CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-16 22:12:48 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fleet Module - Adding some Rule Packs

Browse Source
This commit is contained in:
Mike Reeves
2019-01-24 10:41:40 -05:00
parent 49357f4947
commit ff900d1dc6
13 changed files with 3126 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

694
salt/fleet/packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml Normal file
View File

@@ -0,0 +1,694 @@
---
apiVersion: v1
kind: pack
spec:
name: mac-pack
queries:
- description: 'Query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/
which can be used for persistence: (https://www.xorrior.com/emond-persistence/)'
interval: 3600
name: emond
platform: darwin
query: emond
- description: 'Snapshot query to monitor files for changes inside of /etc/emon.d/
or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)'
interval: 28800
name: emond_snapshot
platform: darwin
query: emond_snapshot
snapshot: true
- description: Track time/action changes to files specified in configuration data.
interval: 300
name: file_events
platform: darwin
query: file_events
removed: false
- description: The installed homebrew package database.
interval: 28800
name: homebrew_packages_snapshot
platform: darwin
query: homebrew_packages_snapshot
snapshot: true
- description: List kernel extensions, their signing status, and their hashes (excluding
extensions signed by Apple)
interval: 3600
name: macosx_kextstat
platform: darwin
query: macosx_kextstat
- description: Checks the MD5 hash of /etc/rc.common and records the results if
the hash differs from the default value. /etc/rc.common can be used for persistence.
interval: 3600
name: rc.common
platform: darwin
query: rc.common
- description: Returns information about installed event taps. Can be used to detect
keyloggers
interval: 300
name: event_taps
platform: darwin
query: event_taps
- description: LaunchAgents and LaunchDaemons from default search paths.
interval: 3600
name: launchd
platform: darwin
query: launchd
- description: Snapshot query for launchd
interval: 28800
name: launchd_snapshot
platform: darwin
query: launchd_snapshot
snapshot: true
- description: Detect the presence of the LD_PRELOAD environment variable
interval: 60
name: ld_preload
platform: darwin
query: ld_preload
removed: false
- description: USB devices that are actively plugged into the host system.
interval: 300
name: usb_devices
platform: darwin
query: usb_devices
- description: System mounted devices and filesystems (not process specific).
interval: 3600
name: mounts
platform: darwin
query: mounts
removed: false
- description: Apple NVRAM variable listing.
interval: 3600
name: nvram
platform: darwin
query: nvram
removed: false
- description: Line parsed values from system and user cron/tab.
interval: 3600
name: crontab
platform: darwin
query: crontab
- description: Hardware (PCI/USB/HID) events from UDEV or IOKit.
interval: 300
name: hardware_events
platform: darwin
query: hardware_events
removed: false
- description: The installed homebrew package database.
interval: 3600
name: homebrew_packages
platform: darwin
query: homebrew_packages
- description: OS X applications installed in known search paths (e.g., /Applications).
interval: 3600
name: installed_applications
platform: darwin
query: installed_applications
- description: System logins and logouts.
interval: 3600
name: last
platform: darwin
query: last
removed: false
- description: Snapshot query for macosx_kextstat
interval: 28800
name: macosx_kextstat_snapshot
platform: darwin
query: macosx_kextstat_snapshot
snapshot: true
- description: Checks the MD5 hash of /etc/rc.common and records the results if
the hash differs from the default value. /etc/rc.common can be used for persistence.
interval: 28800
name: rc.common_snapshot
platform: darwin
query: rc.common_snapshot
snapshot: true
- description: Safari browser extension details for all users.
interval: 3600
name: safari_extensions
platform: darwin
query: safari_extensions
- description: suid binaries in common locations.
interval: 28800
name: suid_bin
platform: darwin
query: suid_bin
removed: false
- description: Local system users.
interval: 28800
name: users
platform: darwin
query: users
- description: List authorized_keys for each user on the system
interval: 28800
name: authorized_keys
platform: darwin
query: authorized_keys
- description: Application, System, and Mobile App crash logs.
interval: 3600
name: crashes
platform: darwin
query: crashes
removed: false
- description: Displays the percentage of free space available on the primary disk
partition
interval: 3600
name: disk_free_space_pct
platform: darwin
query: disk_free_space_pct
snapshot: true
- description: Retrieve the interface name, IP address, and MAC address for all
interfaces on the host.
interval: 600
name: network_interfaces_snapshot
platform: darwin
query: network_interfaces_snapshot
snapshot: true
- description: Information about EFI/UEFI/ROM and platform/boot.
interval: 28800
name: platform_info
platform: darwin
query: platform_info
removed: false
- description: System uptime
interval: 1800
name: uptime
platform: darwin
query: uptime
snapshot: true
- description: MD5 hash of boot.efi
interval: 28800
name: boot_efi_hash
platform: darwin
query: boot_efi_hash
- description: Snapshot query for Chrome extensions
interval: 28800
name: chrome_extensions_snapshot
platform: darwin
query: chrome_extensions_snapshot
- description: Snapshot query for installed_applications
interval: 28800
name: installed_applications_snapshot
platform: darwin
query: installed_applications_snapshot
snapshot: true
- description: NFS shares exported by the host.
interval: 3600
name: nfs_shares
platform: darwin
query: nfs_shares
removed: false
- description: List the version of the resident operating system
interval: 28800
name: os_version
platform: darwin
query: os_version
- description: Applications and binaries set as user/login startup items.
interval: 3600
name: startup_items
platform: darwin
query: startup_items
- description: All C/NPAPI browser plugin details for all users.
interval: 3600
name: browser_plugins
platform: darwin
query: browser_plugins
- description: List installed Firefox addons for all users
interval: 3600
name: firefox_addons
platform: darwin
query: firefox_addons
- description: Discover hosts that have IP forwarding enabled
interval: 28800
name: ip_forwarding_enabled
platform: darwin
query: ip_forwarding_enabled
removed: false
- description: Platform info snapshot query
interval: 28800
name: platform_info_snapshot
platform: darwin
query: platform_info_snapshot
- description: Python packages installed in a system.
interval: 3600
name: python_packages
platform: darwin
query: python_packages
- description: List installed Chrome Extensions for all users
interval: 3600
name: chrome_extensions
platform: darwin
query: chrome_extensions
- description: Disk encryption status and information.
interval: 3600
name: disk_encryption
platform: darwin
query: disk_encryption
- description: Local system users.
interval: 28800
name: users_snapshot
platform: darwin
query: users_snapshot
- description: OS X known/remembered Wi-Fi networks list.
interval: 28800
name: wireless_networks
platform: darwin
query: wireless_networks
removed: false
- description: Determine if the host is running the expected EFI firmware version
given their Mac hardware and OS build version (https://github.com/duo-labs/EFIgy)
interval: 28800
name: efigy
platform: darwin
query: efigy
snapshot: true
- description: List the contents of /etc/hosts
interval: 28800
name: etc_hosts
platform: darwin
query: etc_hosts
- description: Operating system version snapshot query
interval: 28800
name: os_version_snapshot
platform: darwin
query: os_version_snapshot
snapshot: true
- description: Information about the resident osquery process
interval: 28800
name: osquery_info
platform: darwin
query: osquery_info
snapshot: true
- description: Apple's System Integrity Protection (rootless) status.
interval: 3600
name: sip_config
platform: darwin
query: sip_config
- description: Returns the private keys in the users ~/.ssh directory and whether
or not they are encrypted.
interval: 3600
name: user_ssh_keys
platform: darwin
query: user_ssh_keys
removed: false
targets:
labels: null
---
apiVersion: v1
kind: query
spec:
description: 'Query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/
which can be used for persistence: (https://www.xorrior.com/emond-persistence/)'
name: emond
query: SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%'
AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6'
AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5'
AND sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND
sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND
sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND
sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND
sha256!='') OR (path LIKE '/private/var/db/emondClients/%');
---
apiVersion: v1
kind: query
spec:
description: 'Snapshot query to monitor files for changes inside of /etc/emon.d/
or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)'
name: emond_snapshot
query: SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%'
AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6'
AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5'
AND sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND
sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND
sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND
sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND
sha256!='') OR (path LIKE '/private/var/db/emondClients/%');
---
apiVersion: v1
kind: query
spec:
description: Track time/action changes to files specified in configuration data.
name: file_events
query: SELECT * FROM file_events;
---
apiVersion: v1
kind: query
spec:
description: The installed homebrew package database.
name: homebrew_packages_snapshot
query: SELECT name, version FROM homebrew_packages;
---
apiVersion: v1
kind: query
spec:
description: List kernel extensions, their signing status, and their hashes (excluding
extensions signed by Apple)
name: macosx_kextstat
query: SELECT kernel_extensions.idx, kernel_extensions.refs, kernel_extensions.size,
kernel_extensions.name, kernel_extensions.version, kernel_extensions.linked_against,
kernel_extensions.path, signature.signed, signature.identifier, signature.cdhash,
signature.team_identifier, signature.authority, hash.md5 FROM hash JOIN kernel_extensions
ON hash.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature
ON signature.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE
signature.authority!='Software Signing';
---
apiVersion: v1
kind: query
spec:
description: Checks the MD5 hash of /etc/rc.common and records the results if the
hash differs from the default value. /etc/rc.common can be used for persistence.
name: rc.common
query: SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9'
and md5!='';
---
apiVersion: v1
kind: query
spec:
description: Returns information about installed event taps. Can be used to detect
keyloggers
name: event_taps
query: SELECT * FROM event_taps INNER JOIN processes ON event_taps.tapping_process
= processes.pid WHERE event_tapped NOT LIKE '%mouse%' AND processes.path NOT LIKE
'%.app%' AND processes.path!='/Library/Application Support/org.pqrs/Karabiner-Elements/bin/karabiner_grabber'
AND processes.path NOT LIKE '/Users/%/bin/kwm' AND processes.path!='/Library/Rapport/bin/rooksd'
AND processes.path!='/usr/sbin/universalaccessd' AND processes.path NOT LIKE '/usr/local/Cellar/%'
AND processes.path NOT LIKE '/System/Library/%' AND processes.path NOT LIKE '%/steamapps/%'
AND event_taps.enabled=1;
---
apiVersion: v1
kind: query
spec:
description: LaunchAgents and LaunchDaemons from default search paths.
name: launchd
query: SELECT * FROM launchd;
---
apiVersion: v1
kind: query
spec:
description: Snapshot query for launchd
name: launchd_snapshot
query: SELECT path, name, label, program, run_at_load, program_arguments FROM launchd
WHERE run_at_load=1;
---
apiVersion: v1
kind: query
spec:
description: Detect the presence of the LD_PRELOAD environment variable
name: ld_preload
query: SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name,
processes.path, processes.cmdline, processes.cwd FROM process_envs join processes
USING (pid) WHERE key = 'LD_PRELOAD';
---
apiVersion: v1
kind: query
spec:
description: USB devices that are actively plugged into the host system.
name: usb_devices
query: SELECT * FROM usb_devices;
---
apiVersion: v1
kind: query
spec:
description: System mounted devices and filesystems (not process specific).
name: mounts
query: SELECT device, device_alias, path, type, blocks_size FROM mounts;
---
apiVersion: v1
kind: query
spec:
description: Apple NVRAM variable listing.
name: nvram
query: SELECT * FROM nvram;
---
apiVersion: v1
kind: query
spec:
description: Line parsed values from system and user cron/tab.
name: crontab
query: SELECT * FROM crontab;
---
apiVersion: v1
kind: query
spec:
description: Hardware (PCI/USB/HID) events from UDEV or IOKit.
name: hardware_events
query: SELECT * FROM hardware_events;
---
apiVersion: v1
kind: query
spec:
description: The installed homebrew package database.
name: homebrew_packages
query: SELECT * FROM homebrew_packages;
---
apiVersion: v1
kind: query
spec:
description: OS X applications installed in known search paths (e.g., /Applications).
name: installed_applications
query: SELECT * FROM apps;
---
apiVersion: v1
kind: query
spec:
description: System logins and logouts.
name: last
query: SELECT * FROM last;
---
apiVersion: v1
kind: query
spec:
description: Snapshot query for macosx_kextstat
name: macosx_kextstat_snapshot
query: SELECT kernel_extensions.name, kernel_extensions.version, kernel_extensions.path,
signature.signed, signature.identifier, signature.cdhash, signature.team_identifier,
signature.authority, hash.md5 FROM hash JOIN kernel_extensions ON hash.path LIKE
printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature ON signature.path
LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE signature.authority!='Software
Signing';
---
apiVersion: v1
kind: query
spec:
description: Checks the MD5 hash of /etc/rc.common and records the results if the
hash differs from the default value. /etc/rc.common can be used for persistence.
name: rc.common_snapshot
query: SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9'
and md5!='';
---
apiVersion: v1
kind: query
spec:
description: Safari browser extension details for all users.
name: safari_extensions
query: SELECT * FROM users JOIN safari_extensions USING (uid);
---
apiVersion: v1
kind: query
spec:
description: suid binaries in common locations.
name: suid_bin
query: SELECT * FROM suid_bin;
---
apiVersion: v1
kind: query
spec:
description: Local system users.
name: users
query: SELECT * FROM users;
---
apiVersion: v1
kind: query
spec:
description: List authorized_keys for each user on the system
name: authorized_keys
query: SELECT * FROM users JOIN authorized_keys USING (uid);
---
apiVersion: v1
kind: query
spec:
description: Application, System, and Mobile App crash logs.
name: crashes
query: SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path
FROM users JOIN crashes USING (uid);
---
apiVersion: v1
kind: query
spec:
description: Displays the percentage of free space available on the primary disk
partition
name: disk_free_space_pct
query: SELECT (blocks_available * 100 / blocks) AS pct FROM mounts WHERE device='/dev/disk1';
---
apiVersion: v1
kind: query
spec:
description: Retrieve the interface name, IP address, and MAC address for all interfaces
on the host.
name: network_interfaces_snapshot
query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details
d USING (interface);
---
apiVersion: v1
kind: query
spec:
description: Information about EFI/UEFI/ROM and platform/boot.
name: platform_info
query: SELECT * FROM platform_info;
---
apiVersion: v1
kind: query
spec:
description: System uptime
name: uptime
query: SELECT * FROM uptime;
---
apiVersion: v1
kind: query
spec:
description: MD5 hash of boot.efi
name: boot_efi_hash
query: SELECT path, md5 FROM hash WHERE path='/System/Library/CoreServices/boot.efi';
---
apiVersion: v1
kind: query
spec:
description: Snapshot query for Chrome extensions
name: chrome_extensions_snapshot
query: SELECT * FROM users JOIN chrome_extensions USING (uid);
---
apiVersion: v1
kind: query
spec:
description: Snapshot query for installed_applications
name: installed_applications_snapshot
query: SELECT name, path, bundle_short_version, bundle_version, display_name FROM
apps;
---
apiVersion: v1
kind: query
spec:
description: NFS shares exported by the host.
name: nfs_shares
query: SELECT * FROM nfs_shares;
---
apiVersion: v1
kind: query
spec:
description: List the version of the resident operating system
name: os_version
query: SELECT * FROM os_version;
---
apiVersion: v1
kind: query
spec:
description: Applications and binaries set as user/login startup items.
name: startup_items
query: SELECT * FROM startup_items;
---
apiVersion: v1
kind: query
spec:
description: All C/NPAPI browser plugin details for all users.
name: browser_plugins
query: SELECT * FROM users JOIN browser_plugins USING (uid);
---
apiVersion: v1
kind: query
spec:
description: List installed Firefox addons for all users
name: firefox_addons
query: SELECT * FROM users JOIN firefox_addons USING (uid);
---
apiVersion: v1
kind: query
spec:
description: Discover hosts that have IP forwarding enabled
name: ip_forwarding_enabled
query: SELECT * FROM system_controls WHERE name LIKE '%forwarding%' AND name LIKE
'%ip%' AND current_value=1;
---
apiVersion: v1
kind: query
spec:
description: Platform info snapshot query
name: platform_info_snapshot
query: SELECT vendor, version, date, revision from platform_info;
---
apiVersion: v1
kind: query
spec:
description: Python packages installed in a system.
name: python_packages
query: SELECT * FROM python_packages;
---
apiVersion: v1
kind: query
spec:
description: List installed Chrome Extensions for all users
name: chrome_extensions
query: SELECT * FROM users JOIN chrome_extensions USING (uid);
---
apiVersion: v1
kind: query
spec:
description: Disk encryption status and information.
name: disk_encryption
query: SELECT * FROM disk_encryption;
---
apiVersion: v1
kind: query
spec:
description: Local system users.
name: users_snapshot
query: SELECT * FROM users;
---
apiVersion: v1
kind: query
spec:
description: OS X known/remembered Wi-Fi networks list.
name: wireless_networks
query: SELECT ssid, network_name, security_type, last_connected, captive_portal,
possibly_hidden, roaming, roaming_profile FROM wifi_networks;
---
apiVersion: v1
kind: query
spec:
description: Determine if the host is running the expected EFI firmware version
given their Mac hardware and OS build version (https://github.com/duo-labs/EFIgy)
name: efigy
query: SELECT * FROM efigy;
---
apiVersion: v1
kind: query
spec:
description: List the contents of /etc/hosts
name: etc_hosts
query: SELECT * FROM etc_hosts;
---
apiVersion: v1
kind: query
spec:
description: Operating system version snapshot query
name: os_version_snapshot
query: SELECT * FROM os_version;
---
apiVersion: v1
kind: query
spec:
description: Information about the resident osquery process
name: osquery_info
query: SELECT * FROM osquery_info;
---
apiVersion: v1
kind: query
spec:
description: Apple's System Integrity Protection (rootless) status.
name: sip_config
query: SELECT * FROM sip_config;
---
apiVersion: v1
kind: query
spec:
description: Returns the private keys in the users ~/.ssh directory and whether
or not they are encrypted.
name: user_ssh_keys
query: SELECT * FROM users JOIN user_ssh_keys USING (uid);