empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 08:55:24 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6a437aaa35
fleet/tools/osquery-testing/README.md
Reed Haynes a94d697ce4
updated osquery testing files (#8940) 
Co-authored-by: Reed Haynes <reed@fleetdm.com>
2022-12-08 13:28:36 -08:00

74 lines
2.2 KiB
Markdown
Raw Blame History

## Tools for testing osquery
### Testing queries
Use [test-tables.sh](./test-tables.sh) to run an entire set of queries, outputting the results. This script will automatically read the queries from the input path provided (see [queries.txt](./queries.txt) for an example), and output results to stdout. It is likely useful to pipe the output to a text file, as in:
```sh
./test-tables.sh queries.txt > results.txt
```
OS tailored query tables are named:
- macOS.txt
- windows.txt
- linux.txt
The following flags should be set in the Fleet agent options before running the test tables:
```
Options:
file_paths:
foo:
- /tmp/%%
yara:
file_paths:
system_binaries:
- sig_group_1
tmp:
- sig_group_1
- sig_group_2
signatures:
sig_group_1:
- /tmp/foo.sig
- /tmp/bar.sig
sig_group_2:
- /Users/wxs/sigs/baz.sig
command_line_flags:
disable_audit: false
disable_events: false
audit_allow_config: true
enable_file_events: true
audit_allow_user_events: true
audit_allow_process_events: true
enable_keyboard_events: true
enable_mouse_events: true
```
Additional Setup:
- carves: A file must be placed at /tmp/carve.txt
- crashes: User should manually crash a benign process with the following command from a terminal:
`kill -3 <pid>`
- crontab: User will need to make a cronjob if none exist. A simple cronjob can be made with the
`crontab -e` command and saving the following: `0 10 * * * /usr/bin/curl -s http://stackoverflow.com > ~/stackoverflow.html`
- hardware_events: A usb device will need to be plugged into the machine **after** the events tables
have been enabled.
- kernel_panics: Place a kernel panic report in `/Library/Logs/DiagnosticReports. An example can be
found in the artifacts folder. More reports can be found at https://github.com/osquery/osquery/pull/7585
- user_events: Allow remote login via system settings; ssh into local machine
- system_extensions: Download an extension from https://opalcamera.com if no extension exists on the device.
Flakey Tests:
- Not working on arm based macs:
- ibridge_info
- memory_device_mapped_addresses
- memory_error_info
- quicklook_cache
- startup_items
- device_file
- device_hash
- device_partitions
Reference in New Issue View Git Blame Copy Permalink