osquery.conf
{
"options": {
"logger_snapshot_event_type": "true",
"schedule_splay_percent": 10
},
"platform": "linux",
"schedule": {
"process_events":{
"query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';",
"interval": 10,
"description": "Process events collected from the audit framework"
},
"socket_events":{
"query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');",
"interval": 10,
"description": "Socket events collected from the audit framework"
},
"file_events": {
"query": "SELECT * FROM file_events;",
"interval": 10,
"description": "File events collected from file integrity monitoring",
"removed":false
},
"apt_sources": {
"query": "SELECT * FROM apt_sources;",
"interval": 86400,
"description": "Display apt package manager sources.",
"snapshot": true,
"platform": "ubuntu"
},
"authorized_keys": {
"query": "SELECT * FROM users CROSS JOIN authorized_keys USING (uid);",
"interval": 86400,
"description": "A line-delimited authorized_keys table."
},
"behavioral_reverse_shell": {
"query": "SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%';",
"interval": 600,
"description": "Find shell processes that have open sockets"
},
"cpu_time": {
"query": "SELECT * FROM cpu_time;",
"interval": 3600,
"description": "Displays information from the /proc/stat file about the time the CPU cores spent in different parts of the system"
},
"crontab": {
"query": "SELECT * FROM crontab;",
"interval": 3600,
"description": "Retrieves all the jobs scheduled in crontab in the target system."
},
"crontab_snapshot": {
"query": "SELECT * FROM crontab;",
"interval": 86400,
"description": "Retrieves all the jobs scheduled in crontab in the target system.",
"snapshot": true
},
"deb_packages": {
"query": "SELECT * FROM deb_packages;",
"interval": 86400,
"description": "Display all installed DEB packages",
"snapshot": true,
"platform": "ubuntu"
},
"dns_resolvers": {
"query": "SELECT * FROM dns_resolvers;",
"interval": 3600,
"description": "DNS resolvers used by the host"
},
"ec2_instance_metadata": {
"query": "SELECT * FROM ec2_instance_metadata;",
"interval": 3600,
"description": "Retrieve the EC2 metadata for this endpoint"
},
"ec2_instance_metadata_snapshot": {
"query": "SELECT * FROM ec2_instance_metadata;",
"interval": 86400,
"description": "Snapshot query to retrieve the EC2 metadata for this endpoint",
"snapshot": true
},
"ec2_instance_tags": {
"query": "SELECT * FROM ec2_instance_tags;",
"interval": 3600,
"description": "Retrieve the EC2 tags for this endpoint"
},
"ec2_instance_tags_snapshot": {
"query": "SELECT * FROM ec2_instance_tags;",
"interval": 86400,
"description": "Snapshot query to retrieve the EC2 tags for this instance",
"snapshot": true
},
"etc_hosts": {
"query": "SELECT * FROM etc_hosts;",
"interval": 3600,
"description": "Retrieves all the entries in the target system's /etc/hosts file."
},
"etc_hosts_snapshot": {
"query": "SELECT * FROM etc_hosts;",
"interval": 86400,
"description": "Retrieves all the entries in the target system's /etc/hosts file.",
"snapshot": true
},
"hardware_events": {
"query": "SELECT * FROM hardware_events;",
"interval": 10,
"removed":false
},
"iptables": {
"query": "SELECT * FROM iptables;",
"interval": 86400,
"platform": "linux",
"description": "Retrieves the current filters and chains per filter in the target system."
},
"kernel_info": {
"query": "SELECT * FROM kernel_info;",
"interval": 86400,
"description": "Retrieves information from the current kernel in the target system.",
"snapshot": true
},
"kernel_integrity": {
"query": "SELECT * FROM kernel_integrity;",
"interval": 86400,
"description": "Various Linux kernel integrity-checked attributes."
},
"kernel_modules": {
"query": "SELECT * FROM kernel_modules;",
"interval": 3600,
"description": "Linux kernel modules both loaded and within the load search path."
},
"kernel_modules_snapshot": {
"query": "SELECT * FROM kernel_modules;",
"interval": 86400,
"description": "Linux kernel modules both loaded and within the load search path.",
"snapshot": true
},
"last": {
"query": "SELECT * FROM last;",
"interval": 3600,
"description": "Retrieves the list of the latest logins with PID, username and timestamp."
},
"ld_preload": {
"query": "SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, processes.path, processes.cmdline, processes.cwd FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD';",
"interval": 60,
"description": "Any processes that run with an LD_PRELOAD environment variable",
"snapshot": true
},
"ld_so_preload_exists": {
"query": "SELECT * FROM file WHERE path='/etc/ld.so.preload' AND path!='';",
"interval": 3600,
"description": "Generates an event if ld.so.preload is present - used by rootkits such as Jynx",
"snapshot": true
},
"listening_ports": {
"query": "SELECT pid, port, processes.path, cmdline, cwd FROM listening_ports JOIN processes USING (pid) WHERE port!=0;",
"interval": 86400,
"description": "Gather information about processes that are listening on a socket.",
"snapshot": true
},
"memory_info": {
"query": "SELECT * FROM memory_info;",
"interval": 3600,
"description": "Information about memory usage on the system"
},
"mounts": {
"query": "SELECT device, device_alias, path, type, blocks_size, flags FROM mounts;",
"interval": 86400,
"description": "Retrieves the current list of mounted drives in the target system."
},
"network_interfaces_snapshot": {
"query": "SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface);",
"interval": 600,
"description": "Record the network interfaces and their associated IP and MAC addresses",
"snapshot": true
},
"os_version": {
"query": "SELECT * FROM os_version;",
"interval": 86400,
"description": "Retrieves information from the Operating System where osquery is currently running.",
"snapshot": true
},
"osquery_info": {
"query": "SELECT * FROM osquery_info;",
"interval": 86400,
"description": "Information about the running osquery configuration",
"snapshot": true
},
"processes_snapshot": {
"query": "select name, path, cmdline, cwd, on_disk from processes;",
"interval": 86400,
"description": "A snapshot of all processes running on the host. Useful for outlier analysis.",
"snapshot": true
},
"rpm_packages": {
"query": "SELECT name, version, release, arch FROM rpm_packages;",
"interval": 86400,
"description": "Display all installed RPM packages",
"snapshot": true,
"platform": "centos"
},
"runtime_perf": {
"query": "SELECT ov.version AS os_version, ov.platform AS os_platform, ov.codename AS os_codename, i.*, p.resident_size, p.user_time, p.system_time, time.minutes AS counter, db.db_size_mb AS database_size from osquery_info i, os_version ov, processes p, time, (SELECT (SUM(size) / 1024) / 1024.0 AS db_size_mb FROM (SELECT value FROM osquery_flags WHERE name = 'database_path' LIMIT 1) flags, file WHERE path LIKE flags.value || '%%' AND type = 'regular') db WHERE p.pid = i.pid;",
"interval": 1800,
"description": "Records system/user time, db size, and many other system metrics"
},
"shell_history": {
"query": "SELECT * FROM users CROSS JOIN shell_history USING (uid);",
"interval": 3600,
"description": "Record shell history for all users on the system (instead of just root)"
},
"suid_bin": {
"query": "SELECT * FROM suid_bin;",
"interval": 86400,
"description": "Display any SUID binaries that are owned by root"
},
"system_info": {
"query": "SELECT * FROM system_info;",
"interval": 86400,
"description": "Information about the system hardware and name",
"snapshot": true
},
"usb_devices": {
"query": "SELECT * FROM usb_devices;",
"interval": 120,
"description": "Retrieves the current list of USB devices in the target system."
},
"user_ssh_keys": {
"query": "SELECT * FROM users CROSS JOIN user_ssh_keys USING (uid);",
"interval": 86400,
"description": "Returns the private keys in the users' ~/.ssh directories and whether or not they are encrypted"
},
"users": {
"query": "SELECT * FROM users;",
"interval": 86400,
"description": "Local system users."
},
"users_snapshot": {
"query": "SELECT * FROM users;",
"interval": 86400,
"description": "Local system users.",
"snapshot": true
},
"yum_sources": {
"query": "SELECT name, baseurl, enabled, gpgcheck FROM yum_sources;",
"interval": 86400,
"description": "Display yum package manager sources",
"snapshot": true,
"platform": "centos"
}
},
"file_paths": {
"configuration": [
"/etc/passwd",
"/etc/shadow",
"/etc/ld.so.preload",
"/etc/ld.so.conf",
"/etc/ld.so.conf.d/%%",
"/etc/pam.d/%%",
"/etc/resolv.conf",
"/etc/rc%/%%",
"/etc/my.cnf",
"/etc/modules",
"/etc/hosts",
"/etc/hostname",
"/etc/fstab",
"/etc/crontab",
"/etc/cron%/%%",
"/etc/init/%%",
"/etc/rsyslog.conf"
],
"binaries": [
"/usr/bin/%%",
"/usr/sbin/%%",
"/bin/%%",
"/sbin/%%",
"/usr/local/bin/%%",
"/usr/local/sbin/%%"
]
},
"events": {
"disable_subscribers": ["user_events"]
},
"packs": {
"ossec-rootkit": "/etc/osquery/packs/ossec-rootkit.conf"
}
}