mirror of
https://github.com/valitydev/osquery-1.git
synced 2024-11-06 17:45:22 +00:00
146 lines
7.3 KiB
Plaintext
146 lines
7.3 KiB
Plaintext
{
|
|
"queries": {
|
|
"kernel_info": {
|
|
"query" : "select * from kernel_info;",
|
|
"interval" : "86400",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves information from the current kernel in the target system.",
|
|
"value" : "Kernel version can tell you vulnerabilities based on the version"
|
|
},
|
|
"os_version": {
|
|
"query" : "select * from os_version;",
|
|
"interval" : "86400",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves the current version of the running osquery in the target system and where the configuration was loaded from.",
|
|
"value" : "OS version will tell which distribution the OS is running on, allowing to detect the main distribution"
|
|
},
|
|
"kextstat": {
|
|
"query" : "select * from kernel_extensions;",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves all the information about the current kernel extensions for the target OSX system.",
|
|
"value" : "Only for OS X. It may pinpoint inserted modules that can carry malicious payloads."
|
|
},
|
|
"kernel_modules": {
|
|
"query" : "select * from kernel_modules;",
|
|
"interval" : "86400",
|
|
"platform" : "linux",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves all the information for the current kernel modules in the target Linux system.",
|
|
"value" : "Only for Linux. It may pinpoint inserted modules that can carry malicious payloads."
|
|
},
|
|
"installed_applications": {
|
|
"query" : "select * from apps;",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves all the currently installed applications in the target OSX system.",
|
|
"value" : "This, with the help of a vulnerability feed, can help tell if a vulnerable application is installed."
|
|
},
|
|
"browser_plugins": {
|
|
"query" : "select browser_plugins.* from users join browser_plugins using (uid);",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.6.1",
|
|
"description" : "Retrieves the list of C/NPAPI browser plugins in the target system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"safari_extensions": {
|
|
"query" : "select safari_extensions.* from users join safari_extensions using (uid);",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.6.1",
|
|
"description" : "Retrieves the list of extensions for Safari in the target system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"opera_extensions": {
|
|
"query" : "select opera_extensions.* from users join opera_extensions using (uid);",
|
|
"interval" : "86400",
|
|
"platform" : "posix",
|
|
"version" : "1.6.1",
|
|
"description" : "Retrieves the list of extensions for Opera in the target system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"chrome_extensions": {
|
|
"query" : "select chrome_extensions.* from users join chrome_extensions using (uid);",
|
|
"interval" : "86400",
|
|
"version" : "1.6.1",
|
|
"description" : "Retrieves the list of extensions for Chrome in the target system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"firefox_addons": {
|
|
"query" : "select firefox_addons.* from users join firefox_addons using (uid);",
|
|
"interval" : "86400",
|
|
"platform" : "posix",
|
|
"version" : "1.6.1",
|
|
"description" : "Retrieves the list of addons for Firefox in the target system.",
|
|
"value" : "General security posture."
|
|
},
|
|
"homebrew_packages": {
|
|
"query" : "select * from homebrew_packages;",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves the list of brew packages installed in the target OSX system.",
|
|
"value" : "This, with the help of a vulnerability feed, can help tell if a vulnerable application is installed."
|
|
},
|
|
"package_receipts": {
|
|
"query" : "select * from package_receipts;",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves all the PKG related information stored in OSX.",
|
|
"value" : "It could give you a trail of installed/deleted packages"
|
|
},
|
|
"deb_packages": {
|
|
"query" : "select * from deb_packages;",
|
|
"interval" : "86400",
|
|
"platform" : "linux",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves all the installed DEB packages in the target Linux system.",
|
|
"value" : "This, with the help of vulnerability feed, can help tell if a vulnerable application is installed."
|
|
},
|
|
"apt_sources": {
|
|
"query" : "select * from apt_sources;",
|
|
"interval" : "86400",
|
|
"platform" : "linux",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves all the APT sources to install packages from in the target Linux system.",
|
|
"value" : "In the future this may not have a lot of value as we expect to have installed only signed packages"
|
|
},
|
|
"portage_packages": {
|
|
"query" : "select * from portage_packages;",
|
|
"interval" : "86400",
|
|
"platform" : "linux",
|
|
"version" : "2.0.0",
|
|
"description" : "Retrieves all the installed packages on the target Linux system.",
|
|
"value" : "This, with the help of vulnerability feed, can help tell if a vulnerable application is installed."
|
|
},
|
|
"rpm_packages": {
|
|
"query" : "select * from rpm_packages;",
|
|
"interval" : "86400",
|
|
"platform" : "linux",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves all the installed RPM packages in the target Linux system.",
|
|
"value" : "This, with the help of vulnerability feed, can help tell if a vulnerable application is installed."
|
|
},
|
|
"unauthenticated_sparkle_feeds": {
|
|
"query" : "select feeds.*, p2.value as sparkle_version from (select a.name as app_name, a.path as app_path, a.bundle_identifier as bundle_id, p.value as feed_url from (select name, path, bundle_identifier from apps) a, plist p where p.path = a.path || '/Contents/Info.plist' and p.key = 'SUFeedURL' and feed_url like 'http://%') feeds left outer join plist p2 on p2.path = app_path || '/Contents/Frameworks/Sparkle.framework/Resources/Info.plist' where (p2.key = 'CFBundleShortVersionString' OR coalesce(p2.key, '') = '');",
|
|
"interval" : "86400",
|
|
"platform" : "darwin",
|
|
"version" : "1.4.5",
|
|
"description" : "Retrieves all application bundles using unauthenticated Sparkle update feeds. See (https://vulnsec.com/2016/osx-apps-vulnerabilities/) for details.",
|
|
"value" : "Tracking vulnerable applications updates may allow blocking of DNS or removal by BundleID."
|
|
},
|
|
"backdoored_python_packages": {
|
|
"query" : "select name as package_name, version as package_version, path as package_path from python_packages where package_name = 'acqusition' or package_name = 'apidev-coop' or package_name = 'bzip' or package_name = 'crypt' or package_name = 'django-server' or package_name = 'pwd' or package_name = 'setup-tools' or package_name = 'telnet' or package_name = 'urlib3' or package_name = 'urllib';",
|
|
"interval" : "86400",
|
|
"platform" : "posix",
|
|
"version" : "1.4.5",
|
|
"description" : "Watches for the backdoored Python packages installed on system. See (http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html)",
|
|
"value" : "Gives some assurances that no bad Python packages are installed on the system."
|
|
}
|
|
}
|
|
}
|