{
"options": {
"enable_monitor": "true"
},
"packs": {
"unrestricted_pack": {
"version": "1.5.0",
"queries": {
"process_events": {
"query": "select distinct path, cmdline, uid, euid, environment from process_events;",
"interval": 3600,
"version": "1.5.1-26",
"removed": false
}
},
"file_paths": {
"unrestricted_pack": [
"/unrestricted",
"/unrestricted/also"
]
}
},
"discovery_pack": {
"platform": "all",
"version": "1.5.0",
"discovery": [
"select pid from processes where name = 'foobar';"
],
"queries": {
"kernel_modules": {
"query": "select * from kernel_modules;",
"interval": 3600
},
"totally_fake": {
"query": "select * from kernel_modules;",
"interval": 3600,
"platform": "lol"
}
}
},
"fake_version_pack": {
"version": "9.9.9",
"queries": {}
},
"valid_discovery_pack": {
"discovery": [
"select * from osquery_info;"
],
"queries": {
"kernel_modules": {
"query": "select * from kernel_modules;",
"interval": 3600
}
}
},
"restricted_pack": {
"version": "9.9.9",
"platform": "none",
"shard": "1",
"file_paths": {
"restricted_pack": ["/restricted"]
}
}
},
"schedule": {
"launchd": {
"query": "select * from launchd;",
"interval": 3600
}
}
}