fleet/website/.sailsrc
eashaw 470889ba3a
Update code blocks in documentation (#2151)
* updated css to be compatible with Chrome 87 and earlier

* fixed JSON syntax code blocks, remove empty response data

* Update code-blocks.less

* fix broken links
2021-09-20 20:59:45 -05:00


{
"generators": {
"modules": {}
},
"_generatedWith": {
"sails": "1.2.5",
"sails-generate": "2.0.0"
},
"builtStaticContent": {
"markdownPages": [
{
"url": "/docs",
"title": "Readme.md",
"lastModifiedAt": 1624049901000,
"htmlId": "docs--readme--27004f4448",
"sectionRelativeRepoPath": "README.md",
"meta": {}
},
{
"url": "/docs/deploying/installation",
"title": "Installation",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--01-installation--c1f7b7262d",
"sectionRelativeRepoPath": "02-Deploying/01-Installation.md",
"meta": {}
},
{
"url": "/docs/deploying/configuration",
"title": "Configuration",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--02-configuration--25bb47a163",
"sectionRelativeRepoPath": "02-Deploying/02-Configuration.md",
"meta": {}
},
{
"url": "/docs/deploying/example-deployment-scenarios",
"title": "Example deployment scenarios",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--03-example-deploymen--1d32b988ab",
"sectionRelativeRepoPath": "02-Deploying/03-Example-deployment-scenarios.md",
"meta": {}
},
{
"url": "/docs/deploying/fleetctl-agent-updates",
"title": "Fleetctl agent updates",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--04-fleetctl-agent-up--92c6890fa9",
"sectionRelativeRepoPath": "02-Deploying/04-fleetctl-agent-updates.md",
"meta": {}
},
{
"url": "/docs/deploying/faq",
"title": "FAQ",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--faq--3ad91393ce",
"sectionRelativeRepoPath": "02-Deploying/FAQ.md",
"meta": {}
},
{
"url": "/docs/deploying",
"title": "Deploying",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--readme--fb635b427f",
"sectionRelativeRepoPath": "02-Deploying/README.md",
"meta": {}
},
{
"url": "/docs/contributing/building-fleet",
"title": "Building Fleet",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--01-building-fleet--abcea456d8",
"sectionRelativeRepoPath": "03-Contributing/01-Building-Fleet.md",
"meta": {}
},
{
"url": "/docs/contributing/testing",
"title": "Testing",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--02-testing--2f307719a6",
"sectionRelativeRepoPath": "03-Contributing/02-Testing.md",
"meta": {}
},
{
"url": "/docs/contributing/migrations",
"title": "Migrations",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--03-migrations--b553b6254f",
"sectionRelativeRepoPath": "03-Contributing/03-Migrations.md",
"meta": {}
},
{
"url": "/docs/contributing/committing-changes",
"title": "Committing changes",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--04-committing-change--9b92fdc560",
"sectionRelativeRepoPath": "03-Contributing/04-Committing-Changes.md",
"meta": {}
},
{
"url": "/docs/contributing/releasing-fleet",
"title": "Releasing Fleet",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--05-releasing-fleet--1f39f77c64",
"sectionRelativeRepoPath": "03-Contributing/05-Releasing-Fleet.md",
"meta": {}
},
{
"url": "/docs/contributing/seeding-data",
"title": "Seeding data",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--06-seeding-data--af5ac86a99",
"sectionRelativeRepoPath": "03-Contributing/06-Seeding-Data.md",
"meta": {}
},
{
"url": "/docs/contributing/faq",
"title": "FAQ",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--faq--1b33e57806",
"sectionRelativeRepoPath": "03-Contributing/FAQ.md",
"meta": {}
},
{
"url": "/docs/contributing",
"title": "Contributing",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--readme--6de1bc799d",
"sectionRelativeRepoPath": "03-Contributing/README.md",
"meta": {}
},
{
"url": "/docs/using-fleet/fleet-ui",
"title": "Fleet UI",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--01-fleet-ui--4b5755ee58",
"sectionRelativeRepoPath": "01-Using-Fleet/01-Fleet-UI.md",
"meta": {}
},
{
"url": "/docs/using-fleet/fleetctl-cli",
"title": "Fleetctl CLI",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--02-fleetctl-cli--2a521b49d6",
"sectionRelativeRepoPath": "01-Using-Fleet/02-fleetctl-CLI.md",
"meta": {}
},
{
"url": "/docs/using-fleet/rest-api",
"title": "REST API",
"lastModifiedAt": 1632174198000,
"htmlId": "docs--03-rest-api--f0b4e26bae",
"sectionRelativeRepoPath": "01-Using-Fleet/03-REST-API.md",
"meta": {}
},
{
"url": "/docs/using-fleet/adding-hosts",
"title": "Adding hosts",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--04-adding-hosts--9ffccb2221",
"sectionRelativeRepoPath": "01-Using-Fleet/04-Adding-hosts.md",
"meta": {}
},
{
"url": "/docs/using-fleet/osquery-logs",
"title": "Osquery logs",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--05-osquery-logs--7fbf2c5c5a",
"sectionRelativeRepoPath": "01-Using-Fleet/05-Osquery-logs.md",
"meta": {}
},
{
"url": "/docs/using-fleet/monitoring-fleet",
"title": "Monitoring Fleet",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--06-monitoring-fleet--83f7cca9f9",
"sectionRelativeRepoPath": "01-Using-Fleet/06-Monitoring-Fleet.md",
"meta": {}
},
{
"url": "/docs/using-fleet/security-best-practices",
"title": "Security best practices",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--07-security-best-pra--7ba1af6048",
"sectionRelativeRepoPath": "01-Using-Fleet/07-Security-best-practices.md",
"meta": {}
},
{
"url": "/docs/using-fleet/updating-fleet",
"title": "Updating Fleet",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--08-updating-fleet--3b4e821ee3",
"sectionRelativeRepoPath": "01-Using-Fleet/08-Updating-Fleet.md",
"meta": {}
},
{
"url": "/docs/using-fleet/permissions",
"title": "Permissions",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--09-permissions--eb9ac05ff5",
"sectionRelativeRepoPath": "01-Using-Fleet/09-Permissions.md",
"meta": {}
},
{
"url": "/docs/using-fleet/teams",
"title": "Teams",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--10-teams--bd0bdf9444",
"sectionRelativeRepoPath": "01-Using-Fleet/10-Teams.md",
"meta": {}
},
{
"url": "/docs/using-fleet/usage-statistics",
"title": "Usage statistics",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--11-usage-statistics--ccd73f532c",
"sectionRelativeRepoPath": "01-Using-Fleet/11-Usage-statistics.md",
"meta": {}
},
{
"url": "/docs/using-fleet/supported-browsers",
"title": "Supported browsers",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--12-supported-browser--c3a9c18d40",
"sectionRelativeRepoPath": "01-Using-Fleet/12-Supported-browsers.md",
"meta": {}
},
{
"url": "/docs/using-fleet/vulnerability-processing",
"title": "Vulnerability processing",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--13-vulnerability-pro--7a9b62b621",
"sectionRelativeRepoPath": "01-Using-Fleet/13-Vulnerability-Processing.md",
"meta": {}
},
{
"url": "/docs/using-fleet/faq",
"title": "FAQ",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--faq--75e099695e",
"sectionRelativeRepoPath": "01-Using-Fleet/FAQ.md",
"meta": {}
},
{
"url": "/docs/using-fleet",
"title": "Using Fleet",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--readme--0b226f5257",
"sectionRelativeRepoPath": "01-Using-Fleet/README.md",
"meta": {}
},
{
"url": "/docs/using-fleet/learn-how-to-use-fleet",
"title": "Learn how to use Fleet",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--00-learn-how-to-use---95b515dfd1",
"sectionRelativeRepoPath": "01-Using-Fleet/00-Learn-how-to-use-Fleet.md",
"meta": {}
},
{
"url": "/docs/using-fleet/configuration-files",
"title": "Configuration files",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--readme--dc5df431cb",
"sectionRelativeRepoPath": "01-Using-Fleet/configuration-files/README.md",
"meta": {}
},
{
"url": "/docs/using-fleet/standard-query-library",
"title": "Standard query library",
"lastModifiedAt": 1632163704000,
"htmlId": "docs--readme--db16aa6f37",
"sectionRelativeRepoPath": "01-Using-Fleet/standard-query-library/README.md",
"meta": {}
}
],
"queries": [
{
"name": "Count Apple applications installed",
"platforms": "macOS",
"description": "Count the number of Apple applications installed on the machine.",
"query": "SELECT COUNT(*) FROM apps WHERE bundle_identifier LIKE 'com.apple.%';",
"purpose": "Informational",
"contributors": [
{
"name": "Mike Thomas",
"handle": "mike-j-thomas",
"avatarUrl": "https://avatars.githubusercontent.com/u/78363703?v=4",
"htmlUrl": "https://github.com/mike-j-thomas"
},
{
"name": null,
"handle": "noahtalerman",
"avatarUrl": "https://avatars.githubusercontent.com/u/47070608?v=4",
"htmlUrl": "https://github.com/noahtalerman"
},
{
"name": "Mike McNeil",
"handle": "mikermcneil",
"avatarUrl": "https://avatars.githubusercontent.com/u/618009?v=4",
"htmlUrl": "https://github.com/mikermcneil"
}
],
"slug": "count-apple-applications-installed",
"remediation": "N/A"
},
{
"name": "Get OpenSSL versions",
"platforms": "Linux",
"description": "Retrieves the OpenSSL version.",
"query": "SELECT name AS name, version AS version, 'deb_packages' AS source FROM deb_packages WHERE name LIKE 'openssl%' UNION SELECT name AS name, version AS version, 'apt_sources' AS source FROM apt_sources WHERE name LIKE 'openssl%' UNION SELECT name AS name, version AS version, 'rpm_packages' AS source FROM rpm_packages WHERE name LIKE 'openssl%';",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-open-ssl-versions",
"remediation": "N/A"
},
{
"name": "Get whether Gatekeeper is disabled",
"platforms": "macOS",
"description": "Gatekeeper tries to ensure only trusted software is run on a mac machine.",
"query": "SELECT * FROM gatekeeper WHERE assessments_enabled = 0;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-whether-gatekeeper-is-disabled",
"remediation": "N/A"
},
{
"name": "Get authorized SSH keys",
"platforms": "macOS, Linux",
"description": "Presence of authorized SSH keys may be unusual on laptops. Could be completely normal on servers, but may be worth auditing for unusual keys and/or changes.",
"query": "SELECT username, authorized_keys. * FROM users CROSS JOIN authorized_keys USING (uid);",
"purpose": "Informational",
"remediation": "N/A",
"contributors": [
{
"name": "Mike Thomas",
"handle": "mike-j-thomas",
"avatarUrl": "https://avatars.githubusercontent.com/u/78363703?v=4",
"htmlUrl": "https://github.com/mike-j-thomas"
}
],
"slug": "get-authorized-ssh-keys"
},
{
"name": "Get authorized keys for Local Accounts",
"platforms": "macOS, Linux",
"description": "List authorized_keys for each user on the system.",
"query": "SELECT * FROM users CROSS JOIN authorized_keys USING (uid);",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-authorized-keys-for-local-accounts",
"remediation": "N/A"
},
{
"name": "Get authorized keys for Domain Joined Accounts",
"platforms": "macOS, Linux",
"description": "List authorized_keys for each user on the system.",
"query": "SELECT * FROM users CROSS JOIN authorized_keys USING(uid) WHERE username IN (SELECT distinct(username) FROM last);",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-authorized-keys-for-domain-joined-accounts",
"remediation": "N/A"
},
{
"name": "Get crashes",
"platforms": "macOS",
"description": "Retrieve application, system, and mobile app crash logs.",
"query": "SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path FROM users CROSS JOIN crashes USING (uid);",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-crashes",
"remediation": "N/A"
},
{
"name": "Get installed Chrome Extensions",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "List installed Chrome Extensions for all users.",
"query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-installed-chrome-extensions",
"remediation": "N/A"
},
{
"name": "Get installed FreeBSD software",
"platforms": "FreeBSD",
"description": "Get all software installed on a FreeBSD computer, including browser plugins and installed packages. Note, this does not include other running processes in the processes table.",
"query": "SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Package (pkg)' AS type, 'pkg_packages' AS source FROM pkg_packages;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-installed-free-bsd-software",
"remediation": "N/A"
},
{
"name": "Get Homebrew Packages",
"platforms": "macOS",
"description": "Get the installed homebrew package database.",
"query": "SELECT * FROM homebrew_packages;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-homebrew-packages",
"remediation": "N/A"
},
{
"name": "Get installed Linux software",
"platforms": "Linux",
"description": "Get all software installed on a Linux computer, including browser plugins and installed packages. Note, this does not include other running processes in the processes table.",
"query": "SELECT name AS name, version AS version, 'Package (APT)' AS type, 'apt_sources' AS source FROM apt_sources UNION SELECT name AS name, version AS version, 'Package (deb)' AS type, 'deb_packages' AS source FROM deb_packages UNION SELECT package AS name, version AS version, 'Package (Portage)' AS type, 'portage_packages' AS source FROM portage_packages UNION SELECT name AS name, version AS version, 'Package (RPM)' AS type, 'rpm_packages' AS source FROM rpm_packages UNION SELECT name AS name, '' AS version, 'Package (YUM)' AS type, 'yum_sources' AS source FROM yum_sources UNION SELECT name AS name, version AS version, 'Package (NPM)' AS type, 'npm_packages' AS source FROM npm_packages UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-installed-linux-software",
"remediation": "N/A"
},
{
"name": "Get installed macOS software",
"platforms": "macOS",
"description": "Get all software installed on a macOS computer, including apps, browser plugins, and installed packages. Note, this does not include other running processes in the processes table.",
"query": "SELECT name AS name, bundle_short_version AS version, 'Application (macOS)' AS type, 'apps' AS source FROM apps UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name As name, version AS version, 'Browser plugin (Safari)' AS type, 'safari_extensions' AS source FROM safari_extensions UNION SELECT name AS name, version AS version, 'Package (Homebrew)' AS type, 'homebrew_packages' AS source FROM homebrew_packages;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-installed-mac-os-software",
"remediation": "N/A"
},
{
"name": "Get installed Safari extensions",
"platforms": "macOS",
"description": "Retrieves the list of installed Safari Extensions for all users in the target system.",
"query": "SELECT safari_extensions.* FROM users join safari_extensions USING (uid);",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-installed-safari-extensions",
"remediation": "N/A"
},
{
"name": "Get installed Windows software",
"platforms": "Windows",
"description": "Get all software installed on a Windows computer, including programs, browser plugins, and installed packages. Note, this does not include other running processes in the processes table.",
"query": "SELECT name AS name, version AS version, 'Program (Windows)' AS type, 'programs' AS source FROM programs UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Browser plugin (IE)' AS type, 'ie_extensions' AS source FROM ie_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name AS name, version AS version, 'Package (Chocolatey)' AS type, 'chocolatey_packages' AS source FROM chocolatey_packages UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-installed-windows-software",
"remediation": "N/A"
},
{
"name": "Get laptops with failing batteries",
"platforms": "macOS",
"description": null,
"query": "SELECT * FROM battery WHERE health != 'Good' AND condition NOT IN ('', 'Normal');",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-laptops-with-failing-batteries",
"remediation": "N/A"
},
{
"name": "Get macOS disk free space percentage",
"platforms": "macOS",
"description": "Displays the percentage of free space available on the primary disk partition.",
"query": "SELECT (blocks_available * 100 / blocks) AS pct, * FROM mounts WHERE path = '/';",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-mac-os-disk-free-space-percentage",
"remediation": "N/A"
},
{
"name": "Get mounts",
"platforms": "macOS, Linux",
"description": "Shows system mounted devices and filesystems (not process specific).",
"query": "SELECT device, device_alias, path, type, blocks_size FROM mounts;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-mounts",
"remediation": "N/A"
},
{
"name": "Get the version of the resident operating system",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Shows system mounted devices and filesystems (not process specific).",
"query": "SELECT * FROM os_version;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-the-version-of-the-resident-operating-system",
"remediation": "N/A"
},
{
"name": "Get platform info",
"platforms": "macOS",
"description": "Shows information about the host platform",
"query": "SELECT vendor, version, date, revision from platform_info;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-platform-info",
"remediation": "N/A"
},
{
"name": "Get startup items",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Shows applications and binaries set as user/login startup items.",
"query": "SELECT * FROM startup_items;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-startup-items",
"remediation": "N/A"
},
{
"name": "Get system logins and logouts",
"platforms": "macOS",
"description": "Get a list of system logins and logouts.",
"query": "SELECT * FROM last;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-system-logins-and-logouts",
"remediation": "N/A"
},
{
"name": "Get current users with active shell/console on the system",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Get current users with active shell/console on the system and associated process",
"query": "SELECT user,host,time, p.name, p.cmdline, p.cwd, p.root FROM logged_in_users liu, processes p WHERE liu.pid = p.pid and liu.type='user' and liu.user <> '' ORDER BY time;",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-current-users-with-active-shell-console-on-the-system",
"remediation": "N/A"
},
{
"name": "Get system uptime",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Shows the system uptime.",
"query": "SELECT * FROM uptime;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-system-uptime",
"remediation": "N/A"
},
{
"name": "Get USB devices",
"platforms": "macOS, Linux",
"description": "Shows all USB devices that are actively plugged into the host system.",
"query": "SELECT * FROM usb_devices;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-usb-devices",
"remediation": "N/A"
},
{
"name": "Get wifi status",
"platforms": "macOS",
"description": "Shows information about the wifi network that a host is currently connected to.",
"query": "SELECT * FROM wifi_status;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-wifi-status",
"remediation": "N/A"
},
{
"name": "Get Windows machines with unencrypted hard disks",
"platforms": "Windows",
"description": null,
"query": "SELECT * FROM bitlocker_info WHERE protection_status = 0;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-windows-machines-with-unencrypted-hard-disks",
"remediation": "N/A"
},
{
"name": "Get disk encryption status",
"platforms": "macOS, Linux",
"description": "Disk encryption status and information.",
"query": "SELECT * FROM disk_encryption;",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-disk-encryption-status",
"remediation": "N/A"
},
{
"name": "Get unencrypted SSH keys for local accounts",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Identify SSH keys created without a passphrase, which can be used for Lateral Movement (MITRE TA0008)",
"query": "SELECT uid, username, description, path, encrypted FROM users CROSS JOIN user_ssh_keys using (uid) WHERE encrypted=0;",
"purpose": "Informational",
"remediation": "N/A",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-unencrypted-ssh-keys-for-local-accounts"
},
{
"name": "Get unencrypted SSH keys for domain joined accounts",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Identify SSH keys created without a passphrase, which can be used for Lateral Movement (MITRE TA0008)",
"query": "SELECT uid, username, description, path, encrypted FROM users CROSS JOIN user_ssh_keys using (uid) WHERE encrypted=0 and username in (SELECT distinct(username) FROM last);",
"purpose": "Informational",
"remediation": "N/A",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-unencrypted-ssh-keys-for-domain-joined-accounts"
},
{
"name": "Get crontab jobs",
"platforms": "macOS, Linux",
"description": "Line parsed values from system and user cron/tab.",
"query": "SELECT * FROM crontab;",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-crontab-jobs",
"remediation": "N/A"
},
{
"name": "Get suid binaries",
"platforms": "macOS, Linux",
"description": "suid binaries in common locations.",
"query": "SELECT * FROM suid_bin;",
"purpose": "Informational",
"contributors": [
{
"name": "Zach Wasserman",
"handle": "zwass",
"avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
"htmlUrl": "https://github.com/zwass"
}
],
"slug": "get-suid-binaries",
"remediation": "N/A"
},
{
"name": "Get dynamic linker hijacking on Linux (MITRE. T1574.006)",
"platforms": "Linux",
"description": "Detect any processes that run with the LD_PRELOAD environment variable set",
"query": "SELECT env.pid, env.key, env.value, p.name,p.path, p.cmdline, p.cwd FROM process_envs env join processes p USING (pid) WHERE key='LD_PRELOAD';",
"purpose": "Informational",
"remediation": "N/A",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-dynamic-linker-hijacking-on-linux-mitre-t-1574-006"
},
{
"name": "Get dynamic linker hijacking on macOS (MITRE. T1574.006)",
"platforms": "macOS",
"description": "Detect any processes that run with the DYLD_INSERT_LIBRARIES environment variable set",
"query": "SELECT env.pid, env.key, env.value, p.name,p.path, p.cmdline, p.cwd FROM process_envs env join processes p USING (pid) WHERE key='DYLD_INSERT_LIBRARIES';",
"purpose": "Informational",
"remediation": "N/A",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-dynamic-linker-hijacking-on-mac-os-mitre-t-1574-006"
},
{
"name": "Get etc hosts entries",
"platforms": "macOS, Linux",
"description": "Line-parsed /etc/hosts",
"query": "SELECT * FROM etc_hosts WHERE address not in ('127.0.0.1', '::1');",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-etc-hosts-entries",
"remediation": "N/A"
},
{
"name": "Get network interfaces",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Network interfaces and their MAC addresses",
"query": "SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface) WHERE address not in ('127.0.0.1', '::1');",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-network-interfaces",
"remediation": "N/A"
},
{
"name": "Get local user accounts",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Local user accounts (including domain accounts that have logged on locally (Windows)).",
"query": "SELECT uid, gid, username, description,directory, shell FROM users;",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-local-user-accounts",
"remediation": "N/A"
},
{
"name": "Get active user accounts on servers",
"platforms": "Linux",
"description": "Domain-joined environments normally have only root or other service accounts, and users SSH in using their domain accounts.",
"query": "SELECT * FROM shadow WHERE password_status='active' and username!='root';",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-active-user-accounts-on-servers",
"remediation": "N/A"
},
{
"name": "Get Nmap scanner",
"platforms": "macOS, Linux, Windows, FreeBSD",
"description": "Get Nmap scanner process, as well as its user, parent, and process details.",
"query": "SELECT p.pid, name, p.path, cmdline, cwd, start_time, parent, (SELECT name FROM processes WHERE pid=p.parent) AS parent_name, (SELECT username FROM users WHERE uid=p.uid) AS username FROM processes as p WHERE cmdline like 'nmap%';",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-nmap-scanner",
"remediation": "N/A"
},
{
"name": "Get docker images on a system",
"platforms": "macOS, Linux",
"description": "Docker image information; can be used on a normal system or a kubenode.",
"query": "SELECT * FROM docker_images;",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-docker-images-on-a-system",
"remediation": "N/A"
},
{
"name": "Get docker running containers on a system",
"platforms": "macOS, Linux",
"description": "Docker container information; can be used on a normal system or a Kubernetes node.",
"query": "SELECT * FROM docker_containers;",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-docker-running-containers-on-a-system",
"remediation": "N/A"
},
{
"name": "Get docker running process on a system",
"platforms": "macOS, Linux",
"description": "Docker container processes; can be used on a normal system or a Kubernetes node.",
"query": "SELECT c.id, c.name, c.image, c.image_id, c.command, c.created, c.state, c.status, p.cmdline FROM docker_containers c CROSS JOIN docker_container_processes p using(id);",
"purpose": "Informational",
"contributors": [
{
"name": "Ahmed Elshaer",
"handle": "anelshaer",
"avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
"htmlUrl": "https://github.com/anelshaer"
}
],
"slug": "get-docker-running-process-on-a-system",
"remediation": "N/A"
},
{
"name": "Get Windows print spooler remote code execution vulnerability",
"platforms": "Windows",
"description": "Detects devices that are potentially vulnerable to CVE-2021-1675 because the print spooler service is not disabled.",
"query": "SELECT CASE cnt WHEN 2 THEN \"TRUE\" ELSE \"FALSE\" END \"Vulnerable\" FROM (SELECT name start_type, COUNT(name) AS cnt FROM services WHERE name = 'NTDS' or (name = 'Spooler' and start_type <> 'DISABLED')) WHERE cnt = 2;",
"purpose": "Informational",
"contributors": [
{
"name": null,
"handle": "maravedi",
"avatarUrl": "https://avatars.githubusercontent.com/u/9169890?v=4",
"htmlUrl": "https://github.com/maravedi"
}
],
"slug": "get-windows-print-spooler-remote-code-execution-vulnerability",
"remediation": "N/A"
},
{
"name": "Get local users and their privileges",
"platforms": "macOS, Linux, Windows",
"description": "Collects the local user accounts and their respective user group.",
"query": "SELECT uid, username, type, groupname FROM users u JOIN groups g ON g.gid = u.gid;",
"purpose": "Informational",
"contributors": [
{
"name": null,
"handle": "noahtalerman",
"avatarUrl": "https://avatars.githubusercontent.com/u/47070608?v=4",
"htmlUrl": "https://github.com/noahtalerman"
}
],
"slug": "get-local-users-and-their-privileges",
"remediation": "N/A"
},
{
"name": "Get processes that no longer exist on disk",
"platforms": "Linux, macOS, Windows",
"description": "Lists all processes whose launching binary no longer exists on disk. Attackers often delete files from disk after launching a process to mask their presence.",
"query": "SELECT name, path, pid FROM processes WHERE on_disk = 0;",
"purpose": "Incident response",
"contributors": [
{
"name": "AndrewB",
"handle": "alphabrevity",
"avatarUrl": "https://avatars.githubusercontent.com/u/3847973?v=4",
"htmlUrl": "https://github.com/alphabrevity"
}
],
"slug": "get-processes-that-no-longer-exist-on-disk",
"remediation": "N/A"
},
{
"name": "Get user files matching a specific hash",
"platforms": "macOS, Linux",
"description": "Looks for a specific hash in the /Users/ directories, for files smaller than 50MB (an osquery file size limitation).",
"query": "SELECT path,sha256 FROM hash WHERE path in (SELECT path FROM file WHERE size < 50000000 AND path LIKE \"/Users/%/Documents/%%\") AND sha256 = \"16d28cd1d78b823c4f961a6da78d67a8975d66cde68581798778ed1f98a56d75\";",
"purpose": "Informational",
"contributors": [
{
"name": "AndrewB",
"handle": "alphabrevity",
"avatarUrl": "https://avatars.githubusercontent.com/u/3847973?v=4",
"htmlUrl": "https://github.com/alphabrevity"
}
],
"slug": "get-user-files-matching-a-specific-hash",
"remediation": "N/A"
},
{
"name": "Get local administrator accounts on macOS",
"platforms": "macOS",
"description": "The query allows you to check macOS systems for local administrator accounts.",
"query": "SELECT uid, username, type, groupname FROM users u JOIN groups g ON g.gid = u.gid;",
"purpose": "Informational",
"contributors": [
{
"name": "AndrewB",
"handle": "alphabrevity",
"avatarUrl": "https://avatars.githubusercontent.com/u/3847973?v=4",
"htmlUrl": "https://github.com/alphabrevity"
}
],
"slug": "get-local-administrator-accounts-on-mac-os",
"remediation": "N/A"
},
{
"name": "Get all listening ports, by process",
"platforms": "Linux, macOS, Windows",
"description": "List ports that are listening on all interfaces, along with the process to which they are attached.",
"query": "SELECT lp.address, lp.pid, lp.port, lp.protocol, p.name, p.path, p.cmdline FROM listening_ports lp JOIN processes p ON lp.pid = p.pid WHERE lp.address = \"0.0.0.0\";",
"purpose": "Informational",
"contributors": [
{
"name": "AndrewB",
"handle": "alphabrevity",
"avatarUrl": "https://avatars.githubusercontent.com/u/3847973?v=4",
"htmlUrl": "https://github.com/alphabrevity"
}
],
"slug": "get-all-listening-ports-by-process",
"remediation": "N/A"
},
{
"name": "Get whether TeamViewer is installed/running",
"platforms": "Windows",
"description": "Looks for the TeamViewer service running on machines. This is often used after attackers gain access to a machine: they run TeamViewer so that they can access the machine again.",
"query": "SELECT display_name,status,s.pid,p.path FROM services AS s JOIN processes AS p USING(pid) WHERE s.name LIKE \"%teamviewer%\";",
"purpose": "Informational",
"contributors": [
{
"name": "AndrewB",
"handle": "alphabrevity",
"avatarUrl": "https://avatars.githubusercontent.com/u/3847973?v=4",
"htmlUrl": "https://github.com/alphabrevity"
}
],
"slug": "get-whether-team-viewer-is-installed-running",
"remediation": "N/A"
},
{
"name": "Get malicious Python backdoors",
"platforms": "macOS, Linux, Windows",
"description": "Watches for backdoored Python packages installed on the system. See http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html",
"query": "select case cnt when 0 then \"NONE_INSTALLED\" else \"INSTALLED\" end as \"Malicious Python Packages\",package_name,package_version from (select count(name) as cnt,name as package_name,version as package_version,path as package_path from python_packages where package_name in ('acqusition','apidev-coop','bzip','crypt','django-server','pwd','setup-tools','telnet','urlib3','urllib'));",
"purpose": "Informational",
"contributors": [
{
"name": "AndrewB",
"handle": "alphabrevity",
"avatarUrl": "https://avatars.githubusercontent.com/u/3847973?v=4",
"htmlUrl": "https://github.com/alphabrevity"
}
],
"slug": "get-malicious-python-backdoors",
"remediation": "N/A"
}
],
"queryLibraryYmlRepoPath": "docs/01-Using-Fleet/standard-query-library/standard-query-library.yml",
"compiledPagePartialsAppPath": "views/partials/built-from-markdown"
}
}