Fleet Module - Adding some Rule Packs

2025-12-19 23:43:07 +01:00 · 2019-01-24 10:41:40 -05:00
parent 49357f4947
commit ff900d1dc6
13 changed files with 3126 additions and 0 deletions
--- a/salt/fleet/packs/palantir/Fleet/Servers/Linux/osquery.yaml
+++ b/salt/fleet/packs/palantir/Fleet/Servers/Linux/osquery.yaml
@@ -0,0 +1,596 @@
+---
+apiVersion: v1
+kind: pack
+spec:
+  name: LinuxPack
+  queries:
+  - description: Retrieves all the jobs scheduled in crontab in the target system.
+    interval: 0
+    name: crontab_snapshot
+    platform: linux
+    query: crontab_snapshot
+    snapshot: true
+  - description: Various Linux kernel integrity checked attributes.
+    interval: 0
+    name: kernel_integrity
+    platform: linux
+    query: kernel_integrity
+  - description: Linux kernel modules both loaded and within the load search path.
+    interval: 0
+    name: kernel_modules
+    platform: linux
+    query: kernel_modules
+  - description: Retrieves the current list of mounted drives in the target system.
+    interval: 0
+    name: mounts
+    platform: linux
+    query: mounts
+  - description: The percentage of total CPU time (system+user) consumed by osqueryd
+    interval: 0
+    name: osquery_cpu_pct
+    platform: linux
+    query: osquery_cpu_pct
+    snapshot: true
+  - description: Socket events collected from the audit framework
+    interval: 0
+    name: socket_events
+    platform: linux
+    query: socket_events
+  - description: Record the network interfaces and their associated IP and MAC addresses
+    interval: 0
+    name: network_interfaces_snapshot
+    platform: linux
+    query: network_interfaces_snapshot
+    snapshot: true
+    version: 1.4.5
+  - description: Information about the running osquery configuration
+    interval: 0
+    name: osquery_info
+    platform: linux
+    query: osquery_info
+    snapshot: true
+  - description: Display all installed RPM packages
+    interval: 0
+    name: rpm_packages
+    platform: centos
+    query: rpm_packages
+    snapshot: true
+  - description: Record shell history for all users on system (instead of just root)
+    interval: 0
+    name: shell_history
+    platform: linux
+    query: shell_history
+  - description: File events collected from file integrity monitoring
+    interval: 0
+    name: file_events
+    platform: linux
+    query: file_events
+    removed: false
+  - description: Retrieve the EC2 metadata for this endpoint
+    interval: 0
+    name: ec2_instance_metadata
+    platform: linux
+    query: ec2_instance_metadata
+  - description: Retrieve the EC2 tags for this endpoint
+    interval: 0
+    name: ec2_instance_tags
+    platform: linux
+    query: ec2_instance_tags
+  - description: Snapshot query to retrieve the EC2 tags for this instance
+    interval: 0
+    name: ec2_instance_tags_snapshot
+    platform: linux
+    query: ec2_instance_tags_snapshot
+    snapshot: true
+  - description: Retrieves the current filters and chains per filter in the target
+      system.
+    interval: 0
+    name: iptables
+    platform: linux
+    query: iptables
+  - description: Display any SUID binaries that are owned by root
+    interval: 0
+    name: suid_bin
+    platform: linux
+    query: suid_bin
+  - description: Display all installed DEB packages
+    interval: 0
+    name: deb_packages
+    platform: ubuntu
+    query: deb_packages
+    snapshot: true
+  - description: Find shell processes that have open sockets
+    interval: 0
+    name: behavioral_reverse_shell
+    platform: linux
+    query: behavioral_reverse_shell
+  - description: Retrieves all the jobs scheduled in crontab in the target system.
+    interval: 0
+    name: crontab
+    platform: linux
+    query: crontab
+  - description: Records the system resources used by each query
+    interval: 0
+    name: per_query_perf
+    platform: linux
+    query: per_query_perf
+  - description: Records avg rate of socket events since daemon started
+    interval: 0
+    name: socket_rates
+    platform: linux
+    query: socket_rates
+    snapshot: true
+  - description: Local system users.
+    interval: 0
+    name: users
+    platform: linux
+    query: users
+  - description: Process events collected from the audit framework
+    interval: 0
+    name: process_events
+    platform: linux
+    query: process_events
+  - description: Retrieves the list of the latest logins with PID, username and timestamp.
+    interval: 0
+    name: last
+    platform: linux
+    query: last
+  - description: Any processes that run with an LD_PRELOAD environment variable
+    interval: 0
+    name: ld_preload
+    platform: linux
+    query: ld_preload
+  - description: Records avg rate of process events since daemon started
+    interval: 0
+    name: process_rates
+    platform: linux
+    query: process_rates
+    snapshot: true
+  - description: Information about the system hardware and name
+    interval: 0
+    name: system_info
+    platform: linux
+    query: system_info
+    snapshot: true
+  - description: Returns the private keys in the users ~/.ssh directory and whether
+      or not they are encrypted
+    interval: 0
+    name: user_ssh_keys
+    platform: linux
+    query: user_ssh_keys
+  - description: Local system users.
+    interval: 0
+    name: users_snapshot
+    platform: linux
+    query: users_snapshot
+    snapshot: true
+  - description: DNS resolvers used by the host
+    interval: 0
+    name: dns_resolvers
+    platform: linux
+    query: dns_resolvers
+  - description: Retrieves information from the current kernel in the target system.
+    interval: 0
+    name: kernel_info
+    platform: linux
+    query: kernel_info
+    snapshot: true
+  - description: Linux kernel modules both loaded and within the load search path.
+    interval: 0
+    name: kernel_modules_snapshot
+    platform: linux
+    query: kernel_modules_snapshot
+    snapshot: true
+  - description: Generates an event if ld.so.preload is present - used by rootkits
+      such as Jynx
+    interval: 0
+    name: ld_so_preload_exists
+    platform: linux
+    query: ld_so_preload_exists
+    snapshot: true
+  - description: Records system/user time, db size, and many other system metrics
+    interval: 0
+    name: runtime_perf
+    platform: linux
+    query: runtime_perf
+  - description: Retrieves all the entries in the target system /etc/hosts file.
+    interval: 0
+    name: etc_hosts_snapshot
+    platform: linux
+    query: etc_hosts_snapshot
+    snapshot: true
+  - description: Snapshot query to retrieve the EC2 metadata for this endpoint
+    interval: 0
+    name: ec2_instance_metadata_snapshot
+    platform: linux
+    query: ec2_instance_metadata_snapshot
+    snapshot: true
+  - description: ""
+    interval: 0
+    name: hardware_events
+    platform: linux
+    query: hardware_events
+    removed: false
+  - description: Information about memory usage on the system
+    interval: 0
+    name: memory_info
+    platform: linux
+    query: memory_info
+  - description: Displays information from /proc/stat file about the time the CPU
+      cores spent in different parts of the system
+    interval: 0
+    name: cpu_time
+    platform: linux
+    query: cpu_time
+  - description: Retrieves all the entries in the target system /etc/hosts file.
+    interval: 0
+    name: etc_hosts
+    platform: linux
+    query: etc_hosts
+  - description: Retrieves information from the Operating System where osquery is
+      currently running.
+    interval: 0
+    name: os_version
+    platform: linux
+    query: os_version
+    snapshot: true
+  - description: A snapshot of all processes running on the host. Useful for outlier
+      analysis.
+    interval: 0
+    name: processes_snapshot
+    platform: linux
+    query: processes_snapshot
+    snapshot: true
+  - description: Retrieves the current list of USB devices in the target system.
+    interval: 0
+    name: usb_devices
+    platform: linux
+    query: usb_devices
+  - description: A line-delimited authorized_keys table.
+    interval: 0
+    name: authorized_keys
+    platform: linux
+    query: authorized_keys
+  targets:
+    labels: null
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Retrieves all the jobs scheduled in crontab in the target system.
+  name: crontab_snapshot
+  query: SELECT * FROM crontab;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Various Linux kernel integrity checked attributes.
+  name: kernel_integrity
+  query: SELECT * FROM kernel_integrity;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Linux kernel modules both loaded and within the load search path.
+  name: kernel_modules
+  query: SELECT * FROM kernel_modules;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Retrieves the current list of mounted drives in the target system.
+  name: mounts
+  query: SELECT device, device_alias, path, type, blocks_size, flags FROM mounts;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: The percentage of total CPU time (system+user) consumed by osqueryd
+  name: osquery_cpu_pct
+  query: SELECT ((osqueryd_time*100)/(SUM(system_time) + SUM(user_time))) AS pct FROM
+    processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time)) AS osqueryd_time
+    FROM processes WHERE name='osqueryd');
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Socket events collected from the audit framework
+  name: socket_events
+  query: SELECT action, auid, family, local_address, local_port, path, pid, remote_address,
+    remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN
+    ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254',
+    '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001',
+    'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Record the network interfaces and their associated IP and MAC addresses
+  name: network_interfaces_snapshot
+  query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details
+    d USING (interface);
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Information about the running osquery configuration
+  name: osquery_info
+  query: SELECT * FROM osquery_info;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Display all installed RPM packages
+  name: rpm_packages
+  query: SELECT name, version, release, arch FROM rpm_packages;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Record shell history for all users on system (instead of just root)
+  name: shell_history
+  query: SELECT * FROM users JOIN shell_history USING (uid);
+---
+apiVersion: v1
+kind: query
+spec:
+  description: File events collected from file integrity monitoring
+  name: file_events
+  query: SELECT * FROM file_events;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Retrieve the EC2 metadata for this endpoint
+  name: ec2_instance_metadata
+  query: SELECT * FROM ec2_instance_metadata;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Retrieve the EC2 tags for this endpoint
+  name: ec2_instance_tags
+  query: SELECT * FROM ec2_instance_tags;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Snapshot query to retrieve the EC2 tags for this instance
+  name: ec2_instance_tags_snapshot
+  query: SELECT * FROM ec2_instance_tags;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Retrieves the current filters and chains per filter in the target system.
+  name: iptables
+  query: SELECT * FROM iptables;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Display any SUID binaries that are owned by root
+  name: suid_bin
+  query: SELECT * FROM suid_bin;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Display all installed DEB packages
+  name: deb_packages
+  query: SELECT * FROM deb_packages;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Find shell processes that have open sockets
+  name: behavioral_reverse_shell
+  query: SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path,
+    processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid,
+    processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port,
+    (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS
+    parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER
+    JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh'
+    OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address
+    NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%';
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Retrieves all the jobs scheduled in crontab in the target system.
+  name: crontab
+  query: SELECT * FROM crontab;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Records the system resources used by each query
+  name: per_query_perf
+  query: SELECT name, interval, executions, output_size, wall_time, (user_time/executions)
+    AS avg_user_time, (system_time/executions) AS avg_system_time, average_memory
+    FROM osquery_schedule;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Records avg rate of socket events since daemon started
+  name: socket_rates
+  query: SELECT COUNT(1) AS num, count(1)/s AS rate FROM socket_events, (SELECT (julianday('now')
+    - 2440587.5)*86400.0 - start_time AS s FROM osquery_info LIMIT 1);
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Local system users.
+  name: users
+  query: SELECT * FROM users;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Process events collected from the audit framework
+  name: process_events
+  query: SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time,
+    uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk',
+    '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq',
+    '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline
+    NOT LIKE '%secret%';
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Retrieves the list of the latest logins with PID, username and timestamp.
+  name: last
+  query: SELECT * FROM last;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Any processes that run with an LD_PRELOAD environment variable
+  name: ld_preload
+  query: SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name,
+    processes.path, processes.cmdline, processes.cwd FROM process_envs join processes
+    USING (pid) WHERE key = 'LD_PRELOAD';
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Records avg rate of process events since daemon started
+  name: process_rates
+  query: SELECT COUNT(1) AS num, count(1)/s AS rate FROM process_events, (SELECT (julianday('now')
+    - 2440587.5)*86400.0 - start_time AS s FROM osquery_info LIMIT 1);
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Information about the system hardware and name
+  name: system_info
+  query: SELECT * FROM system_info;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Returns the private keys in the users ~/.ssh directory and whether
+    or not they are encrypted
+  name: user_ssh_keys
+  query: SELECT * FROM users JOIN user_ssh_keys USING (uid);
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Local system users.
+  name: users_snapshot
+  query: SELECT * FROM users;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: DNS resolvers used by the host
+  name: dns_resolvers
+  query: SELECT * FROM dns_resolvers;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Retrieves information from the current kernel in the target system.
+  name: kernel_info
+  query: SELECT * FROM kernel_info;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Linux kernel modules both loaded and within the load search path.
+  name: kernel_modules_snapshot
+  query: SELECT * FROM kernel_modules;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Generates an event if ld.so.preload is present - used by rootkits such
+    as Jynx
+  name: ld_so_preload_exists
+  query: SELECT * FROM file WHERE path='/etc/ld.so.preload' AND path!='';
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Records system/user time, db size, and many other system metrics
+  name: runtime_perf
+  query: SELECT ov.version AS os_version, ov.platform AS os_platform, ov.codename
+    AS os_codename, i.*, p.resident_size, p.user_time, p.system_time, time.minutes
+    AS counter, db.db_size_mb AS database_size from osquery_info i, os_version ov,
+    processes p, time, (SELECT (SUM(size) / 1024) / 1024.0 AS db_size_mb FROM (SELECT
+    value FROM osquery_flags WHERE name = 'database_path' LIMIT 1) flags, file WHERE
+    path LIKE flags.value || '%%' AND type = 'regular') db WHERE p.pid = i.pid;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Retrieves all the entries in the target system /etc/hosts file.
+  name: etc_hosts_snapshot
+  query: SELECT * FROM etc_hosts;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Snapshot query to retrieve the EC2 metadata for this endpoint
+  name: ec2_instance_metadata_snapshot
+  query: SELECT * FROM ec2_instance_metadata;
+---
+apiVersion: v1
+kind: query
+spec:
+  name: hardware_events
+  query: SELECT * FROM hardware_events;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Information about memory usage on the system
+  name: memory_info
+  query: SELECT * FROM memory_info;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Displays information from /proc/stat file about the time the CPU cores
+    spent in different parts of the system
+  name: cpu_time
+  query: SELECT * FROM cpu_time;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Retrieves all the entries in the target system /etc/hosts file.
+  name: etc_hosts
+  query: SELECT * FROM etc_hosts;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Retrieves information from the Operating System where osquery is currently
+    running.
+  name: os_version
+  query: SELECT * FROM os_version;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: A snapshot of all processes running on the host. Useful for outlier
+    analysis.
+  name: processes_snapshot
+  query: select name, path, cmdline, cwd, on_disk from processes;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: Retrieves the current list of USB devices in the target system.
+  name: usb_devices
+  query: SELECT * FROM usb_devices;
+---
+apiVersion: v1
+kind: query
+spec:
+  description: A line-delimited authorized_keys table.
+  name: authorized_keys
+  query: SELECT * FROM users JOIN authorized_keys USING (uid);