osquery-1/packs/vuln-management.conf

{
  "queries": {
    "kernel_info": {
      "query" : "select * from kernel_info;",
      "interval" : "86400",
      "version" : "1.4.5",
      "description" : "Retrieves information from the current kernel in the target system.",
      "value" : "Kernel version can tell you vulnerabilities based on the version"
    },
    "os_version": {
      "query" : "select * from os_version;",
      "interval" : "86400",
      "version" : "1.4.5",
      "description" : "Retrieves the current version of the running osquery in the target system and where the configuration was loaded from.",
      "value" : "OS version will tell which distribution the OS is running on, allowing to detect the main distribution"
    },
    "kextstat": {
      "query" : "select * from kernel_extensions;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the information about the current kernel extensions for the target OSX system.",
      "value" : "Only for OS X.  It may pinpoint inserted modules that can carry malicious payloads."
    },
    "kernel_modules": {
      "query" : "select * from kernel_modules;",
      "interval" : "86400",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves all the information for the current kernel modules in the target Linux system.",
      "value" : "Only for Linux.  It may pinpoint inserted modules that can carry malicious payloads."
    },
    "installed_applications": {
      "query" : "select * from apps;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the currently installed applications in the target OSX system.",
      "value" : "This, with the help of a vulnerability feed, can help tell if a vulnerable application is installed."
    },
    "browser_plugins": {
      "query" : "select browser_plugins.* from users join browser_plugins using (uid);",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the list of C/NPAPI browser plugins in the target system.",
      "value" : "General security posture."
    },
    "safari_extensions": {
      "query" : "select safari_extensions.* from users join safari_extensions using (uid);",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the list of extensions for Safari in the target system.",
      "value" : "General security posture."
    },
    "chrome_extensions": {
      "query" : "select chrome_extensions.* from users join chrome_extensions using (uid);",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the list of extensions for Chrome in the target system.",
      "value" : "General security posture."
    },
    "firefox_addons": {
      "query" : "select firefox_addons.* from users join firefox_addons using (uid);",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the list of addons for Firefox in the target system.",
      "value" : "General security posture."
    },
    "homebrew_packages": {
      "query" : "select * from homebrew_packages;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves the list of brew packages installed in the target OSX system.",
      "value" : "This, with the help of a vulnerability feed, can help tell if a vulnerable application is installed."
    },
    "package_receipts": {
      "query" : "select * from package_receipts;",
      "interval" : "86400",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the PKG related information stored in OSX.",
      "value" : "It could give you a trail of installed/deleted packages"
    },
    "deb_packages": {
      "query" : "select * from deb_packages;",
      "interval" : "86400",
      "platform" : "ubuntu",
      "version" : "1.4.5",
      "description" : "Retrieves all the installed DEB packages in the target Linux system.",
      "value" : "This, with the help of vulnerability feed, can help tell if a vulnerable application is installed."
    },
    "apt_sources": {
      "query" : "select * from apt_sources;",
      "interval" : "86400",
      "platform" : "ubuntu",
      "version" : "1.4.5",
      "description" : "Retrieves all the APT sources to install packages from in the target Linux system.",
      "value" : "In the future this may not have a lot of value as we expect to have installed only signed packages"
    },
    "rpm_packages": {
      "query" : "select * from rpm_packages;",
      "interval" : "86400",
      "platform" : "redhat,centos",
      "version" : "1.4.5",
      "description" : "Retrieves all the installed RPM packages in the target Linux system.",
      "value" : "This, with the help of vulnerability feed, can help tell if a vulnerable application is installed."
    }
  }
}