-
Notifications
You must be signed in to change notification settings - Fork 121
/
osquery.conf
executable file
·315 lines (315 loc) · 14.1 KB
/
osquery.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
{
"options": {
"logger_snapshot_event_type": "true",
"schedule_splay_percent": 10
},
"platform": "darwin",
"schedule": {
"authorized_keys": {
"query": "SELECT * FROM users CROSS JOIN authorized_keys USING (uid);",
"interval": 28800,
"description": "List authorized_keys for each user on the system"
},
"boot_efi_hash": {
"query": "SELECT path, md5 FROM hash WHERE path='/System/Library/CoreServices/boot.efi';",
"interval": 28800,
"description": "MD5 hash of boot.efi"
},
"browser_plugins": {
"query": "SELECT * FROM users CROSS JOIN browser_plugins USING (uid);",
"interval": 3600,
"description": "All C/NPAPI browser plugin details for all users."
},
"chrome_extensions": {
"query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);",
"interval": 3600,
"description": "List installed Chrome Extensions for all users"
},
"chrome_extensions_snapshot": {
"query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);",
"interval": 28800,
"description": "Snapshot query for Chrome extensions"
},
"crashes": {
"query": "SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path FROM users JOIN crashes USING (uid);",
"interval": 3600,
"description": "Application, System, and Mobile App crash logs.",
"removed": false
},
"crontab": {
"query": "SELECT * FROM crontab;",
"interval": 3600,
"description": "Line parsed values from system and user cron/tab."
},
"disk_encryption_snapshot": {
"query": "SELECT * FROM disk_encryption;",
"interval": 28800,
"description": "Disk encryption status and information.",
"snapshot": true
},
"disk_free_space_pct": {
"query": "SELECT (blocks_available * 100 / blocks) AS pct FROM mounts WHERE device='/dev/disk1s1';",
"interval": 3600,
"description": "Displays the percentage of free space available on the primary disk partition",
"snapshot": true
},
"efigy": {
"query": "SELECT * FROM efigy;",
"interval": 28800,
"description": "Determine if the host is running the expected EFI firmware version given their Mac hardware and OS build version (https://github.com/duo-labs/EFIgy)",
"snapshot": true
},
"emond": {
"query": "SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%' AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6' AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5' AND sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND sha256!='') OR (path LIKE '/private/var/db/emondClients/%');",
"interval": 3600,
"description": "Query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)"
},
"emond_snapshot": {
"query": "SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%' AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6' AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5' AND sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND sha256!='') OR (path LIKE '/private/var/db/emondClients/%');",
"interval": 28800,
"description": "Snapshot query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)",
"snapshot": true
},
"etc_hosts": {
"query": "SELECT * FROM etc_hosts;",
"interval": 28800,
"description": "List the contents of /etc/hosts"
},
"event_taps": {
"query": "SELECT * FROM event_taps INNER JOIN processes ON event_taps.tapping_process = processes.pid WHERE event_tapped NOT LIKE '%mouse%' AND processes.path NOT IN ('/usr/libexec/airportd', '/usr/sbin/universalaccessd') AND processes.path NOT LIKE '/System/Library/%' AND processes.path NOT LIKE '%/steamapps/%' AND processes.path NOT LIKE '%.app%' AND event_taps.enabled=1;",
"interval": 300,
"description": "Returns information about installed event taps. Can be used to detect keyloggers"
},
"file_events": {
"query": "SELECT * FROM file_events;",
"interval": 300,
"removed": false,
"description": "Track time/action changes to files specified in configuration data."
},
"firefox_addons": {
"query": "SELECT * FROM users CROSS JOIN firefox_addons USING (uid);",
"interval": 3600,
"description": "List installed Firefox addons for all users"
},
"hardware_events": {
"query": "SELECT * FROM hardware_events;",
"interval": 300,
"description": "Hardware (PCI/USB/HID) events from UDEV or IOKit.",
"removed": false
},
"homebrew_packages": {
"query": "SELECT * FROM homebrew_packages;",
"interval": 3600,
"description": "The installed homebrew package database."
},
"homebrew_packages_snapshot": {
"query": "SELECT name, version FROM homebrew_packages;",
"interval": 28800,
"description": "The installed homebrew package database.",
"snapshot": true
},
"installed_applications": {
"query": "SELECT * FROM apps;",
"interval": 3600,
"description": "OS X applications installed in known search paths (e.g., /Applications)."
},
"installed_applications_snapshot": {
"query": "SELECT name, path, bundle_short_version, bundle_version, display_name FROM apps;",
"interval": 28800,
"description": "Snapshot query for installed_applications",
"snapshot": true
},
"ip_forwarding_enabled": {
"query": "SELECT * FROM system_controls WHERE name LIKE '%forwarding%' AND name LIKE '%ip%' AND current_value=1;",
"interval": 28800,
"description": "Discover hosts that have IP forwarding enabled",
"removed": false
},
"last": {
"query": "SELECT * FROM last;",
"interval": 3600,
"description": "System logins and logouts.",
"removed": false
},
"launchd": {
"query": "SELECT * FROM launchd;",
"interval": 3600,
"description": "LaunchAgents and LaunchDaemons from default search paths."
},
"launchd_snapshot": {
"query": "SELECT path, name, label, program, run_at_load, program_arguments FROM launchd WHERE run_at_load=1;",
"interval": 28800,
"description": "Snapshot query for launchd",
"snapshot": true
},
"ld_preload": {
"query": "SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, processes.path, processes.cmdline, processes.cwd FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD';",
"interval": 60,
"description": "Detect the presence of the LD_PRELOAD environment variable",
"removed": false
},
"macosx_kextstat": {
"query": "SELECT kernel_extensions.idx, kernel_extensions.refs, kernel_extensions.size, kernel_extensions.name, kernel_extensions.version, kernel_extensions.linked_against, kernel_extensions.path, signature.signed, signature.identifier, signature.cdhash, signature.team_identifier, signature.authority, hash.md5 FROM hash JOIN kernel_extensions ON hash.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature ON signature.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE signature.authority!='Software Signing';",
"interval": 3600,
"description": "List kernel extensions, their signing status, and their hashes (excluding extensions signed by Apple)"
},
"macosx_kextstat_snapshot": {
"query": "SELECT kernel_extensions.name, kernel_extensions.version, kernel_extensions.path, signature.signed, signature.identifier, signature.cdhash, signature.team_identifier, signature.authority, hash.md5 FROM hash JOIN kernel_extensions ON hash.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature ON signature.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE signature.authority!='Software Signing';",
"interval": 28800,
"description": "Snapshot query for macosx_kextstat",
"snapshot": true
},
"mounts": {
"query": "SELECT device, device_alias, path, type, blocks_size FROM mounts;",
"interval": 3600,
"description": "System mounted devices and filesystems (not process specific).",
"removed": false
},
"network_interfaces_snapshot": {
"query": "SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface);",
"interval": 600,
"description": "Retrieve the interface name, IP address, and MAC address for all interfaces on the host.",
"snapshot": true
},
"nfs_shares": {
"query": "SELECT * FROM nfs_shares;",
"interval": 3600,
"description": "NFS shares exported by the host.",
"removed": false
},
"nvram": {
"query": "SELECT * FROM nvram;",
"interval": 3600,
"description": "Apple NVRAM variable listing.",
"removed": false
},
"os_version": {
"query": "SELECT * FROM os_version;",
"interval": 28800,
"description": "List the version of the resident operating system"
},
"os_version_snapshot": {
"query": "SELECT * FROM os_version;",
"interval": 28800,
"description": "Operating system version snapshot query",
"snapshot": true
},
"osquery_info": {
"query": "SELECT * FROM osquery_info;",
"interval": 28800,
"description": "Information about the resident osquery process",
"snapshot": true
},
"platform_info": {
"query": "SELECT * FROM platform_info;",
"interval": 28800,
"description": "Information about EFI/UEFI/ROM and platform/boot.",
"removed": false
},
"platform_info_snapshot": {
"query": "SELECT vendor, version, date, revision from platform_info;",
"interval": 28800,
"description": "Platform info snapshot query"
},
"python_packages": {
"query": "SELECT * FROM python_packages;",
"interval": 3600,
"description": "Python packages installed in a system."
},
"rc.common": {
"query": "SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9' and md5!='';",
"interval": 3600,
"description": "Checks the MD5 hash of /etc/rc.common and records the results if the hash differs from the default value. /etc/rc.common can be used for persistence."
},
"rc.common_snapshot": {
"query": "SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9' and md5!='';",
"interval": 28800,
"description": "Checks the MD5 hash of /etc/rc.common and records the results if the hash differs from the default value. /etc/rc.common can be used for persistence.",
"snapshot": true
},
"safari_extensions": {
"query": "SELECT * FROM users CROSS JOIN safari_extensions USING (uid);",
"interval": 3600,
"description": "Safari browser extension details for all users."
},
"sip_config": {
"query": "SELECT * FROM sip_config;",
"interval": 3600,
"description": "Apple's System Integrity Protection (rootless) status."
},
"startup_items": {
"query": "SELECT * FROM startup_items;",
"interval": 3600,
"description": "Applications and binaries set as user/login startup items."
},
"suid_bin": {
"query": "SELECT * FROM suid_bin;",
"interval": 28800,
"description": "suid binaries in common locations.",
"removed": false
},
"uptime": {
"query": "SELECT * FROM uptime;",
"interval": 1800,
"description": "System uptime",
"snapshot": true
},
"usb_devices": {
"query": "SELECT * FROM usb_devices;",
"interval": 300,
"description": "USB devices that are actively plugged into the host system."
},
"user_ssh_keys": {
"query": "SELECT * FROM users JOIN user_ssh_keys USING (uid);",
"interval": 3600,
"description": "Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted.",
"removed": false
},
"users": {
"query": "SELECT * FROM users;",
"interval": 28800,
"description": "Local system users."
},
"users_snapshot": {
"query": "SELECT * FROM users;",
"interval": 28800,
"description": "Local system users."
},
"wifi_status_snapshot": {
"query": "SELECT * FROM wifi_status;",
"interval": 28800,
"description": "Shows information about the wifi network that a host is currently connected to.",
"snapshot": true
},
"wireless_networks": {
"query": "SELECT ssid, network_name, security_type, last_connected, captive_portal, possibly_hidden, roaming, roaming_profile FROM wifi_networks;",
"interval": 28800,
"description": "OS X known/remembered Wi-Fi networks list.",
"removed": false
}
},
"packs": {
"osx-attacks": "/var/osquery/packs/osx-attacks.conf",
"performance-metrics": "/var/osquery/packs/performance-metrics.conf",
"security-tooling-checks": "/var/osquery/packs/security-tooling-checks.conf",
"unwanted-chrome-extensions": "/var/osquery/packs/unwanted-chrome-extensions.conf"
},
"file_paths": {
"configuration": [
"/etc/%%"
],
"binaries": [
"/usr/bin/%%",
"/usr/sbin/%%",
"/bin/%%",
"/sbin/%%",
"/usr/local/bin/%%",
"/usr/local/sbin/%%",
"/opt/bin/%%",
"/opt/sbin/%%"
],
"efi": [
"/System/Library/CoreServices/boot.efi"
]
}
}