mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 17:05:18 +00:00
181 lines
8.3 KiB
Plaintext
181 lines
8.3 KiB
Plaintext
#osquery 5.5.1
|
|
|
|
account_policy_data SELECT * users join account_policy_data using (uid)
|
|
acpi_tables SELECT * FROM acpi_tables
|
|
ad_config SELECT * FROM ad_config
|
|
alf SELECT * FROM alf
|
|
alf_exceptions SELECT * FROM alf_exceptions
|
|
alf_explicit_auths SELECT * FROM alf_explicit_auths
|
|
app_schemes SELECT * FROM app_schemes
|
|
apps SELECT * FROM apps
|
|
arp_cache SELECT * FROM arp_cache
|
|
asl SELECT * FROM asl
|
|
augeas SELECT * from augeas where path = '/etc/hosts'
|
|
authorization_mechanisms SELECT * FROM authorization_mechanisms
|
|
authorizations SELECT * FROM authorizations
|
|
authorized_keys SELECT * from users join authorized_keys using (uid)
|
|
azure_instance_metadata SELECT * FROM azure_instance_metadata
|
|
azure_instance_tags SELECT * FROM azure_instance_tags
|
|
battery SELECT * FROM battery
|
|
block_devices SELECT * FROM block_devices
|
|
browser_plugins SELECT * FROM browser_plugins
|
|
carbon_black_info SELECT * FROM carbon_black_info
|
|
carves SELECT * FROM carves
|
|
certificates SELECT * FROM certificates
|
|
chrome_extension_content_scripts SELECT * FROM chrome_extension_content_scripts
|
|
chrome_extensions SELECT * FROM chrome_extensions
|
|
cpu_time SELECT * FROM cpu_time
|
|
cpuid SELECT * FROM cpuid
|
|
crashes SELECT * FROM users JOIN crashes USING (uid)
|
|
crontab SELECT * FROM crontab
|
|
cups_destinations SELECT * FROM cups_destinations
|
|
cups_jobs SELECT * FROM cups_jobs
|
|
curl select url, round_trip_time, response_code from curl where url = 'https://github.com/osquery/osquery'
|
|
curl_certificate SELECT * from curl_certificate where hostname = 'osquery.io'
|
|
device_file SELECT * FROM device_file
|
|
device_firmware SELECT * FROM device_firmware
|
|
device_hash SELECT * FROM device_hash
|
|
device_partitions SELECT * FROM device_partitions
|
|
disk_encryption SELECT * FROM disk_encryption
|
|
disk_events SELECT * FROM disk_events
|
|
dns_resolvers SELECT * FROM dns_resolvers
|
|
docker_container_envs SELECT * FROM docker_container_envs
|
|
docker_container_fs_changes SELECT * FROM docker_container_fs_changes where id = '<id>'
|
|
docker_container_labels SELECT * FROM docker_container_labels
|
|
docker_container_mounts SELECT * FROM docker_container_mounts
|
|
docker_container_networks SELECT * FROM docker_container_networks
|
|
docker_container_ports SELECT * FROM docker_container_ports
|
|
docker_container_processes SELECT * FROM docker_container_processes where id = '<id>'
|
|
docker_container_stats SELECT * FROM docker_container_stats where id = '<id>'
|
|
docker_containers SELECT * FROM docker_containers
|
|
docker_image_history SELECT * FROM docker_image_history
|
|
docker_image_labels SELECT * FROM docker_image_labels
|
|
docker_image_layers SELECT * FROM docker_image_layers
|
|
docker_images SELECT * FROM docker_images
|
|
docker_info SELECT * FROM docker_info
|
|
docker_network_labels SELECT * FROM docker_network_labels
|
|
docker_networks SELECT * FROM docker_networks
|
|
docker_version SELECT * FROM docker_version
|
|
docker_volume_labels SELECT * FROM docker_volume_labels
|
|
docker_volumes SELECT * FROM docker_volumes
|
|
ec2_instance_metadata SELECT * FROM ec2_instance_metadata
|
|
ec2_instance_tags SELECT * FROM ec2_instance_tags
|
|
es_process_events SELECT * FROM es_process_events
|
|
es_process_file_events SELECT * FROM es_process_file_events
|
|
etc_hosts SELECT * FROM etc_hosts
|
|
etc_protocols SELECT * FROM etc_protocols
|
|
etc_services SELECT * FROM etc_services
|
|
event_taps SELECT * FROM event_taps
|
|
extended_attributes select * from extended_attributes where directory = '/tmp/';
|
|
fan_speed_sensors SELECT * FROM fan_speed_sensors
|
|
file select * from file where directory = '/etc/'
|
|
file_events SELECT * FROM file_events
|
|
firefox_addons SELECT * FROM firefox_addons
|
|
gatekeeper SELECT * FROM gatekeeper
|
|
gatekeeper_approved_apps SELECT * FROM gatekeeper_approved_apps
|
|
groups SELECT * FROM groups
|
|
hardware_events SELECT * FROM hardware_events
|
|
hash select * from hash where directory = '/etc/'
|
|
homebrew_packages SELECT * FROM homebrew_packages
|
|
ibridge_info SELECT * FROM ibridge_info
|
|
interface_addresses SELECT * FROM interface_addresses
|
|
interface_details SELECT * FROM interface_details
|
|
interface_ipv6 SELECT * FROM interface_ipv6
|
|
iokit_devicetree SELECT * FROM iokit_devicetree
|
|
iokit_registry SELECT * FROM iokit_registry
|
|
kernel_extensions SELECT * FROM kernel_extensions
|
|
kernel_info SELECT * FROM kernel_info
|
|
kernel_panics SELECT * FROM kernel_panics
|
|
keychain_acls SELECT * FROM keychain_acls
|
|
keychain_items SELECT * FROM keychain_items
|
|
known_hosts SELECT * FROM known_hosts
|
|
last SELECT * FROM last
|
|
launchd SELECT * FROM launchd
|
|
launchd_overrides SELECT * FROM launchd_overrides
|
|
listening_ports SELECT * FROM listening_ports
|
|
load_average SELECT * FROM load_average
|
|
location_services SELECT * FROM location_services
|
|
logged_in_users SELECT * FROM logged_in_users
|
|
magic SELECT * FROM magic where path = '/var/db/receipts/com.apple.pkg.Numbers11.bom';
|
|
managed_policies SELECT * FROM managed_policies
|
|
mdfind SELECT count(*) from mdfind where query = 'kMDItemTextContent == \"osquery\"'
|
|
mdls select * from mdls where path = '/Library/Preferences/com.apple.apsd.plist'
|
|
memory_array_mapped_addresses SELECT * FROM memory_array_mapped_addresses
|
|
memory_arrays SELECT * FROM memory_arrays
|
|
memory_device_mapped_addresses SELECT * FROM memory_device_mapped_addresses
|
|
memory_devices SELECT * FROM memory_devices
|
|
memory_error_info SELECT * FROM memory_error_info
|
|
mounts SELECT * FROM mounts
|
|
nfs_shares SELECT * FROM nfs_shares
|
|
npm_packages SELECT * FROM npm_packages
|
|
nvram SELECT * FROM nvram
|
|
oem_strings SELECT * FROM oem_strings
|
|
os_version SELECT * FROM os_version
|
|
osquery_events SELECT * FROM osquery_events
|
|
osquery_extensions SELECT * FROM osquery_extensions
|
|
osquery_flags SELECT * FROM osquery_flags
|
|
osquery_info SELECT * FROM osquery_info
|
|
osquery_packs SELECT * FROM osquery_packs
|
|
osquery_registry SELECT * FROM osquery_registry
|
|
osquery_schedule SELECT * FROM osquery_schedule
|
|
package_bom SELECT * from package_bom where path = '/var/db/receipts/com.apple.pkg.Numbers11.bom'
|
|
package_install_history SELECT * FROM package_install_history
|
|
package_receipts SELECT * FROM package_receipts
|
|
password_policy SELECT * FROM password_policy
|
|
pci_devices SELECT * FROM pci_devices
|
|
platform_info SELECT * FROM platform_info
|
|
plist SELECT * from plist where path = '/Library/Preferences/com.apple.apsd.plist'
|
|
power_sensors SELECT * FROM power_sensors
|
|
preferences SELECT * FROM preferences
|
|
process_envs SELECT * FROM process_envs
|
|
process_events SELECT * FROM process_events
|
|
process_memory_map SELECT * FROM process_memory_map
|
|
process_open_files SELECT * FROM process_open_files
|
|
process_open_sockets SELECT * FROM process_open_sockets
|
|
processes SELECT * FROM processes
|
|
prometheus_metrics SELECT * FROM prometheus_metrics
|
|
python_packages SELECT * FROM python_packages
|
|
quicklook_cache SELECT * FROM quicklook_cache
|
|
routes SELECT * FROM routes
|
|
running_apps SELECT * FROM running_apps
|
|
safari_extensions SELECT * FROM safari_extensions
|
|
sandboxes SELECT * FROM sandboxes
|
|
screenlock SELECT * FROM screenlock
|
|
shared_folders SELECT * FROM shared_folders
|
|
sharing_preferences SELECT * FROM sharing_preferences
|
|
shell_history SELECT * FROM shell_history
|
|
signature SELECT * FROM signature WHERE path = '/bin/ls'
|
|
sip_config SELECT * FROM sip_config
|
|
smbios_tables SELECT * FROM smbios_tables
|
|
smc_keys SELECT * FROM smc_keys
|
|
socket_events SELECT * FROM socket_events
|
|
ssh_configs SELECT * FROM ssh_configs
|
|
startup_items SELECT * FROM startup_items
|
|
sudoers SELECT * FROM sudoers
|
|
suid_bin SELECT * FROM suid_bin
|
|
system_controls SELECT * FROM system_controls
|
|
system_extensions SELECT * FROM system_extensions
|
|
system_info SELECT * FROM system_info
|
|
temperature_sensors SELECT * FROM temperature_sensors
|
|
time SELECT * FROM time
|
|
time_machine_backups SELECT * FROM time_machine_backups
|
|
time_machine_destinations SELECT * FROM time_machine_destinations
|
|
ulimit_info SELECT * FROM ulimit_info
|
|
unified_log NEW SELECT * FROM unified_log NEW
|
|
uptime SELECT * FROM uptime
|
|
usb_devices SELECT * FROM usb_devices
|
|
user_events SELECT * FROM user_events
|
|
user_groups SELECT * FROM user_groups
|
|
user_interaction_events SELECT * FROM user_interaction_events
|
|
user_ssh_keys select * from users join user_ssh_keys using (uid)
|
|
users SELECT * FROM users
|
|
virtual_memory_info SELECT * FROM virtual_memory_info
|
|
wifi_networks SELECT * FROM wifi_networks
|
|
wifi_status SELECT * FROM wifi_status
|
|
wifi_survey SELECT * FROM wifi_survey
|
|
xprotect_entries SELECT * FROM xprotect_entries
|
|
xprotect_meta SELECT * FROM xprotect_meta
|
|
xprotect_reports SELECT * FROM xprotect_reports
|
|
yara SELECT * FROM yara
|
|
yara_events SELECT * FROM yara_events
|
|
ycloud_instance_metadata SELECT * FROM ycloud_instance_metadata |