{
"queries": {
"acpi_tables": {
"query": "select * from acpi_tables;",
"interval": 86400,
"platform": "posix",
"version": "1.3.0",
"description": "General reporting and heuristics monitoring."
},
"cpuid": {
"query": "select feature, value, output_register, output_bit, input_eax from cpuid;",
"interval": 86400,
"version": "1.0.4",
"description": "General reporting and heuristics monitoring."
},
"smbios_tables": {
"query": "select * from smbios_tables;",
"interval": 86400,
"platform": "posix",
"version": "1.3.0",
"description": "General reporting and heuristics monitoring."
},
"nvram": {
"query": "select * from nvram where name not in ('backlight-level', 'SystemAudioVolumeDB', 'SystemAudioVolume');",
"interval": 7200,
"platform": "darwin",
"version": "1.0.2",
"description": "Report on crashes, alternate boots, and boot arguments."
},
"kernel_info": {
"query": "select * from kernel_info join hash using (path);",
"interval": 7200,
"version": "1.4.0",
"description": "Report the booted kernel, potential arguments, and the device."
},
"pci_devices": {
"query": "select * from pci_devices;",
"interval": 7200,
"platform": "posix",
"version": "1.0.4",
"description": "Report an inventory of PCI devices. Attaches and detaches will show up in hardware_events."
},
"fan_speeds": {
"query": "select * from fan_speed_sensors;",
"interval": 7200,
"platform": "darwin",
"version": "1.7.1",
"description": "Report current fan speeds in the target OSX system."
},
"temperatures": {
"query": "select * from temperature_sensors;",
"interval": 7200,
"platform": "darwin",
"version": "1.7.1",
"description": "Report current machine temperatures in the target OSX system."
},
"usb_devices": {
"query": "select * from usb_devices;",
"interval": 7200,
"platform": "posix",
"version": "1.2.0",
"description": "Report an inventory of USB devices. Attaches and detaches will show up in hardware_events."
},
"hardware_events": {
"query" : "select * from hardware_events where path <> '' or model <> '';",
"interval" : 7200,
"platform": "posix",
"removed": false,
"version" : "1.4.5",
"description" : "Retrieves all the hardware-related events in the target OSX system.",
"value" : "Determine if a third party device was attached to the system."
},
"darwin_kernel_system_controls": {
"query": "select * from system_controls where subsystem = 'kern' and (name like '%boot%' or name like '%secure%' or name like '%single%');",
"interval": 7200,
"platform": "darwin",
"version": "1.4.3",
"description": "Double-check the information reported in kernel_info and report the kernel signature."
},
"iokit_devicetree": {
"query": "select * from iokit_devicetree;",
"interval": 86400,
"platform": "darwin",
"version": "1.3.0",
"description": "General inventory of IOKit's devices on OS X."
},
"efi_file_hashes": {
"query": "select file.path, uid, gid, mode, 0 as atime, mtime, ctime, md5, sha1, sha256 from (select * from file where path like '/System/Library/CoreServices/%.efi' union select * from file where path like '/System/Library/LaunchDaemons/com.apple%efi%') file join hash using (path);",
"interval": 7200,
"removed": false,
"version": "1.6.1",
"platform": "darwin",
"description": "Hash files related to EFI platform updates and EFI bootloaders on the primary boot partition. This does not hash bootloaders on the EFI/boot partition."
},
"kernel_extensions": {
"query" : "select * from kernel_extensions;",
"interval" : "7200",
"platform" : "darwin",
"version" : "1.4.5",
"description" : "Retrieves all the information about the current kernel extensions for the target OSX system."
},
"kernel_modules": {
"query" : "select * from kernel_modules;",
"interval" : "7200",
"platform" : "linux",
"version" : "1.4.5",
"description" : "Retrieves all the information for the current kernel modules in the target Linux system."
},
"windows_drivers": {
"query" : "select * from drivers;",
"interval" : "7200",
"platform" : "windows",
"version" : "2.2.0",
"description" : "Retrieves all the information for the current Windows drivers in the target Windows system."
},
"device_nodes": {
"query": "select file.path, uid, gid, mode, 0 as atime, mtime, ctime, block_size, mode, type from file where directory = '/dev/';",
"interval": "7200",
"platform": "posix",
"version": "1.6.0",
"description": "Inventory all 'device' nodes in /dev/."
}
}
}