.md
index 0a6206491..3d5ad754d 100644
--- a/docs/Using-Fleet/configuration-files/README.md
+++ b/docs/Using-Fleet/configuration-files/README.md
@@ -50,7 +50,7 @@ kind: query
 spec:
 name: docker_processes
 description: The docker containers processes that are running on a system.
- query: select * from docker_container_processes;
+ query: SELECT * FROM docker_container_processes;
 ```
 To define multiple queries in a file, concatenate multiple `query` resources together in a single file with `---`. For example, consider a file that you might store at `queries/osquery_monitoring.yml`:
@@ -131,7 +131,7 @@ kind: label
 spec:
 name: slack_not_running
 query: >
- SELECT * from system_info
+ SELECT * FROM system_info
 WHERE NOT EXISTS (
 SELECT * FROM processes
@@ -235,8 +235,8 @@ spec:
 # must take care to keep the data returned by these queries small in
 # order to mitigate potential performance impacts on the Fleet server.
 additional_queries:
- time: select * from time
- macs: select mac from interface_details
+ time: SELECT * FROM time
+ macs: SELECT mac FROM interface_details
 org_info:
 org_logo_url: "https://example.org/logo.png"
 org_name: Example Org
@@ -389,7 +389,7 @@ spec:
 darwin:
 auto_table_construction:
 tcc_system_entries:
- query: "select service, client, allowed, prompt_count, last_modified from access"
+ query: "SELECT service, client, allowed, prompt_count, last_modified FROM access"
 path: "/Library/Application Support/com.apple.TCC/TCC.db"
 columns:
 - "service"
diff --git a/docs/Using-Fleet/fleetctl-CLI.md b/docs/Using-Fleet/fleetctl-CLI.md
index 029e996c0..ea060c83c 100644
--- a/docs/Using-Fleet/fleetctl-CLI.md
+++ b/docs/Using-Fleet/fleetctl-CLI.md
@@ -142,7 +142,7 @@ It's possible to specify the password via the `--password` flag or the `$PASSWOR
 To run a simple query against all hosts, you might run something like the following:
 ```
-fleetctl query --query 'select * from osquery_info;' --labels='All Hosts' > results.json
+fleetctl query --query 'SELECT * FROM osquery_info;' --labels='All Hosts' > results.json
 ⠂ 100% responded (100% online) | 1/1 targeted hosts (1/1 online)
 ^C
 ```
@@ -248,7 +248,7 @@ apiVersion: v1
 kind: query
 spec:
 name: processes
- query: select * from processes
+ query: SELECT * FROM processes
 ```
 ## Using fleetctl with an API-only user
diff --git a/tools/api/README.md b/tools/api/README.md
index d71479522..c5a7aba43 100644
--- a/tools/api/README.md
+++ b/tools/api/README.md
@@ -43,7 +43,7 @@ export FLEET_ENV_PATH=/Users/victor/fleet_env
 2
 # create a query
-./tools/api/fleet/queries/create 'system_info' 'select * from system_info;'
+./tools/api/fleet/queries/create 'system_info' 'SELECT * FROM system_info;'
 {
 "query": {
 "created_at": "0001-01-01T00:00:00Z",
@@ -51,7 +51,7 @@ export FLEET_ENV_PATH=/Users/victor/fleet_env
 "id": 4,
 "name": "system_info",
 "description": "",
- "query": "select * from system_info;",
+ "query": "SELECT * FROM system_info;",
 "saved": true,
 "author_id": 1,
 "author_name": "admin",