fleet/handbook/queries/README.md

Standard query library

Fleet's standard query library includes a growing collection of useful queries for organizations deploying Fleet and osquery.

Queries

• Detect machines with gatekeeper disabled (macOS)
• Detect presence of authorized SSH keys (macOS, Linux)
• Detect hosts with the firewall disabled (macOS)
• Detect Linux hosts with high severity vulnerable versions of OpenSSL (Linux)
• Get installed Chrome extensions (macOS, Linux, Windows, FreeBSD)
• Get installed FreeBSD software (FreeBSD)
• Get installed Homebrew packages (macOS)
• Get installed Linux software (Linux)
• Get installed macOS software (macOS)
• Get installed Safari extensions (macOS)
• Get installed Windows software (Windows)
• Get laptops with failing batteries (macOS)
• Get macOS disk free space percentage (macOS)
• Get System Logins and Logouts (macOS)
• Get wifi status (macOS)
• Get Windows machines with unencrypted hard disks (Windows)
• Get platform info (macOS)
• Get USB devices (macOS, Linux)
• Count Apple applications installed (macOS)
• Get authorized keys (macOS, Linux)
• Get OS version (macOS, Linux, Windows, FreeBSD)
• Get mounts (macOS, Linux)
• Get startup items (macOS, Linux, Windows, FreeBSD)
• Get system uptime (macOS, Linux, Windows, FreeBSD)
• Get crashes (macOS)

Additional resources

Listed below are great resources that contain additional queries.

• Osquery (https://github.com/osquery/osquery/tree/master/packs)
• Palantir osquery configuration (https://github.com/palantir/osquery-configuration/tree/master/Fleet)