{
"options": {
"enable_monitor": "true"
},
"list": [
"a"
],
"dictionary": {
"foo": "bar"
},
"packs": {
"foobar": {
"version": "1.5.0",
"queries": {
"kernel_modules": {
"query": "select * from kernel_modules;",
"interval": 3600
}
}
},
"foobar_with_files": {
"file_paths": {
"logs": [
"/dev/random"
]
},
"file_accesses": [
"logs",
"bar"
]
}
},
"schedule": {
"launchd": {
"query": "select * from launchd;",
"interval": 3600
}
},
"file_paths": {
"logs": [
"/dev/null"
],
"config_files": [
"/dev",
"/dev/zero"
]
},
"file_accesses": [
"logs"
],
"events": {
"environment_variables": [
"foo",
"bar"
]
},
"decorators": {
"load": [
"select version from osquery_info",
"select uuid as hostuuid from system_info",
"select 'test' as load_test"
],
"always": [
"select user as username from logged_in_users where user <> '' order by time limit 1;",
"select 'test' as always_test"
],
"interval": {
"60": [
"select 1 as one from time",
"select 'test' as internal_60_test"
],
"61": [
"select 'invalid' as invalid_interval_test"
]
}
},
"views" : {
"kernel_hashes" : "select hash.path as kernel_binary, version, hash.sha256 as sha256, hash.sha1 as sha1, hash.md5 as md5 from (select path || '/Contents/MacOS/' as directory, name, version from kernel_extensions) join hash using (directory)"
}
}