{
  "queries": {
    "kernel_info": {
      "query" : "select * from kernel_info;",
      "interval" : "86400",
      "version" : "1.4.5",
      "description" : "Retrieves information from the current kernel in the target system.",
      "value" : "Kernel version can tell you vulnerabilities based on the version"
    },
    "os_version": {
      "query" : "select * from os_version;",
      "interval" : "86400",
      "version" : "1.4.5",
      "description" : "Retrieves the current version of the running osquery in the target system and where the configuration was loaded from.",
      "value" : "OS version will tell which distribution the OS is running on, allowing to detect the main distribution"
    },
    "kextstat": {
      "query" : "select * from kernel_extensions;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the information about the current kernel extensions for the target OSX system.",
      "value" : "Only for OS X.  It may pinpoint inserted modules that can carry malicious payloads."
    },
    "kernel_modules": {
      "query" : "select * from kernel_modules;",
      "interval" : "86400",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves all the information for the current kernel modules in the target Linux system.",
      "value" : "Only for Linux.  It may pinpoint inserted modules that can carry malicious payloads."
    },
    "installed_applications": {
      "query" : "select * from apps;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the currently installed applications in the target OSX system.",
      "value" : "This, with the help of a vulnerability feed, can help tell if a vulnerable application is installed."
    },
    "browser_plugins": {
      "query" : "select browser_plugins.* from users join browser_plugins using (uid);",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.6.1",
      "description" : "Retrieves the list of C/NPAPI browser plugins in the target system.",
      "value" : "General security posture."
    },
    "safari_extensions": {
      "query" : "select safari_extensions.* from users join safari_extensions using (uid);",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.6.1",
      "description" : "Retrieves the list of extensions for Safari in the target system.",
      "value" : "General security posture."
    },
    "opera_extensions": {
      "query" : "select opera_extensions.* from users join opera_extensions using (uid);",
      "interval" : "86400",
      "platform" : "posix",
      "version" : "1.6.1",
      "description" : "Retrieves the list of extensions for Opera in the target system.",
      "value" : "General security posture."
    },
    "chrome_extensions": {
      "query" : "select chrome_extensions.* from users join chrome_extensions using (uid);",
      "interval" : "86400",
      "version" : "1.6.1",
      "description" : "Retrieves the list of extensions for Chrome in the target system.",
      "value" : "General security posture."
    },
    "firefox_addons": {
      "query" : "select firefox_addons.* from users join firefox_addons using (uid);",
      "interval" : "86400",
      "platform" : "posix",
      "version" : "1.6.1",
      "description" : "Retrieves the list of addons for Firefox in the target system.",
      "value" : "General security posture."
    },
    "homebrew_packages": {
      "query" : "select * from homebrew_packages;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the list of brew packages installed in the target OSX system.",
      "value" : "This, with the help of a vulnerability feed, can help tell if a vulnerable application is installed."
    },
    "package_receipts": {
      "query" : "select * from package_receipts;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the PKG related information stored in OSX.",
      "value" : "It could give you a trail of installed/deleted packages"
    },
    "deb_packages": {
      "query" : "select * from deb_packages;",
      "interval" : "86400",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves all the installed DEB packages in the target Linux system.",
      "value" : "This, with the help of vulnerability feed, can help tell if a vulnerable application is installed."
    },
    "apt_sources": {
      "query" : "select * from apt_sources;",
      "interval" : "86400",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves all the APT sources to install packages from in the target Linux system.",
      "value" : "In the future this may not have a lot of value as we expect to have installed only signed packages"
    },
    "portage_packages": {
      "query" : "select * from portage_packages;",
      "interval" : "86400",
      "platform" : "linux",
      "version" : "2.0.0",
      "description" : "Retrieves all the installed packages on the target Linux system.",
      "value" : "This, with the help of vulnerability feed, can help tell if a vulnerable application is installed."
    },
    "rpm_packages": {
      "query" : "select * from rpm_packages;",
      "interval" : "86400",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves all the installed RPM packages in the target Linux system.",
      "value" : "This, with the help of vulnerability feed, can help tell if a vulnerable application is installed."
    },
    "unauthenticated_sparkle_feeds": {
      "query" : "select feeds.*, p2.value as sparkle_version from (select a.name as app_name, a.path as app_path, a.bundle_identifier as bundle_id, p.value as feed_url from (select name, path, bundle_identifier from apps) a, plist p where p.path = a.path || '/Contents/Info.plist' and p.key = 'SUFeedURL' and feed_url like 'http://%') feeds left outer join plist p2 on p2.path = app_path || '/Contents/Frameworks/Sparkle.framework/Resources/Info.plist' where (p2.key = 'CFBundleShortVersionString' OR coalesce(p2.key, '') = '');",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all application bundles using unauthenticated Sparkle update feeds. See (https://vulnsec.com/2016/osx-apps-vulnerabilities/) for details.",
      "value" : "Tracking vulnerable applications updates may allow blocking of DNS or removal by BundleID."
    },
    "backdoored_python_packages": {
      "query" : "select name as package_name, version as package_version, path as package_path from python_packages where package_name = 'acqusition' or package_name = 'apidev-coop' or package_name = 'bzip' or package_name = 'crypt' or package_name = 'django-server' or package_name = 'pwd' or package_name = 'setup-tools' or package_name = 'telnet' or package_name = 'urlib3' or package_name = 'urllib';",
      "interval" : "86400",
      "platform" : "posix",
      "version" : "1.4.5",
      "description" : "Watches for the backdoored Python packages installed on system. See (http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html)",
      "value" : "Gives some assurances that no bad Python packages are installed on the system."
    }
  }
}