mirror of
https://github.com/valitydev/osquery-1.git
synced 2024-11-07 01:55:20 +00:00
253 lines
9.9 KiB
Plaintext
253 lines
9.9 KiB
Plaintext
{
|
|
"queries": {
|
|
"osquery_info": {
|
|
"query" : "select * from time, osquery_info;",
|
|
"interval" : "86400",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves the current version of the running osquery in the target system and where the configuration was loaded from.",
|
|
"value" : "Identify if your infrastructure is running the correct osquery version and which hosts may have drifted"
|
|
},
|
|
"ad_config": {
|
|
"query" : "select * from ad_config;",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves the Active Directory configuration for the target machine, attached to the domain (requires sudo).",
|
|
"value" : "Helps you debug domain binding / Active Directory issues in your environment."
|
|
},
|
|
"kernel_info": {
|
|
"query" : "select * from kernel_info;",
|
|
"interval" : "86400",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves information from the current kernel in the target system.",
|
|
"value" : "Identify out of date kernels or version drift across your infrastructure"
|
|
},
|
|
"os_version": {
|
|
"query" : "select * from os_version;",
|
|
"interval" : "86400",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves information from the Operative System where osquery is currently running.",
|
|
"value" : "Identify out of date operating systems or version drift across your infrastructure"
|
|
},
|
|
"alf": {
|
|
"query" : "select * from alf;",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves the configuration values for the Application Layer Firewall for OSX.",
|
|
"value" : "Verify firewall settings are as expected"
|
|
},
|
|
"alf_exceptions": {
|
|
"query" : "select * from alf_exceptions;",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves the exceptions for the Application Layer Firewall in OSX.",
|
|
"value" : "Verify firewall settings are as expected"
|
|
},
|
|
"alf_services": {
|
|
"query" : "select * from alf_services;",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves the services for the Application Layer Firewall in OSX.",
|
|
"value" : "Verify firewall settings are as expected"
|
|
},
|
|
"alf_explicit_auths": {
|
|
"query" : "select * from alf_explicit_auths;",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves the list of processes with explicit authorization for the Application Layer Firewall.",
|
|
"value" : "Verify firewall settings are as expected"
|
|
},
|
|
"mounts": {
|
|
"query" : "select * from mounts;",
|
|
"interval" : "86400",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves the current list of mounted drives in the target system.",
|
|
"value" : "Verify if mounts are accessible to those who need it"
|
|
},
|
|
"nfs_shares": {
|
|
"query" : "select * from nfs_shares;",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves the current list of Network File System mounted shares.",
|
|
"value" : "Verify if shares are accessible to those who need it"
|
|
},
|
|
"windows_shared_resources": {
|
|
"query" : "select * from shared_resources;",
|
|
"interval" : "86400",
|
|
"platform" : "windows",
|
|
"version" : "2.0.0",
|
|
"description" : "Retrieves the list of shared resources in the target Windows system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"browser_plugins": {
|
|
"query" : "select * from users join browser_plugins using (uid);",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves the list of C/NPAPI browser plugins in the target system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"safari_extensions": {
|
|
"query" : "select * from users join safari_extensions using (uid);",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves the list of extensions for Safari in the target system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"chrome_extensions": {
|
|
"query" : "select * from users join chrome_extensions using (uid);",
|
|
"interval" : "86400",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves the list of extensions for Chrome in the target system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"firefox_addons": {
|
|
"query" : "select * from users join firefox_addons using (uid);",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves the list of addons for Firefox in the target system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"homebrew_packages": {
|
|
"query" : "select * from homebrew_packages;",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves the list of brew packages installed in the target OSX system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"windows_programs": {
|
|
"query" : "select * from programs;",
|
|
"interval" : "86400",
|
|
"platform" : "windows",
|
|
"version" : "2.0.0",
|
|
"description" : "Retrieves the list of products as they are installed by Windows Installer in the target Windows system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"windows_patches": {
|
|
"query" : "select * from patches;",
|
|
"interval" : "86400",
|
|
"platform" : "windows",
|
|
"version" : "2.2.0",
|
|
"description" : "Retrieves all the information for the current windows drivers in the target Windows system."
|
|
},
|
|
"package_receipts": {
|
|
"query" : "select * from package_receipts;",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves all the PKG related information stored in OSX.",
|
|
"value" : "General security posture."
|
|
},
|
|
"usb_devices": {
|
|
"query" : "select * from usb_devices;",
|
|
"interval" : "86400",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves the current list of USB devices in the target system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"keychain_items": {
|
|
"query" : "select * from keychain_items;",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves all the items contained in the keychain in the target OSX system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"deb_packages": {
|
|
"query" : "select * from deb_packages;",
|
|
"interval" : "86400",
|
|
"platform" : "ubuntu",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves all the installed DEB packages in the target Linux system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"apt_sources": {
|
|
"query" : "select * from apt_sources;",
|
|
"interval" : "86400",
|
|
"platform" : "ubuntu",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves all the APT sources to install packages from in the target Linux system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"portage_packages": {
|
|
"query" : "select * from portage_use;",
|
|
"interval" : "86400",
|
|
"platform" : "gentoo",
|
|
"version" : "2.0.0",
|
|
"description" : "Retrieves all the packages installed with portage from the target Linux system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"kernel_modules": {
|
|
"query" : "select * from kernel_modules;",
|
|
"interval" : "86400",
|
|
"platform" : "linux",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves the current list of loaded kernel modules in the target Linux system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"windows_drivers": {
|
|
"query" : "select * from drivers;",
|
|
"interval" : "86400",
|
|
"platform" : "windows",
|
|
"version" : "2.2.0",
|
|
"description" : "Retrieves all the information for the current windows drivers in the target Windows system."
|
|
},
|
|
"rpm_packages": {
|
|
"query" : "select * from rpm_packages;",
|
|
"interval" : "86400",
|
|
"platform" : "linux",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves all the installed RPM packages in the target Linux system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"installed_applications": {
|
|
"query" : "select * from apps;",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves all the currently installed applications in the target OSX system.",
|
|
"value" : "Find currently installed applications and versions of each."
|
|
},
|
|
"disk_encryption": {
|
|
"query" : "select * from disk_encryption;",
|
|
"interval" : "86400",
|
|
"version" : "1.4.5",
|
|
"platform" : "posix",
|
|
"description" : "Retrieves the current disk encryption status for the target system.",
|
|
"value" : "Identifies a system potentially vulnerable to disk cloning."
|
|
},
|
|
"launchd": {
|
|
"query" : "select * from launchd;",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves all the daemons that will run in the start of the target OSX system.",
|
|
"value" : "Visibility on what starts in the system."
|
|
},
|
|
"iptables": {
|
|
"query" : "select * from iptables;",
|
|
"interval" : "86400",
|
|
"platform" : "linux",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves the current filters and chains per filter in the target system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"sip_config": {
|
|
"query" : "select * from sip_config;",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.7.0",
|
|
"description" : "Retrieves the current System Integrity Protection configuration in the target system.",
|
|
"value" : "General security posture."
|
|
}
|
|
}
|
|
}
|