securityonion/salt/fleet/packs/palantir/Fleet/Servers/Linux/osquery.yaml

---
apiVersion: v1
kind: pack
spec:
  name: LinuxPack
  queries:
  - description: Retrieves all the jobs scheduled in crontab in the target system.
    interval: 0
    name: crontab_snapshot
    platform: linux
    query: crontab_snapshot
    snapshot: true
  - description: Various Linux kernel integrity checked attributes.
    interval: 0
    name: kernel_integrity
    platform: linux
    query: kernel_integrity
  - description: Linux kernel modules both loaded and within the load search path.
    interval: 0
    name: kernel_modules
    platform: linux
    query: kernel_modules
  - description: Retrieves the current list of mounted drives in the target system.
    interval: 0
    name: mounts
    platform: linux
    query: mounts
  - description: The percentage of total CPU time (system+user) consumed by osqueryd
    interval: 0
    name: osquery_cpu_pct
    platform: linux
    query: osquery_cpu_pct
    snapshot: true
  - description: Socket events collected from the audit framework
    interval: 0
    name: socket_events
    platform: linux
    query: socket_events
  - description: Record the network interfaces and their associated IP and MAC addresses
    interval: 0
    name: network_interfaces_snapshot
    platform: linux
    query: network_interfaces_snapshot
    snapshot: true
    version: 1.4.5
  - description: Information about the running osquery configuration
    interval: 0
    name: osquery_info
    platform: linux
    query: osquery_info
    snapshot: true
  - description: Display all installed RPM packages
    interval: 0
    name: rpm_packages
    platform: centos
    query: rpm_packages
    snapshot: true
  - description: Record shell history for all users on system (instead of just root)
    interval: 0
    name: shell_history
    platform: linux
    query: shell_history
  - description: File events collected from file integrity monitoring
    interval: 0
    name: file_events
    platform: linux
    query: file_events
    removed: false
  - description: Retrieve the EC2 metadata for this endpoint
    interval: 0
    name: ec2_instance_metadata
    platform: linux
    query: ec2_instance_metadata
  - description: Retrieve the EC2 tags for this endpoint
    interval: 0
    name: ec2_instance_tags
    platform: linux
    query: ec2_instance_tags
  - description: Snapshot query to retrieve the EC2 tags for this instance
    interval: 0
    name: ec2_instance_tags_snapshot
    platform: linux
    query: ec2_instance_tags_snapshot
    snapshot: true
  - description: Retrieves the current filters and chains per filter in the target
      system.
    interval: 0
    name: iptables
    platform: linux
    query: iptables
  - description: Display any SUID binaries that are owned by root
    interval: 0
    name: suid_bin
    platform: linux
    query: suid_bin
  - description: Display all installed DEB packages
    interval: 0
    name: deb_packages
    platform: ubuntu
    query: deb_packages
    snapshot: true
  - description: Find shell processes that have open sockets
    interval: 0
    name: behavioral_reverse_shell
    platform: linux
    query: behavioral_reverse_shell
  - description: Retrieves all the jobs scheduled in crontab in the target system.
    interval: 0
    name: crontab
    platform: linux
    query: crontab
  - description: Records the system resources used by each query
    interval: 0
    name: per_query_perf
    platform: linux
    query: per_query_perf
  - description: Records avg rate of socket events since daemon started
    interval: 0
    name: socket_rates
    platform: linux
    query: socket_rates
    snapshot: true
  - description: Local system users.
    interval: 0
    name: users
    platform: linux
    query: users
  - description: Process events collected from the audit framework
    interval: 0
    name: process_events
    platform: linux
    query: process_events
  - description: Retrieves the list of the latest logins with PID, username and timestamp.
    interval: 0
    name: last
    platform: linux
    query: last
  - description: Any processes that run with an LD_PRELOAD environment variable
    interval: 0
    name: ld_preload
    platform: linux
    query: ld_preload
  - description: Records avg rate of process events since daemon started
    interval: 0
    name: process_rates
    platform: linux
    query: process_rates
    snapshot: true
  - description: Information about the system hardware and name
    interval: 0
    name: system_info
    platform: linux
    query: system_info
    snapshot: true
  - description: Returns the private keys in the users ~/.ssh directory and whether
      or not they are encrypted
    interval: 0
    name: user_ssh_keys
    platform: linux
    query: user_ssh_keys
  - description: Local system users.
    interval: 0
    name: users_snapshot
    platform: linux
    query: users_snapshot
    snapshot: true
  - description: DNS resolvers used by the host
    interval: 0
    name: dns_resolvers
    platform: linux
    query: dns_resolvers
  - description: Retrieves information from the current kernel in the target system.
    interval: 0
    name: kernel_info
    platform: linux
    query: kernel_info
    snapshot: true
  - description: Linux kernel modules both loaded and within the load search path.
    interval: 0
    name: kernel_modules_snapshot
    platform: linux
    query: kernel_modules_snapshot
    snapshot: true
  - description: Generates an event if ld.so.preload is present - used by rootkits
      such as Jynx
    interval: 0
    name: ld_so_preload_exists
    platform: linux
    query: ld_so_preload_exists
    snapshot: true
  - description: Records system/user time, db size, and many other system metrics
    interval: 0
    name: runtime_perf
    platform: linux
    query: runtime_perf
  - description: Retrieves all the entries in the target system /etc/hosts file.
    interval: 0
    name: etc_hosts_snapshot
    platform: linux
    query: etc_hosts_snapshot
    snapshot: true
  - description: Snapshot query to retrieve the EC2 metadata for this endpoint
    interval: 0
    name: ec2_instance_metadata_snapshot
    platform: linux
    query: ec2_instance_metadata_snapshot
    snapshot: true
  - description: ""
    interval: 0
    name: hardware_events
    platform: linux
    query: hardware_events
    removed: false
  - description: Information about memory usage on the system
    interval: 0
    name: memory_info
    platform: linux
    query: memory_info
  - description: Displays information from /proc/stat file about the time the CPU
      cores spent in different parts of the system
    interval: 0
    name: cpu_time
    platform: linux
    query: cpu_time
  - description: Retrieves all the entries in the target system /etc/hosts file.
    interval: 0
    name: etc_hosts
    platform: linux
    query: etc_hosts
  - description: Retrieves information from the Operating System where osquery is
      currently running.
    interval: 0
    name: os_version
    platform: linux
    query: os_version
    snapshot: true
  - description: A snapshot of all processes running on the host. Useful for outlier
      analysis.
    interval: 0
    name: processes_snapshot
    platform: linux
    query: processes_snapshot
    snapshot: true
  - description: Retrieves the current list of USB devices in the target system.
    interval: 0
    name: usb_devices
    platform: linux
    query: usb_devices
  - description: A line-delimited authorized_keys table.
    interval: 0
    name: authorized_keys
    platform: linux
    query: authorized_keys
  targets:
    labels: null
---
apiVersion: v1
kind: query
spec:
  description: Retrieves all the jobs scheduled in crontab in the target system.
  name: crontab_snapshot
  query: SELECT * FROM crontab;
---
apiVersion: v1
kind: query
spec:
  description: Various Linux kernel integrity checked attributes.
  name: kernel_integrity
  query: SELECT * FROM kernel_integrity;
---
apiVersion: v1
kind: query
spec:
  description: Linux kernel modules both loaded and within the load search path.
  name: kernel_modules
  query: SELECT * FROM kernel_modules;
---
apiVersion: v1
kind: query
spec:
  description: Retrieves the current list of mounted drives in the target system.
  name: mounts
  query: SELECT device, device_alias, path, type, blocks_size, flags FROM mounts;
---
apiVersion: v1
kind: query
spec:
  description: The percentage of total CPU time (system+user) consumed by osqueryd
  name: osquery_cpu_pct
  query: SELECT ((osqueryd_time*100)/(SUM(system_time) + SUM(user_time))) AS pct FROM
    processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time)) AS osqueryd_time
    FROM processes WHERE name='osqueryd');
---
apiVersion: v1
kind: query
spec:
  description: Socket events collected from the audit framework
  name: socket_events
  query: SELECT action, auid, family, local_address, local_port, path, pid, remote_address,
    remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN
    ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254',
    '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001',
    'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');
---
apiVersion: v1
kind: query
spec:
  description: Record the network interfaces and their associated IP and MAC addresses
  name: network_interfaces_snapshot
  query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details
    d USING (interface);
---
apiVersion: v1
kind: query
spec:
  description: Information about the running osquery configuration
  name: osquery_info
  query: SELECT * FROM osquery_info;
---
apiVersion: v1
kind: query
spec:
  description: Display all installed RPM packages
  name: rpm_packages
  query: SELECT name, version, release, arch FROM rpm_packages;
---
apiVersion: v1
kind: query
spec:
  description: Record shell history for all users on system (instead of just root)
  name: shell_history
  query: SELECT * FROM users JOIN shell_history USING (uid);
---
apiVersion: v1
kind: query
spec:
  description: File events collected from file integrity monitoring
  name: file_events
  query: SELECT * FROM file_events;
---
apiVersion: v1
kind: query
spec:
  description: Retrieve the EC2 metadata for this endpoint
  name: ec2_instance_metadata
  query: SELECT * FROM ec2_instance_metadata;
---
apiVersion: v1
kind: query
spec:
  description: Retrieve the EC2 tags for this endpoint
  name: ec2_instance_tags
  query: SELECT * FROM ec2_instance_tags;
---
apiVersion: v1
kind: query
spec:
  description: Snapshot query to retrieve the EC2 tags for this instance
  name: ec2_instance_tags_snapshot
  query: SELECT * FROM ec2_instance_tags;
---
apiVersion: v1
kind: query
spec:
  description: Retrieves the current filters and chains per filter in the target system.
  name: iptables
  query: SELECT * FROM iptables;
---
apiVersion: v1
kind: query
spec:
  description: Display any SUID binaries that are owned by root
  name: suid_bin
  query: SELECT * FROM suid_bin;
---
apiVersion: v1
kind: query
spec:
  description: Display all installed DEB packages
  name: deb_packages
  query: SELECT * FROM deb_packages;
---
apiVersion: v1
kind: query
spec:
  description: Find shell processes that have open sockets
  name: behavioral_reverse_shell
  query: SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path,
    processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid,
    processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port,
    (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS
    parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER
    JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh'
    OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address
    NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%';
---
apiVersion: v1
kind: query
spec:
  description: Retrieves all the jobs scheduled in crontab in the target system.
  name: crontab
  query: SELECT * FROM crontab;
---
apiVersion: v1
kind: query
spec:
  description: Records the system resources used by each query
  name: per_query_perf
  query: SELECT name, interval, executions, output_size, wall_time, (user_time/executions)
    AS avg_user_time, (system_time/executions) AS avg_system_time, average_memory
    FROM osquery_schedule;
---
apiVersion: v1
kind: query
spec:
  description: Records avg rate of socket events since daemon started
  name: socket_rates
  query: SELECT COUNT(1) AS num, count(1)/s AS rate FROM socket_events, (SELECT (julianday('now')
    - 2440587.5)*86400.0 - start_time AS s FROM osquery_info LIMIT 1);
---
apiVersion: v1
kind: query
spec:
  description: Local system users.
  name: users
  query: SELECT * FROM users;
---
apiVersion: v1
kind: query
spec:
  description: Process events collected from the audit framework
  name: process_events
  query: SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time,
    uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk',
    '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq',
    '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline
    NOT LIKE '%secret%';
---
apiVersion: v1
kind: query
spec:
  description: Retrieves the list of the latest logins with PID, username and timestamp.
  name: last
  query: SELECT * FROM last;
---
apiVersion: v1
kind: query
spec:
  description: Any processes that run with an LD_PRELOAD environment variable
  name: ld_preload
  query: SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name,
    processes.path, processes.cmdline, processes.cwd FROM process_envs join processes
    USING (pid) WHERE key = 'LD_PRELOAD';
---
apiVersion: v1
kind: query
spec:
  description: Records avg rate of process events since daemon started
  name: process_rates
  query: SELECT COUNT(1) AS num, count(1)/s AS rate FROM process_events, (SELECT (julianday('now')
    - 2440587.5)*86400.0 - start_time AS s FROM osquery_info LIMIT 1);
---
apiVersion: v1
kind: query
spec:
  description: Information about the system hardware and name
  name: system_info
  query: SELECT * FROM system_info;
---
apiVersion: v1
kind: query
spec:
  description: Returns the private keys in the users ~/.ssh directory and whether
    or not they are encrypted
  name: user_ssh_keys
  query: SELECT * FROM users JOIN user_ssh_keys USING (uid);
---
apiVersion: v1
kind: query
spec:
  description: Local system users.
  name: users_snapshot
  query: SELECT * FROM users;
---
apiVersion: v1
kind: query
spec:
  description: DNS resolvers used by the host
  name: dns_resolvers
  query: SELECT * FROM dns_resolvers;
---
apiVersion: v1
kind: query
spec:
  description: Retrieves information from the current kernel in the target system.
  name: kernel_info
  query: SELECT * FROM kernel_info;
---
apiVersion: v1
kind: query
spec:
  description: Linux kernel modules both loaded and within the load search path.
  name: kernel_modules_snapshot
  query: SELECT * FROM kernel_modules;
---
apiVersion: v1
kind: query
spec:
  description: Generates an event if ld.so.preload is present - used by rootkits such
    as Jynx
  name: ld_so_preload_exists
  query: SELECT * FROM file WHERE path='/etc/ld.so.preload' AND path!='';
---
apiVersion: v1
kind: query
spec:
  description: Records system/user time, db size, and many other system metrics
  name: runtime_perf
  query: SELECT ov.version AS os_version, ov.platform AS os_platform, ov.codename
    AS os_codename, i.*, p.resident_size, p.user_time, p.system_time, time.minutes
    AS counter, db.db_size_mb AS database_size from osquery_info i, os_version ov,
    processes p, time, (SELECT (SUM(size) / 1024) / 1024.0 AS db_size_mb FROM (SELECT
    value FROM osquery_flags WHERE name = 'database_path' LIMIT 1) flags, file WHERE
    path LIKE flags.value || '%%' AND type = 'regular') db WHERE p.pid = i.pid;
---
apiVersion: v1
kind: query
spec:
  description: Retrieves all the entries in the target system /etc/hosts file.
  name: etc_hosts_snapshot
  query: SELECT * FROM etc_hosts;
---
apiVersion: v1
kind: query
spec:
  description: Snapshot query to retrieve the EC2 metadata for this endpoint
  name: ec2_instance_metadata_snapshot
  query: SELECT * FROM ec2_instance_metadata;
---
apiVersion: v1
kind: query
spec:
  name: hardware_events
  query: SELECT * FROM hardware_events;
---
apiVersion: v1
kind: query
spec:
  description: Information about memory usage on the system
  name: memory_info
  query: SELECT * FROM memory_info;
---
apiVersion: v1
kind: query
spec:
  description: Displays information from /proc/stat file about the time the CPU cores
    spent in different parts of the system
  name: cpu_time
  query: SELECT * FROM cpu_time;
---
apiVersion: v1
kind: query
spec:
  description: Retrieves all the entries in the target system /etc/hosts file.
  name: etc_hosts
  query: SELECT * FROM etc_hosts;
---
apiVersion: v1
kind: query
spec:
  description: Retrieves information from the Operating System where osquery is currently
    running.
  name: os_version
  query: SELECT * FROM os_version;
---
apiVersion: v1
kind: query
spec:
  description: A snapshot of all processes running on the host. Useful for outlier
    analysis.
  name: processes_snapshot
  query: select name, path, cmdline, cwd, on_disk from processes;
---
apiVersion: v1
kind: query
spec:
  description: Retrieves the current list of USB devices in the target system.
  name: usb_devices
  query: SELECT * FROM usb_devices;
---
apiVersion: v1
kind: query
spec:
  description: A line-delimited authorized_keys table.
  name: authorized_keys
  query: SELECT * FROM users JOIN authorized_keys USING (uid);