--- apiVersion: v1 kind: pack spec: name: LinuxPack queries: - description: Retrieves all the jobs scheduled in crontab in the target system. interval: 0 name: crontab_snapshot platform: linux query: crontab_snapshot snapshot: true - description: Various Linux kernel integrity checked attributes. interval: 0 name: kernel_integrity platform: linux query: kernel_integrity - description: Linux kernel modules both loaded and within the load search path. interval: 0 name: kernel_modules platform: linux query: kernel_modules - description: Retrieves the current list of mounted drives in the target system. interval: 0 name: mounts platform: linux query: mounts - description: The percentage of total CPU time (system+user) consumed by osqueryd interval: 0 name: osquery_cpu_pct platform: linux query: osquery_cpu_pct snapshot: true - description: Socket events collected from the audit framework interval: 0 name: socket_events platform: linux query: socket_events - description: Record the network interfaces and their associated IP and MAC addresses interval: 0 name: network_interfaces_snapshot platform: linux query: network_interfaces_snapshot snapshot: true version: 1.4.5 - description: Information about the running osquery configuration interval: 0 name: osquery_info platform: linux query: osquery_info snapshot: true - description: Display all installed RPM packages interval: 0 name: rpm_packages platform: centos query: rpm_packages snapshot: true - description: Record shell history for all users on system (instead of just root) interval: 0 name: shell_history platform: linux query: shell_history - description: File events collected from file integrity monitoring interval: 0 name: file_events platform: linux query: file_events removed: false - description: Retrieve the EC2 metadata for this endpoint interval: 0 name: ec2_instance_metadata platform: linux query: ec2_instance_metadata - description: Retrieve the EC2 tags for this endpoint interval: 0 name: ec2_instance_tags platform: linux query: ec2_instance_tags - description: Snapshot query to retrieve the EC2 tags for this instance interval: 0 name: ec2_instance_tags_snapshot platform: linux query: ec2_instance_tags_snapshot snapshot: true - description: Retrieves the current filters and chains per filter in the target system. interval: 0 name: iptables platform: linux query: iptables - description: Display any SUID binaries that are owned by root interval: 0 name: suid_bin platform: linux query: suid_bin - description: Display all installed DEB packages interval: 0 name: deb_packages platform: ubuntu query: deb_packages snapshot: true - description: Find shell processes that have open sockets interval: 0 name: behavioral_reverse_shell platform: linux query: behavioral_reverse_shell - description: Retrieves all the jobs scheduled in crontab in the target system. interval: 0 name: crontab platform: linux query: crontab - description: Records the system resources used by each query interval: 0 name: per_query_perf platform: linux query: per_query_perf - description: Records avg rate of socket events since daemon started interval: 0 name: socket_rates platform: linux query: socket_rates snapshot: true - description: Local system users. interval: 0 name: users platform: linux query: users - description: Process events collected from the audit framework interval: 0 name: process_events platform: linux query: process_events - description: Retrieves the list of the latest logins with PID, username and timestamp. interval: 0 name: last platform: linux query: last - description: Any processes that run with an LD_PRELOAD environment variable interval: 0 name: ld_preload platform: linux query: ld_preload - description: Records avg rate of process events since daemon started interval: 0 name: process_rates platform: linux query: process_rates snapshot: true - description: Information about the system hardware and name interval: 0 name: system_info platform: linux query: system_info snapshot: true - description: Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted interval: 0 name: user_ssh_keys platform: linux query: user_ssh_keys - description: Local system users. interval: 0 name: users_snapshot platform: linux query: users_snapshot snapshot: true - description: DNS resolvers used by the host interval: 0 name: dns_resolvers platform: linux query: dns_resolvers - description: Retrieves information from the current kernel in the target system. interval: 0 name: kernel_info platform: linux query: kernel_info snapshot: true - description: Linux kernel modules both loaded and within the load search path. interval: 0 name: kernel_modules_snapshot platform: linux query: kernel_modules_snapshot snapshot: true - description: Generates an event if ld.so.preload is present - used by rootkits such as Jynx interval: 0 name: ld_so_preload_exists platform: linux query: ld_so_preload_exists snapshot: true - description: Records system/user time, db size, and many other system metrics interval: 0 name: runtime_perf platform: linux query: runtime_perf - description: Retrieves all the entries in the target system /etc/hosts file. interval: 0 name: etc_hosts_snapshot platform: linux query: etc_hosts_snapshot snapshot: true - description: Snapshot query to retrieve the EC2 metadata for this endpoint interval: 0 name: ec2_instance_metadata_snapshot platform: linux query: ec2_instance_metadata_snapshot snapshot: true - description: "" interval: 0 name: hardware_events platform: linux query: hardware_events removed: false - description: Information about memory usage on the system interval: 0 name: memory_info platform: linux query: memory_info - description: Displays information from /proc/stat file about the time the CPU cores spent in different parts of the system interval: 0 name: cpu_time platform: linux query: cpu_time - description: Retrieves all the entries in the target system /etc/hosts file. interval: 0 name: etc_hosts platform: linux query: etc_hosts - description: Retrieves information from the Operating System where osquery is currently running. interval: 0 name: os_version platform: linux query: os_version snapshot: true - description: A snapshot of all processes running on the host. Useful for outlier analysis. interval: 0 name: processes_snapshot platform: linux query: processes_snapshot snapshot: true - description: Retrieves the current list of USB devices in the target system. interval: 0 name: usb_devices platform: linux query: usb_devices - description: A line-delimited authorized_keys table. interval: 0 name: authorized_keys platform: linux query: authorized_keys targets: labels: null --- apiVersion: v1 kind: query spec: description: Retrieves all the jobs scheduled in crontab in the target system. name: crontab_snapshot query: SELECT * FROM crontab; --- apiVersion: v1 kind: query spec: description: Various Linux kernel integrity checked attributes. name: kernel_integrity query: SELECT * FROM kernel_integrity; --- apiVersion: v1 kind: query spec: description: Linux kernel modules both loaded and within the load search path. name: kernel_modules query: SELECT * FROM kernel_modules; --- apiVersion: v1 kind: query spec: description: Retrieves the current list of mounted drives in the target system. name: mounts query: SELECT device, device_alias, path, type, blocks_size, flags FROM mounts; --- apiVersion: v1 kind: query spec: description: The percentage of total CPU time (system+user) consumed by osqueryd name: osquery_cpu_pct query: SELECT ((osqueryd_time*100)/(SUM(system_time) + SUM(user_time))) AS pct FROM processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time)) AS osqueryd_time FROM processes WHERE name='osqueryd'); --- apiVersion: v1 kind: query spec: description: Socket events collected from the audit framework name: socket_events query: SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000'); --- apiVersion: v1 kind: query spec: description: Record the network interfaces and their associated IP and MAC addresses name: network_interfaces_snapshot query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface); --- apiVersion: v1 kind: query spec: description: Information about the running osquery configuration name: osquery_info query: SELECT * FROM osquery_info; --- apiVersion: v1 kind: query spec: description: Display all installed RPM packages name: rpm_packages query: SELECT name, version, release, arch FROM rpm_packages; --- apiVersion: v1 kind: query spec: description: Record shell history for all users on system (instead of just root) name: shell_history query: SELECT * FROM users JOIN shell_history USING (uid); --- apiVersion: v1 kind: query spec: description: File events collected from file integrity monitoring name: file_events query: SELECT * FROM file_events; --- apiVersion: v1 kind: query spec: description: Retrieve the EC2 metadata for this endpoint name: ec2_instance_metadata query: SELECT * FROM ec2_instance_metadata; --- apiVersion: v1 kind: query spec: description: Retrieve the EC2 tags for this endpoint name: ec2_instance_tags query: SELECT * FROM ec2_instance_tags; --- apiVersion: v1 kind: query spec: description: Snapshot query to retrieve the EC2 tags for this instance name: ec2_instance_tags_snapshot query: SELECT * FROM ec2_instance_tags; --- apiVersion: v1 kind: query spec: description: Retrieves the current filters and chains per filter in the target system. name: iptables query: SELECT * FROM iptables; --- apiVersion: v1 kind: query spec: description: Display any SUID binaries that are owned by root name: suid_bin query: SELECT * FROM suid_bin; --- apiVersion: v1 kind: query spec: description: Display all installed DEB packages name: deb_packages query: SELECT * FROM deb_packages; --- apiVersion: v1 kind: query spec: description: Find shell processes that have open sockets name: behavioral_reverse_shell query: SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%'; --- apiVersion: v1 kind: query spec: description: Retrieves all the jobs scheduled in crontab in the target system. name: crontab query: SELECT * FROM crontab; --- apiVersion: v1 kind: query spec: description: Records the system resources used by each query name: per_query_perf query: SELECT name, interval, executions, output_size, wall_time, (user_time/executions) AS avg_user_time, (system_time/executions) AS avg_system_time, average_memory FROM osquery_schedule; --- apiVersion: v1 kind: query spec: description: Records avg rate of socket events since daemon started name: socket_rates query: SELECT COUNT(1) AS num, count(1)/s AS rate FROM socket_events, (SELECT (julianday('now') - 2440587.5)*86400.0 - start_time AS s FROM osquery_info LIMIT 1); --- apiVersion: v1 kind: query spec: description: Local system users. name: users query: SELECT * FROM users; --- apiVersion: v1 kind: query spec: description: Process events collected from the audit framework name: process_events query: SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%'; --- apiVersion: v1 kind: query spec: description: Retrieves the list of the latest logins with PID, username and timestamp. name: last query: SELECT * FROM last; --- apiVersion: v1 kind: query spec: description: Any processes that run with an LD_PRELOAD environment variable name: ld_preload query: SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, processes.path, processes.cmdline, processes.cwd FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD'; --- apiVersion: v1 kind: query spec: description: Records avg rate of process events since daemon started name: process_rates query: SELECT COUNT(1) AS num, count(1)/s AS rate FROM process_events, (SELECT (julianday('now') - 2440587.5)*86400.0 - start_time AS s FROM osquery_info LIMIT 1); --- apiVersion: v1 kind: query spec: description: Information about the system hardware and name name: system_info query: SELECT * FROM system_info; --- apiVersion: v1 kind: query spec: description: Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted name: user_ssh_keys query: SELECT * FROM users JOIN user_ssh_keys USING (uid); --- apiVersion: v1 kind: query spec: description: Local system users. name: users_snapshot query: SELECT * FROM users; --- apiVersion: v1 kind: query spec: description: DNS resolvers used by the host name: dns_resolvers query: SELECT * FROM dns_resolvers; --- apiVersion: v1 kind: query spec: description: Retrieves information from the current kernel in the target system. name: kernel_info query: SELECT * FROM kernel_info; --- apiVersion: v1 kind: query spec: description: Linux kernel modules both loaded and within the load search path. name: kernel_modules_snapshot query: SELECT * FROM kernel_modules; --- apiVersion: v1 kind: query spec: description: Generates an event if ld.so.preload is present - used by rootkits such as Jynx name: ld_so_preload_exists query: SELECT * FROM file WHERE path='/etc/ld.so.preload' AND path!=''; --- apiVersion: v1 kind: query spec: description: Records system/user time, db size, and many other system metrics name: runtime_perf query: SELECT ov.version AS os_version, ov.platform AS os_platform, ov.codename AS os_codename, i.*, p.resident_size, p.user_time, p.system_time, time.minutes AS counter, db.db_size_mb AS database_size from osquery_info i, os_version ov, processes p, time, (SELECT (SUM(size) / 1024) / 1024.0 AS db_size_mb FROM (SELECT value FROM osquery_flags WHERE name = 'database_path' LIMIT 1) flags, file WHERE path LIKE flags.value || '%%' AND type = 'regular') db WHERE p.pid = i.pid; --- apiVersion: v1 kind: query spec: description: Retrieves all the entries in the target system /etc/hosts file. name: etc_hosts_snapshot query: SELECT * FROM etc_hosts; --- apiVersion: v1 kind: query spec: description: Snapshot query to retrieve the EC2 metadata for this endpoint name: ec2_instance_metadata_snapshot query: SELECT * FROM ec2_instance_metadata; --- apiVersion: v1 kind: query spec: name: hardware_events query: SELECT * FROM hardware_events; --- apiVersion: v1 kind: query spec: description: Information about memory usage on the system name: memory_info query: SELECT * FROM memory_info; --- apiVersion: v1 kind: query spec: description: Displays information from /proc/stat file about the time the CPU cores spent in different parts of the system name: cpu_time query: SELECT * FROM cpu_time; --- apiVersion: v1 kind: query spec: description: Retrieves all the entries in the target system /etc/hosts file. name: etc_hosts query: SELECT * FROM etc_hosts; --- apiVersion: v1 kind: query spec: description: Retrieves information from the Operating System where osquery is currently running. name: os_version query: SELECT * FROM os_version; --- apiVersion: v1 kind: query spec: description: A snapshot of all processes running on the host. Useful for outlier analysis. name: processes_snapshot query: select name, path, cmdline, cwd, on_disk from processes; --- apiVersion: v1 kind: query spec: description: Retrieves the current list of USB devices in the target system. name: usb_devices query: SELECT * FROM usb_devices; --- apiVersion: v1 kind: query spec: description: A line-delimited authorized_keys table. name: authorized_keys query: SELECT * FROM users JOIN authorized_keys USING (uid);