osquery-1/specs/suid_bin.table

table_name("suid_bin")
description("suid binaries in common locations.")
schema([
    Column("path", TEXT, "Binary path"),
    Column("username", TEXT, "Binary owner username"),
    Column("groupname", TEXT, "Binary owner group"),
    Column("permissions", TEXT, "Binary permissions"),
])
implementation("suid_bin@genSuidBin")
Add suid_bin vtable The vtabel report : - path: full path of the file - unix_user: name of the owner (if not available display the uid) - unix_group: name of the groupe (if not available display the gid) - permissions: report suid or guid * S for suid bin * G for guid bin Example : osquery> select * from suid_bin; +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ \| path \| unix_user \| unix_group \| permissions \| +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ \| "/bin/ps" \| root \| wheel \| S \| \| "/bin/rcp" \| root \| wheel \| S \| \| "/Users/vmauge/suid_test" \| vmauge \| 999 \| SG \| \| "/usr/bin/at" \| root \| wheel \| S \| \| "/usr/bin/atq" \| root \| wheel \| S \| \| "/usr/bin/atrm" \| root \| wheel \| S \| \| "/usr/bin/batch" \| root \| wheel \| S \| \| "/usr/bin/crontab" \| root \| wheel \| S \| \| "/usr/bin/ipcs" \| root \| wheel \| S \| \| "/usr/bin/lockfile" \| root \| mail \| G \| \| "/usr/bin/login" \| root \| wheel \| S \| \| "/usr/bin/newgrp" \| root \| wheel \| S \| \| "/usr/bin/procmail" \| root \| mail \| G \| \| "/usr/bin/quota" \| root \| wheel \| S \| \| "/usr/bin/rlogin" \| root \| wheel \| S \| \| "/usr/bin/rsh" \| root \| wheel \| S \| \| "/usr/bin/su" \| root \| wheel \| S \| \| "/usr/bin/sudo" \| root \| wheel \| S \| \| "/usr/bin/top" \| root \| wheel \| S \| \| "/usr/bin/wall" \| root \| tty \| G \| \| "/usr/bin/write" \| root \| tty \| G \| \| "/usr/sbin/postdrop" \| root \| _postdrop \| G \| \| "/usr/sbin/postqueue" \| root \| _postdrop \| G \| \| "/usr/sbin/rpc.net" \| root \| wheel \| S \| \| "/usr/sbin/rpcset" \| root \| wheel \| S \| \| "/usr/sbin/traceroute" \| root \| wheel \| S \| \| "/usr/sbin/traceroute6" \| root \| wheel \| S \| +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ This commit fixes issue #253. 2014-10-29 05:08:10 +00:00			`table_name("suid_bin")`
Addind all the missing descriptions for tables 2015-02-07 03:05:50 +00:00			`description("suid binaries in common locations.")`
Add suid_bin vtable The vtabel report : - path: full path of the file - unix_user: name of the owner (if not available display the uid) - unix_group: name of the groupe (if not available display the gid) - permissions: report suid or guid * S for suid bin * G for guid bin Example : osquery> select * from suid_bin; +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ \| path \| unix_user \| unix_group \| permissions \| +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ \| "/bin/ps" \| root \| wheel \| S \| \| "/bin/rcp" \| root \| wheel \| S \| \| "/Users/vmauge/suid_test" \| vmauge \| 999 \| SG \| \| "/usr/bin/at" \| root \| wheel \| S \| \| "/usr/bin/atq" \| root \| wheel \| S \| \| "/usr/bin/atrm" \| root \| wheel \| S \| \| "/usr/bin/batch" \| root \| wheel \| S \| \| "/usr/bin/crontab" \| root \| wheel \| S \| \| "/usr/bin/ipcs" \| root \| wheel \| S \| \| "/usr/bin/lockfile" \| root \| mail \| G \| \| "/usr/bin/login" \| root \| wheel \| S \| \| "/usr/bin/newgrp" \| root \| wheel \| S \| \| "/usr/bin/procmail" \| root \| mail \| G \| \| "/usr/bin/quota" \| root \| wheel \| S \| \| "/usr/bin/rlogin" \| root \| wheel \| S \| \| "/usr/bin/rsh" \| root \| wheel \| S \| \| "/usr/bin/su" \| root \| wheel \| S \| \| "/usr/bin/sudo" \| root \| wheel \| S \| \| "/usr/bin/top" \| root \| wheel \| S \| \| "/usr/bin/wall" \| root \| tty \| G \| \| "/usr/bin/write" \| root \| tty \| G \| \| "/usr/sbin/postdrop" \| root \| _postdrop \| G \| \| "/usr/sbin/postqueue" \| root \| _postdrop \| G \| \| "/usr/sbin/rpc.net" \| root \| wheel \| S \| \| "/usr/sbin/rpcset" \| root \| wheel \| S \| \| "/usr/sbin/traceroute" \| root \| wheel \| S \| \| "/usr/sbin/traceroute6" \| root \| wheel \| S \| +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ This commit fixes issue #253. 2014-10-29 05:08:10 +00:00			`schema([`
Adding description to all the missing table fields 2015-07-16 06:23:42 +00:00			`Column("path", TEXT, "Binary path"),`
			`Column("username", TEXT, "Binary owner username"),`
			`Column("groupname", TEXT, "Binary owner group"),`
			`Column("permissions", TEXT, "Binary permissions"),`
Add suid_bin vtable The vtabel report : - path: full path of the file - unix_user: name of the owner (if not available display the uid) - unix_group: name of the groupe (if not available display the gid) - permissions: report suid or guid * S for suid bin * G for guid bin Example : osquery> select * from suid_bin; +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ \| path \| unix_user \| unix_group \| permissions \| +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ \| "/bin/ps" \| root \| wheel \| S \| \| "/bin/rcp" \| root \| wheel \| S \| \| "/Users/vmauge/suid_test" \| vmauge \| 999 \| SG \| \| "/usr/bin/at" \| root \| wheel \| S \| \| "/usr/bin/atq" \| root \| wheel \| S \| \| "/usr/bin/atrm" \| root \| wheel \| S \| \| "/usr/bin/batch" \| root \| wheel \| S \| \| "/usr/bin/crontab" \| root \| wheel \| S \| \| "/usr/bin/ipcs" \| root \| wheel \| S \| \| "/usr/bin/lockfile" \| root \| mail \| G \| \| "/usr/bin/login" \| root \| wheel \| S \| \| "/usr/bin/newgrp" \| root \| wheel \| S \| \| "/usr/bin/procmail" \| root \| mail \| G \| \| "/usr/bin/quota" \| root \| wheel \| S \| \| "/usr/bin/rlogin" \| root \| wheel \| S \| \| "/usr/bin/rsh" \| root \| wheel \| S \| \| "/usr/bin/su" \| root \| wheel \| S \| \| "/usr/bin/sudo" \| root \| wheel \| S \| \| "/usr/bin/top" \| root \| wheel \| S \| \| "/usr/bin/wall" \| root \| tty \| G \| \| "/usr/bin/write" \| root \| tty \| G \| \| "/usr/sbin/postdrop" \| root \| _postdrop \| G \| \| "/usr/sbin/postqueue" \| root \| _postdrop \| G \| \| "/usr/sbin/rpc.net" \| root \| wheel \| S \| \| "/usr/sbin/rpcset" \| root \| wheel \| S \| \| "/usr/sbin/traceroute" \| root \| wheel \| S \| \| "/usr/sbin/traceroute6" \| root \| wheel \| S \| +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ This commit fixes issue #253. 2014-10-29 05:08:10 +00:00			`])`
			`implementation("suid_bin@genSuidBin")`