fleet/website/.sailsrc

{
"generators": {
"modules": {}
},
"_generatedWith": {
"sails": "1.2.5",
"sails-generate": "2.0.0"
},
"builtStaticContent": {
"markdownPages": [
{
"url": "/docs",
"title": "Readme.md",
"lastModifiedAt": 1624049901000,
"htmlId": "docs--readme--9f534d32b2",
"meta": {}
},
{
"url": "/docs/using-fleet/learn-how-to-use-fleet",
"title": "Learn how to use Fleet",
"lastModifiedAt": 1631573400000,
"htmlId": "docs--0-learn-how-to-use-f--1b80658ae8",
"meta": {}
},
{
"url": "/docs/using-fleet/fleet-ui",
"title": "Fleet UI",
"lastModifiedAt": 1631640519000,
"htmlId": "docs--1-fleet-ui--ed954948be",
"meta": {}
},
{
"url": "/docs/using-fleet/teams",
"title": "Teams",
"lastModifiedAt": 1629395421000,
"htmlId": "docs--10-teams--782f2af710",
"meta": {}
},
{
"url": "/docs/using-fleet/usage-statistics",
"title": "Usage statistics",
"lastModifiedAt": 1624989594000,
"htmlId": "docs--11-usage-statistics--3ed9f3101b",
"meta": {}
},
{
"url": "/docs/using-fleet/supported-browsers",
"title": "Supported browsers",
"lastModifiedAt": 1630452786000,
"htmlId": "docs--12-supported-browser--6f8b591603",
"meta": {}
},
{
"url": "/docs/using-fleet/vulnerability-processing",
"title": "Vulnerability processing",
"lastModifiedAt": 1629761820000,
"htmlId": "docs--13-vulnerability-pro--edb754352c",
"meta": {}
},
{
"url": "/docs/using-fleet/fleetctl-cli",
"title": "Fleetctl CLI",
"lastModifiedAt": 1631040955000,
"htmlId": "docs--2-fleetctl-cli--b4a4f6b08c",
"meta": {}
},
{
"url": "/docs/using-fleet/rest-api",
"title": "REST API",
"lastModifiedAt": 1631555916000,
"htmlId": "docs--3-rest-api--0370e3eaff",
"meta": {}
},
{
"url": "/docs/using-fleet/adding-hosts",
"title": "Adding hosts",
"lastModifiedAt": 1625588060000,
"htmlId": "docs--4-adding-hosts--f25bc11364",
"meta": {}
},
{
"url": "/docs/using-fleet/osquery-logs",
"title": "Osquery logs",
"lastModifiedAt": 1624631015000,
"htmlId": "docs--5-osquery-logs--b2e649cc1f",
"meta": {}
},
{
"url": "/docs/using-fleet/monitoring-fleet",
"title": "Monitoring Fleet",
"lastModifiedAt": 1630357234000,
"htmlId": "docs--6-monitoring-fleet--b1fa6e4a69",
"meta": {}
},
{
"url": "/docs/using-fleet/security-best-practices",
"title": "Security best practices",
"lastModifiedAt": 1624893322000,
"htmlId": "docs--7-security-best-prac--ad931bb00b",
"meta": {}
},
{
"url": "/docs/using-fleet/updating-fleet",
"title": "Updating Fleet",
"lastModifiedAt": 1630641746000,
"htmlId": "docs--8-updating-fleet--1887128e93",
"meta": {}
},
{
"url": "/docs/using-fleet/permissions",
"title": "Permissions",
"lastModifiedAt": 1630415095000,
"htmlId": "docs--9-permissions--905e9c08da",
"meta": {}
},
{
"url": "/docs/using-fleet/faq",
"title": "FAQ",
"lastModifiedAt": 1627511403000,
"htmlId": "docs--faq--f96c7228ae",
"meta": {}
},
{
"url": "/docs/using-fleet",
"title": "Using Fleet",
"lastModifiedAt": 1626938622000,
"htmlId": "docs--readme--b097d08746",
"meta": {}
},
{
"url": "/docs/deploying/installation",
"title": "Installation",
"lastModifiedAt": 1625173055000,
"htmlId": "docs--1-installation--fe7d4e2e74",
"meta": {}
},
{
"url": "/docs/deploying/example-deployment-scenarios",
"title": "Example deployment scenarios",
"lastModifiedAt": 1625588060000,
"htmlId": "docs--3-example-deployment--b850738ae0",
"meta": {}
},
{
"url": "/docs/deploying/configuration",
"title": "Configuration",
"lastModifiedAt": 1631134512000,
"htmlId": "docs--2-configuration--a242085fa7",
"meta": {}
},
{
"url": "/docs/deploying/fleetctl-agent-updates",
"title": "Fleetctl agent updates",
"lastModifiedAt": 1631165652000,
"htmlId": "docs--4-fleetctl-agent-upd--f6d6a601d4",
"meta": {}
},
{
"url": "/docs/deploying/faq",
"title": "FAQ",
"lastModifiedAt": 1627511403000,
"htmlId": "docs--faq--7abb678d36",
"meta": {}
},
{
"url": "/docs/deploying",
"title": "Deploying",
"lastModifiedAt": 1624893322000,
"htmlId": "docs--readme--a0a26f55e2",
"meta": {}
},
{
"url": "/docs/contributing/building-fleet",
"title": "Building Fleet",
"lastModifiedAt": 1629140343000,
"htmlId": "docs--1-building-fleet--a0d05ce171",
"meta": {}
},
{
"url": "/docs/contributing/testing",
"title": "Testing",
"lastModifiedAt": 1630685123000,
"htmlId": "docs--2-testing--20bd58879c",
"meta": {}
},
{
"url": "/docs/contributing/migrations",
"title": "Migrations",
"lastModifiedAt": 1629743194000,
"htmlId": "docs--3-migrations--ee672f0676",
"meta": {}
},
{
"url": "/docs/contributing/committing-changes",
"title": "Committing changes",
"lastModifiedAt": 1629140343000,
"htmlId": "docs--4-committing-changes--62d8075df1",
"meta": {}
},
{
"url": "/docs/contributing/releasing-fleet",
"title": "Releasing Fleet",
"lastModifiedAt": 1629929664000,
"htmlId": "docs--5-releasing-fleet--2b2a696ea0",
"meta": {}
},
{
"url": "/docs/contributing/faq",
"title": "FAQ",
"lastModifiedAt": 1624893322000,
"htmlId": "docs--faq--92e0006bf2",
"meta": {}
},
{
"url": "/docs/contributing",
"title": "Contributing",
"lastModifiedAt": 1624893322000,
"htmlId": "docs--readme--d5e4f68946",
"meta": {}
},
{
"url": "/docs/using-fleet/configuration-files",
"title": "Configuration files",
"lastModifiedAt": 1631296113000,
"htmlId": "docs--readme--7908cef8a3",
"meta": {}
},
{
"url": "/docs/using-fleet/standard-query-library",
"title": "Standard query library",
"lastModifiedAt": 1624049901000,
"htmlId": "docs--readme--d3c7d96146",
"meta": {}
}
],
"queries": [
{
"name": "Count Apple applications installed",
"platforms": "macOS",
"description": "Count the number of Apple applications installed on the machine.",
"query": "SELECT COUNT(*) FROM apps WHERE bundle_identifier LIKE 'com.apple.%';",
"purpose": "Informational",
"contributors": [
{
"name": "Mike Thomas",
"handle": "mike-j-thomas",
"avatarUrl": "https://avatars.githubusercontent.com/u/78363703?v=4",
"htmlUrl": "https://github.com/mike-j-thomas"
},
{
"name": null,
"handle": "noahtalerman",
"avatarUrl": "https://avatars.githubusercontent.com/u/47070608?v=4",
"htmlUrl": "https://github.com/noahtalerman"
},
{
"name": "Mike McNeil",
"handle": "mikermcneil",
"avatarUrl": "https://avatars.githubusercontent.com/u/618009?v=4",
"htmlUrl": "https://github.com/mikermcneil"
}
],
"slug": "count-apple-applications-installed",
"remediation": "N/A"
},
{
"name": "Detect Linux hosts with high severity vulnerable versions of OpenSSL",
"platforms": "Linux",
"description": "Retrieves the installed OpenSSL package name and version from the deb/rpm package databases (and apt sources) so it can be compared against the list of known high-severity vulnerable versions. The query only reports versions; it does not itself decide whether a host is vulnerable.",
"query": "SELECT name AS name, version AS version, 'deb_packages' AS source FROM deb_packages WHERE name LIKE 'openssl%' UNION SELECT name AS name, version AS version, 'apt_sources' AS source FROM apt_sources WHERE name LIKE 'openssl%' UNION SELECT name AS name, version AS version, 'rpm_packages' AS source FROM rpm_packages WHERE name LIKE 'openssl%';",
"purpose": "Detection",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "detect-linux-hosts-with-high-severity-vulnerable-versions-of-open-ssl",
"remediation": "Compare the returned version against the table of vulnerable OpenSSL versions (https://github.com/fleetdm/fleet/blob/32b4d53e7f1428ce43b0f9fa52838cbe7b413eed/handbook/queries/detect-hosts-with-high-severity-vulnerable-versions-of-openssl.md#table-of-vulnerable-openssl-versions) to determine whether it is affected by a high severity vulnerability and view the corresponding CVE(s); if so, update the OpenSSL package."
},
{
"name": "Detect machines with Gatekeeper disabled",
"platforms": "macOS",
"description": "Gatekeeper helps ensure that only trusted software runs on a Mac. This query returns hosts on which Gatekeeper assessments have been disabled, i.e. where that protection is no longer in effect.",
"query": "SELECT * FROM gatekeeper WHERE assessments_enabled = 0;",
"purpose": "Detection",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "detect-machines-with-gatekeeper-disabled",
"remediation": "N/A"
},
{
"name": "Detect presence of authorized SSH keys",
"platforms": "macOS, Linux",
"description": "Presence of authorized SSH keys may be unusual on laptops. Could be completely normal on servers, but may be worth auditing for unusual keys and/or changes.",
"query": "SELECT username, authorized_keys. * FROM users CROSS JOIN authorized_keys USING (uid);",
"purpose": "Detection",
"remediation": "Review the returned authorized_keys entries for each user. On laptops, confirm with the user why an authorized_keys file exists at all. On servers, verify that every key belongs to a known owner and is still needed, and remove any key that cannot be accounted for.",
"contributors": [
{
"name": "Mike Thomas",
"handle": "mike-j-thomas",
"avatarUrl": "https://avatars.githubusercontent.com/u/78363703?v=4",
"htmlUrl": "https://github.com/mike-j-thomas"
}
],
"slug": "detect-presence-of-authorized-ssh-keys"
},
{
"name": "Get authorized keys for Local Accounts",
"platforms": "macOS, Linux",
"description": "List authorized_keys for each user on the system.",
"query": "SELECT * FROM users CROSS JOIN authorized_keys USING (uid);",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-authorized-keys-for-local-accounts",
"remediation": "N/A"
},
{
"name": "Get authorized keys for Domain Joined Accounts",
"platforms": "macOS, Linux",
"description": "List authorized_keys for users that appear in the host's login records (the `last` table), which is how domain-joined accounts are identified here; accounts that have never logged in are not returned.",
"query": "SELECT * FROM users CROSS JOIN authorized_keys USING(uid) WHERE username IN (SELECT distinct(username) FROM last);",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-authorized-keys-for-domain-joined-accounts",
"remediation": "N/A"
},
{
"name": "Get crashes",
"platforms": "macOS",
"description": "Retrieve application, system, and mobile app crash logs.",
"query": "SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path FROM users CROSS JOIN crashes USING (uid);",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-crashes",
"remediation": "N/A"
},
{
"name": "Get installed Chrome Extensions",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "List installed Chrome Extensions for all users.",
"query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-installed-chrome-extensions",
"remediation": "N/A"
},
{
"name": "Get installed FreeBSD software",
"platforms": "FreeBSD",
"description": "Get all software installed on a FreeBSD computer, including browser plugins and installed packages. Note: this does not include running processes; use the processes table for those.",
"query": "SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Package (pkg)' AS type, 'pkg_packages' AS source FROM pkg_packages;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-installed-free-bsd-software",
"remediation": "N/A"
},
{
"name": "Get Homebrew Packages",
"platforms": "macOS",
"description": "Get the installed homebrew package database.",
"query": "SELECT * FROM homebrew_packages;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-homebrew-packages",
"remediation": "N/A"
},
{
"name": "Get installed Linux software",
"platforms": "Linux",
"description": "Get all software installed on a Linux computer, including browser plugins and installed packages. Note: this does not include running processes; use the processes table for those.",
"query": "SELECT name AS name, version AS version, 'Package (APT)' AS type, 'apt_sources' AS source FROM apt_sources UNION SELECT name AS name, version AS version, 'Package (deb)' AS type, 'deb_packages' AS source FROM deb_packages UNION SELECT package AS name, version AS version, 'Package (Portage)' AS type, 'portage_packages' AS source FROM portage_packages UNION SELECT name AS name, version AS version, 'Package (RPM)' AS type, 'rpm_packages' AS source FROM rpm_packages UNION SELECT name AS name, '' AS version, 'Package (YUM)' AS type, 'yum_sources' AS source FROM yum_sources UNION SELECT name AS name, version AS version, 'Package (NPM)' AS type, 'npm_packages' AS source FROM npm_packages UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-installed-linux-software",
"remediation": "N/A"
},
{
"name": "Get installed macOS software",
"platforms": "macOS",
"description": "Get all software installed on a macOS computer, including apps, browser plugins, and installed packages. Note: this does not include running processes; use the processes table for those.",
"query": "SELECT name AS name, bundle_short_version AS version, 'Application (macOS)' AS type, 'apps' AS source FROM apps UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name As name, version AS version, 'Browser plugin (Safari)' AS type, 'safari_extensions' AS source FROM safari_extensions UNION SELECT name AS name, version AS version, 'Package (Homebrew)' AS type, 'homebrew_packages' AS source FROM homebrew_packages;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-installed-mac-os-software",
"remediation": "N/A"
},
{
"name": "Get installed Safari extensions",
"platforms": "macOS",
"description": "Retrieves the list of installed Safari Extensions for all users in the target system.",
"query": "SELECT safari_extensions.* FROM users join safari_extensions USING (uid);",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-installed-safari-extensions",
"remediation": "N/A"
},
{
"name": "Get installed Windows software",
"platforms": "Windows",
"description": "Get all software installed on a Windows computer, including programs, browser plugins, and installed packages. Note: this does not include running processes; use the processes table for those.",
"query": "SELECT name AS name, version AS version, 'Program (Windows)' AS type, 'programs' AS source FROM programs UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Browser plugin (IE)' AS type, 'ie_extensions' AS source FROM ie_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name AS name, version AS version, 'Package (Chocolatey)' AS type, 'chocolatey_packages' AS source FROM chocolatey_packages UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-installed-windows-software",
"remediation": "N/A"
},
{
"name": "Get laptops with failing batteries",
"platforms": "macOS",
"description": "Lists macOS laptops whose battery health is not reported as 'Good' and whose condition is not 'Normal', so failing batteries can be replaced before they cause outages.",
"query": "SELECT * FROM battery WHERE health != 'Good' AND condition NOT IN ('', 'Normal');",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-laptops-with-failing-batteries",
"remediation": "N/A"
},
{
"name": "Get macOS disk free space percentage",
"platforms": "macOS",
"description": "Displays the percentage of free space available on the primary disk partition.",
"query": "SELECT (blocks_available * 100 / blocks) AS pct, * FROM mounts WHERE path = '/';",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-mac-os-disk-free-space-percentage",
"remediation": "N/A"
},
{
"name": "Get mounts",
"platforms": "macOS, Linux",
"description": "Shows system mounted devices and filesystems (not process specific).",
"query": "SELECT device, device_alias, path, type, blocks_size FROM mounts;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-mounts",
"remediation": "N/A"
},
{
"name": "Get the version of the resident operating system",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Shows the name, version and build details of the operating system running on the host.",
"query": "SELECT * FROM os_version;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-the-version-of-the-resident-operating-system",
"remediation": "N/A"
},
{
"name": "Get platform info",
"platforms": "macOS",
"description": "Shows information about the host platform",
"query": "SELECT vendor, version, date, revision from platform_info;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-platform-info",
"remediation": "N/A"
},
{
"name": "Get startup items",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Shows applications and binaries set as user/login startup items.",
"query": "SELECT * FROM startup_items;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-startup-items",
"remediation": "N/A"
},
{
"name": "Get system logins and logouts",
"platforms": "macOS",
"description": "Get a list of system logins and logouts.",
"query": "SELECT * FROM last;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-system-logins-and-logouts",
"remediation": "N/A"
},
{
"name": "Get current users with active shell/console on the system",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Get current users with active shell/console on the system and associated process",
"query": "SELECT user,host,time, p.name, p.cmdline, p.cwd, p.root FROM logged_in_users liu, processes p WHERE liu.pid = p.pid and liu.type='user' and liu.user <> '' ORDER BY time;",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-current-users-with-active-shell-console-on-the-system",
"remediation": "N/A"
},
{
"name": "Get system uptime",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Shows the system uptime.",
"query": "SELECT * FROM uptime;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-system-uptime",
"remediation": "N/A"
},
{
"name": "Get USB devices",
"platforms": "macOS, Linux",
"description": "Shows all USB devices that are actively plugged into the host system.",
"query": "SELECT * FROM usb_devices;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-usb-devices",
"remediation": "N/A"
},
{
"name": "Get wifi status",
"platforms": "macOS",
"description": "Shows information about the wifi network that a host is currently connected to.",
"query": "SELECT * FROM wifi_status;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-wifi-status",
"remediation": "N/A"
},
{
"name": "Get Windows machines with unencrypted hard disks",
"platforms": "Windows",
"description": "Lists Windows hosts with a BitLocker volume whose protection status is off (protection_status = 0), i.e. volumes whose data is not protected by disk encryption.",
"query": "SELECT * FROM bitlocker_info WHERE protection_status = 0;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-windows-machines-with-unencrypted-hard-disks",
"remediation": "N/A"
},
{
"name": "Get disk encryption status",
"platforms": "macOS, Linux",
"description": "Disk encryption status and information.",
"query": "SELECT * FROM disk_encryption;",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-disk-encryption-status",
"remediation": "N/A"
},
{
"name": "Detect unencrypted SSH keys for local accounts",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Identify private SSH keys stored on the host without a passphrase. If such a key is copied by an attacker it can be used immediately for lateral movement (MITRE ATT&CK TA0008).",
"query": "SELECT uid, username, description, path, encrypted FROM users CROSS JOIN user_ssh_keys using (uid) WHERE encrypted=0;",
"purpose": "Detection",
"remediation": "First, make the user aware of the risk of storing private SSH keys without a passphrase. Then rotate the detected keys: generate new passphrase-protected keys, install the new public keys, and remove the old public keys from every authorized_keys file that trusted them.",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "detect-unencrypted-ssh-keys-for-local-accounts"
},
{
"name": "Detect unencrypted SSH keys for domain joined accounts",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Identify private SSH keys stored without a passphrase for accounts that appear in the host's login records (the `last` table), which is how domain-joined accounts are identified here. Such keys can be used for lateral movement (MITRE ATT&CK TA0008).",
"query": "SELECT uid, username, description, path, encrypted FROM users CROSS JOIN user_ssh_keys using (uid) WHERE encrypted=0 and username in (SELECT distinct(username) FROM last);",
"purpose": "Detection",
"remediation": "First, make the user aware of the risk of storing private SSH keys without a passphrase. Then rotate the detected keys: generate new passphrase-protected keys, install the new public keys, and remove the old public keys from every authorized_keys file that trusted them.",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "detect-unencrypted-ssh-keys-for-domain-joined-accounts"
},
{
"name": "Get crontab jobs",
"platforms": "macOS, Linux",
"description": "Line parsed values from system and user cron/tab.",
"query": "SELECT * FROM crontab;",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-crontab-jobs",
"remediation": "N/A"
},
{
"name": "Get suid binaries",
"platforms": "macOS, Linux",
"description": "suid binaries in common locations.",
"query": "SELECT * FROM suid_bin;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-suid-binaries",
"remediation": "N/A"
},
{
"name": "Detect dynamic linker hijacking on Linux (MITRE. T1574.006)",
"platforms": "Linux",
"description": "Detect any running process whose environment sets LD_PRELOAD, the variable used to force the dynamic linker to load an attacker-supplied library (MITRE ATT&CK T1574.006). Legitimate tooling also uses LD_PRELOAD, so each hit needs review.",
"query": "SELECT env.pid, env.key, env.value, p.name,p.path, p.cmdline, p.cwd FROM process_envs env join processes p USING (pid) WHERE key='LD_PRELOAD';",
"purpose": "Detection",
"remediation": "Identify the detected process and the library path in the LD_PRELOAD value, and confirm with the system's owner that both are expected. If not, treat the library as potentially malicious and investigate how it was placed on the host.",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "detect-dynamic-linker-hijacking-on-linux-mitre-t-1574-006"
},
{
"name": "Detect dynamic linker hijacking on macOS (MITRE. T1574.006)",
"platforms": "macOS",
"description": "Detect any running process whose environment sets DYLD_INSERT_LIBRARIES, the macOS variable used to force the dynamic linker to load an attacker-supplied library (MITRE ATT&CK T1574.006). Legitimate tooling also uses it, so each hit needs review.",
"query": "SELECT env.pid, env.key, env.value, p.name,p.path, p.cmdline, p.cwd FROM process_envs env join processes p USING (pid) WHERE key='DYLD_INSERT_LIBRARIES';",
"purpose": "Detection",
"remediation": "Identify the detected process and the library path in the DYLD_INSERT_LIBRARIES value, and confirm with the system's owner that both are expected. If not, treat the library as potentially malicious and investigate how it was placed on the host.",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "detect-dynamic-linker-hijacking-on-mac-os-mitre-t-1574-006"
},
{
"name": "Get etc hosts entries",
"platforms": "macOS, Linux",
"description": "Line-parsed /etc/hosts",
"query": "SELECT * FROM etc_hosts WHERE address not in ('127.0.0.1', '::1');",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-etc-hosts-entries",
"remediation": "N/A"
},
{
"name": "Get network interfaces",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Network interfaces MAC address",
"query": "SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface) WHERE address not in ('127.0.0.1', '::1');",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-network-interfaces",
"remediation": "N/A"
},
{
"name": "Get local user accounts",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Local user accounts (including domain accounts that have logged on locally (Windows)).",
"query": "SELECT uid, gid, username, description,directory, shell FROM users;",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-local-user-accounts",
"remediation": "N/A"
},
{
"name": "Detect active user accounts on servers",
"platforms": "Linux",
"description": "In a domain-joined environment, servers normally have only root or service accounts with local passwords, and people sign in over SSH with their domain accounts. A non-root local account with an active password is therefore unexpected and worth investigating.",
"query": "SELECT * FROM shadow WHERE password_status='active' and username!='root';",
"purpose": "Detection",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "detect-active-user-accounts-on-servers",
"remediation": "N/A"
},
{
"name": "Detect Nmap scanner",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Detect a running Nmap scanner process and report its user, parent process and process details. Note: the match is on a command line beginning with 'nmap', so an invocation by full path (e.g. /usr/bin/nmap) or a renamed binary is not caught.",
"query": "SELECT p.pid, name, p.path, cmdline, cwd, start_time, parent, (SELECT name FROM processes WHERE pid=p.parent) AS parent_name, (SELECT username FROM users WHERE uid=p.uid) AS username FROM processes as p WHERE cmdline like 'nmap%';",
"purpose": "Detection",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "detect-nmap-scanner",
"remediation": "N/A"
},
{
"name": "Get docker images on a system",
"platforms": "macOS, Linux",
"description": "Docker images information, can be used on normal system or a kubenode.",
"query": "SELECT * FROM docker_images;",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-docker-images-on-a-system",
"remediation": "N/A"
},
{
"name": "Get docker running containers on a system",
"platforms": "macOS, Linux",
"description": "Docker containers information, can be used on normal system or a kubenode.",
"query": "SELECT * FROM docker_containers;",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-docker-running-containers-on-a-system",
"remediation": "N/A"
},
{
"name": "Get docker running process on a system",
"platforms": "macOS, Linux",
"description": "Docker containers Processes, can be used on normal system or a kubenode.",
"query": "SELECT c.id, c.name, c.image, c.image_id, c.command, c.created, c.state, c.status, p.cmdline FROM docker_containers c CROSS JOIN docker_container_processes p using(id);",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-docker-running-process-on-a-system",
"remediation": "N/A"
},
{
"name": "Detect Windows print spooler remote code execution vulnerability",
"platforms": "Windows",
"description": "Detects domain controllers (hosts running the NTDS service) on which the Print Spooler service is not disabled, and which are therefore potentially vulnerable to CVE-2021-1675. Hosts where the Spooler is disabled, or that do not run NTDS, are not returned.",
"query": "SELECT CASE cnt WHEN 2 THEN \"TRUE\" ELSE \"FALSE\" END \"Vulnerable\" FROM (SELECT name start_type, COUNT(name) AS cnt FROM services WHERE name = 'NTDS' or (name = 'Spooler' and start_type <> 'DISABLED')) WHERE cnt = 2;",
"purpose": "Detection",
"contributors": [
{
"name": null,
"handle": "maravedi",
"avatarUrl": "https://avatars.githubusercontent.com/u/9169890?v=4",
"htmlUrl": "https://github.com/maravedi"
}
],
"slug": "detect-windows-print-spooler-remote-code-execution-vulnerability",
"remediation": "N/A"
},
{
"name": "Get local users and their privileges",
"platforms": "macOS, Linux, Windows",
"description": "Collects the local user accounts and their respective user group.",
"query": "SELECT uid, username, type, groupname FROM users u JOIN groups g ON g.gid = u.gid;",
"purpose": "Informational",
"contributors": [
{
"name": null,
"handle": "noahtalerman",
"avatarUrl": "https://avatars.githubusercontent.com/u/47070608?v=4",
"htmlUrl": "https://github.com/noahtalerman"
}
],
"slug": "get-local-users-and-their-privileges",
"remediation": "N/A"
},
{
"name": "Find deleted files from disk",
"platforms": "Linux, macOS, Windows",
"description": "Lists all running processes whose launching binary no longer exists on disk. Attackers often delete the executable after starting a process to hide their presence; note that a legitimate upgrade that replaced the binary while the old process kept running can produce the same result, so verify each hit.",
"query": "SELECT name, path, pid FROM processes WHERE on_disk = 0;",
"purpose": "Incident response",
"contributors": [
{
"name": "AndrewB",
"handle": "alphabrevity",
"avatarUrl": "https://avatars.githubusercontent.com/u/3847973?v=4",
"htmlUrl": "https://github.com/alphabrevity"
}
],
"slug": "find-deleted-files-from-disk",
"remediation": "N/A"
}
],
"queryLibraryYmlRepoPath": "docs/1-Using-Fleet/standard-query-library/standard-query-library.yml",
"compiledPagePartialsAppPath": "views/partials/built-from-markdown"
}
}