-
Notifications
You must be signed in to change notification settings - Fork 129
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
artif: add osquery.yaml which includes 17 custom queries relevant to …
…linux live response
- Loading branch information
1 parent
bdb96c1
commit a9af5a4
Showing
1 changed file
with
105 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,105 @@ | ||
| version: 1.0 | ||
| output_directory: /osquery | ||
| artifacts: | ||
| - | ||
| description: Collect local users in json format | ||
| supported_os: [linux] | ||
| collector: command | ||
| command: osqueryi --json 'SELECT * FROM users;' | ||
| output_file: users.json | ||
| - | ||
| description: Collect rpm packages in json format | ||
| supported_os: [linux] | ||
| collector: command | ||
| command: osqueryi --json 'SELECT * FROM rpm_packages;' | ||
| output_file: rpm_packages.json | ||
| - | ||
| description: Collect processes in json format | ||
| supported_os: [linux] | ||
| collector: command | ||
| command: osqueryi --json 'SELECT p.path, p.name, p.cmdline, p.on_disk, p.uid, u.username, h.md5, h.sha1, h.sha256 FROM processes AS p LEFT JOIN hash AS h ON p.path = h.path LEFT JOIN users AS u ON p.uid = u.uid;' | ||
| output_file: processes.json | ||
| - | ||
| description: Collect startup items in json format | ||
| supported_os: [linux] | ||
| collector: command | ||
| command: osqueryi --json 'SELECT * FROM startup_items;' | ||
| output_file: startup_items.json | ||
| - | ||
| description: Collect systemd units in json format | ||
| supported_os: [linux] | ||
| collector: command | ||
| command: osqueryi --json 'SELECT * FROM systemd_units;' | ||
| output_file: systemd_units.json | ||
| - | ||
| description: Collect crontab in json format | ||
| supported_os: [linux] | ||
| collector: command | ||
| command: osqueryi --json 'SELECT * FROM crontab;' | ||
| output_file: crontab.json | ||
| - | ||
| description: Collect etc_hosts in json format | ||
| supported_os: [linux] | ||
| collector: command | ||
| command: osqueryi --json 'SELECT * FROM etc_hosts;' | ||
| output_file: etc_hosts.json | ||
| - | ||
| description: Collect kernel modules in json format | ||
| supported_os: [linux] | ||
| collector: command | ||
| command: osqueryi --json 'SELECT * FROM kernel_modules;' | ||
| output_file: kernel_modules.json | ||
| - | ||
| description: Collect mounts in json format | ||
| supported_os: [linux] | ||
| collector: command | ||
| command: osqueryi --json 'SELECT * FROM mounts;' | ||
| output_file: mounts.json | ||
| - | ||
| description: Collect suid bin in json format | ||
| supported_os: [linux] | ||
| collector: command | ||
| command: osqueryi --json 'SELECT * FROM suid_bin;' | ||
| output_file: suid_bin.json | ||
| - | ||
| description: Collect process memory map in json format | ||
| supported_os: [linux] | ||
| collector: command | ||
| command: osqueryi --json 'SELECT * FROM process_memory_map;' | ||
| output_file: process_memory_map.json | ||
| - | ||
| description: Collect arp cache in json format | ||
| supported_os: [linux] | ||
| collector: command | ||
| command: osqueryi --json 'SELECT * FROM arp_cache;' | ||
| output_file: arp_cache.json | ||
| - | ||
| description: Collect yum sources in json format | ||
| supported_os: [linux] | ||
| collector: command | ||
| command: osqueryi --json 'SELECT * FROM yum_sources;' | ||
| output_file: yum_sources.json | ||
| - | ||
| description: Collect dns resolvers in json format | ||
| supported_os: [linux] | ||
| collector: command | ||
| command: osqueryi --json 'SELECT * FROM dns_resolvers;' | ||
| output_file: dns_resolvers.json | ||
| - | ||
| description: Collect process open sockets in json format | ||
| supported_os: [linux] | ||
| collector: command | ||
| command: osqueryi --json 'SELECT DISTINCT p.pid, p.name AS process_name, p.cmdline AS command_line, p.uid AS user_id, u.username AS username, s.local_address, s.local_port, s.remote_address, s.remote_port, s.path FROM process_open_sockets AS s LEFT JOIN processes AS p ON s.pid = p.pid LEFT JOIN users AS u ON p.uid = u.uid;' | ||
| output_file: process_open_sockets.json | ||
| - | ||
| description: Collect process open files in json format | ||
| supported_os: [linux] | ||
| collector: command | ||
| command: osqueryi --json 'SELECT DISTINCT o.path AS file, o.pid, p.name AS process_name, p.cmdline, p.uid, u.username FROM process_open_files AS o LEFT JOIN processes AS p ON o.pid = p.pid LEFT JOIN users AS u ON p.uid = u.uid;' | ||
| output_file: process_open_files.json | ||
| - | ||
| description: Collect authorized keys in json format | ||
| supported_os: [linux] | ||
| collector: command | ||
| command: osqueryi --json 'SELECT a.key_file, a.key, a.algorithm, u.uid, u.username FROM authorized_keys AS a LEFT JOIN users AS u ON u.uid = a.uid;' | ||
| output_file: authorized_keys.json |