D00MFist/osquery.conf

## osquery.conf

{
  "options": {
    "logger_snapshot_event_type": "true",
    "schedule_splay_percent": 10
  },
  "platform": "darwin",
  "schedule": {
    "authorized_keys": {
      "query": "SELECT * FROM users CROSS JOIN authorized_keys USING (uid);",
      "interval": 60,
      "description": "List authorized_keys for each user on the system"
    },
    "boot_efi_hash": {
      "query": "SELECT path, md5 FROM hash WHERE path='/System/Library/CoreServices/boot.efi';",
      "interval": 60,
      "description": "MD5 hash of boot.efi"
    },
    "browser_plugins": {
      "query": "SELECT * FROM users CROSS JOIN browser_plugins USING (uid);",
      "interval": 60,
      "description": "All C/NPAPI browser plugin details for all users."
    },
    "chrome_extensions": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);",
      "interval": 60,
      "description": "List installed Chrome Extensions for all users"
    },
    "chrome_extensions_snapshot": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);",
      "interval": 60,
      "description": "Snapshot query for Chrome extensions"
    },
    "crashes": {
      "query": "SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path FROM users JOIN crashes USING (uid);",
      "interval": 60,
      "description": "Application, System, and Mobile App crash logs.",
      "removed": false
    },
    "crontab": {
      "query": "SELECT * FROM crontab;",
      "interval": 60,
      "description": "Line parsed values from system and user cron/tab."
    },
    "disk_encryption_snapshot": {
      "query": "SELECT * FROM disk_encryption;",
      "interval": 60,
      "description": "Disk encryption status and information.",
      "snapshot": true
    },
    "disk_free_space_pct": {
      "query": "SELECT (blocks_available * 100 / blocks) AS pct FROM mounts WHERE device='/dev/disk1s1';",
      "interval": 60,
      "description": "Displays the percentage of free space available on the primary disk partition",
      "snapshot": true
    },
    "efigy": {
      "query": "SELECT * FROM efigy;",
      "interval": 60,
      "description": "Determine if the host is running the expected EFI firmware version given their Mac hardware and OS build version (https://github.com/duo-labs/EFIgy)",
      "snapshot": true
    },
    "emond": {
      "query": "SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%' AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6' AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5' AND sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND sha256!='') OR (path LIKE '/private/var/db/emondClients/%');",
      "interval": 60,
      "description": "Query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)"
    },
    "emond_snapshot": {
      "query": "SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%' AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6' AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5' AND sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND sha256!='') OR (path LIKE '/private/var/db/emondClients/%');",
      "interval": 60,
      "description": "Snapshot query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)",
      "snapshot": true
    },
    "etc_hosts": {
      "query": "SELECT * FROM etc_hosts;",
      "interval": 60,
      "description": "List the contents of /etc/hosts"
    },
    "event_taps": {
      "query": "SELECT * FROM event_taps INNER JOIN processes ON event_taps.tapping_process = processes.pid WHERE event_tapped NOT LIKE '%mouse%' AND processes.path NOT IN ('/usr/libexec/airportd', '/usr/sbin/universalaccessd') AND processes.path NOT LIKE '/System/Library/%' AND processes.path NOT LIKE '%/steamapps/%' AND processes.path NOT LIKE '%.app%' AND event_taps.enabled=1;",
      "interval": 60,
      "description": "Returns information about installed event taps. Can be used to detect keyloggers"
    },
    "file_events": {
      "query": "SELECT * FROM file_events;",
      "interval": 60,
      "removed": false,
      "description": "Track time/action changes to files specified in configuration data."
    },
    "firefox_addons": {
      "query": "SELECT * FROM users CROSS JOIN firefox_addons USING (uid);",
      "interval": 60,
      "description": "List installed Firefox addons for all users"
    },
    "hardware_events": {
      "query": "SELECT * FROM hardware_events;",
      "interval": 60,
      "description": "Hardware (PCI/USB/HID) events from UDEV or IOKit.",
      "removed": false
    },
    "homebrew_packages": {
      "query": "SELECT * FROM homebrew_packages;",
      "interval": 60,
      "description": "The installed homebrew package database."
    },
    "homebrew_packages_snapshot": {
      "query": "SELECT name, version FROM homebrew_packages;",
      "interval": 60,
      "description": "The installed homebrew package database.",
      "snapshot": true
    },
    "installed_applications": {
      "query": "SELECT * FROM apps;",
      "interval": 60,
      "description": "OS X applications installed in known search paths (e.g., /Applications)."
    },
    "installed_applications_snapshot": {
      "query": "SELECT name, path, bundle_short_version, bundle_version, display_name FROM apps;",
      "interval": 60,
      "description": "Snapshot query for installed_applications",
      "snapshot": true
    },
    "ip_forwarding_enabled": {
      "query": "SELECT * FROM system_controls WHERE name LIKE '%forwarding%' AND name LIKE '%ip%' AND current_value=1;",
      "interval": 60,
      "description": "Discover hosts that have IP forwarding enabled",
      "removed": false
    },
    "last": {
      "query": "SELECT * FROM last;",
      "interval": 60,
      "description": "System logins and logouts.",
      "removed": false
    },
    "launchd": {
      "query": "SELECT * FROM launchd;",
      "interval": 60,
      "description": "LaunchAgents and LaunchDaemons from default search paths."
    },
    "launchd_snapshot": {
      "query": "SELECT path, name, label, program, run_at_load, program_arguments FROM launchd WHERE run_at_load=1;",
      "interval": 60,
      "description": "Snapshot query for launchd",
      "snapshot": true
    },
    "ld_preload": {
      "query": "SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, processes.path, processes.cmdline, processes.cwd FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD';",
      "interval": 60,
      "description": "Detect the presence of the LD_PRELOAD environment variable",
      "removed": false
    },
    "macosx_kextstat": {
      "query": "SELECT kernel_extensions.idx, kernel_extensions.refs, kernel_extensions.size, kernel_extensions.name, kernel_extensions.version, kernel_extensions.linked_against, kernel_extensions.path, signature.signed, signature.identifier, signature.cdhash, signature.team_identifier, signature.authority, hash.md5 FROM hash JOIN kernel_extensions ON hash.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature ON signature.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE signature.authority!='Software Signing';",
      "interval": 60,
      "description": "List kernel extensions, their signing status, and their hashes (excluding extensions signed by Apple)"
    },
    "macosx_kextstat_snapshot": {
      "query": "SELECT kernel_extensions.name, kernel_extensions.version, kernel_extensions.path, signature.signed, signature.identifier, signature.cdhash, signature.team_identifier, signature.authority, hash.md5 FROM hash JOIN kernel_extensions ON hash.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature ON signature.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE signature.authority!='Software Signing';",
      "interval": 60,
      "description": "Snapshot query for macosx_kextstat",
      "snapshot": true
    },
    "mounts": {
      "query": "SELECT device, device_alias, path, type, blocks_size FROM mounts;",
      "interval": 60,
      "description": "System mounted devices and filesystems (not process specific).",
      "removed": false
    },
    "network_interfaces_snapshot": {
      "query": "SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface);",
      "interval": 60,
      "description": "Retrieve the interface name, IP address, and MAC address for all interfaces on the host.",
      "snapshot": true
    },
    "nfs_shares": {
      "query": "SELECT * FROM nfs_shares;",
      "interval": 60,
      "description": "NFS shares exported by the host.",
      "removed": false
    },
    "nvram": {
      "query": "SELECT * FROM nvram;",
      "interval": 60,
      "description": "Apple NVRAM variable listing.",
      "removed": false
    },
    "os_version": {
      "query": "SELECT * FROM os_version;",
      "interval": 60,
      "description": "List the version of the resident operating system"
    },
    "os_version_snapshot": {
      "query": "SELECT * FROM os_version;",
      "interval": 60,
      "description": "Operating system version snapshot query",
      "snapshot": true
    },
    "osquery_info": {
      "query": "SELECT * FROM osquery_info;",
      "interval": 60,
      "description": "Information about the resident osquery process",
      "snapshot": true
    },
    "platform_info": {
      "query": "SELECT * FROM platform_info;",
      "interval": 60,
      "description": "Information about EFI/UEFI/ROM and platform/boot.",
      "removed": false
    },
    "platform_info_snapshot": {
      "query": "SELECT vendor, version, date, revision from platform_info;",
      "interval": 60,
      "description": "Platform info snapshot query"
    },
    "proc_events": {
      "query": "SELECT * from process_events;",
      "interval": 10,
      "description": "Process details"
    },
    "python_packages": {
      "query": "SELECT * FROM python_packages;",
      "interval": 60,
      "description": "Python packages installed in a system."
    },
    "rc.common": {
      "query": "SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9' and md5!='';",
      "interval": 60,
      "description": "Checks the MD5 hash of /etc/rc.common and records the results if the hash differs from the default value. /etc/rc.common can be used for persistence."
    },
    "rc.common_snapshot": {
      "query": "SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9' and md5!='';",
      "interval": 60,
      "description": "Checks the MD5 hash of /etc/rc.common and records the results if the hash differs from the default value. /etc/rc.common can be used for persistence.",
      "snapshot": true
    },
    "safari_extensions": {
      "query": "SELECT * FROM users CROSS JOIN safari_extensions USING (uid);",
      "interval": 60,
      "description": "Safari browser extension details for all users."
    },
    "sip_config": {
      "query": "SELECT * FROM sip_config;",
      "interval": 60,
      "description": "Apple's System Integrity Protection (rootless) status."
    },
    "startup_items": {
      "query": "SELECT * FROM startup_items;",
      "interval": 60,
      "description": "Applications and binaries set as user/login startup items."
    },
    "suid_bin": {
      "query": "SELECT * FROM suid_bin;",
      "interval": 60,
      "description": "suid binaries in common locations.",
      "removed": false
    },
    "uptime": {
      "query": "SELECT * FROM uptime;",
      "interval": 60,
      "description": "System uptime",
      "snapshot": true
    },
    "usb_devices": {
      "query": "SELECT * FROM usb_devices;",
      "interval": 60,
      "description": "USB devices that are actively plugged into the host system."
    },
    "user_ssh_keys": {
      "query": "SELECT * FROM users JOIN user_ssh_keys USING (uid);",
      "interval": 60,
      "description": "Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted.",
      "removed": false
    },
    "users": {
      "query": "SELECT * FROM users;",
      "interval": 60,
      "description": "Local system users."
    },
    "users_snapshot": {
      "query": "SELECT * FROM users;",
      "interval": 60,
      "description": "Local system users."
    },
    "wifi_status_snapshot": {
      "query": "SELECT * FROM wifi_status;",
      "interval": 60,
      "description": "Shows information about the wifi network that a host is currently connected to.",
      "snapshot": true
    },
    "wireless_networks": {
      "query": "SELECT ssid, network_name, security_type, last_connected, captive_portal, possibly_hidden, roaming, roaming_profile FROM wifi_networks;",
      "interval": 60,
      "description": "OS X known/remembered Wi-Fi networks list.",
      "removed": false
    }
  },
  "packs": {
    "osx-attacks": "/var/osquery/packs/osx-attacks.conf",
    "performance-metrics": "/var/osquery/packs/performance-metrics.conf",
    "security-tooling-checks": "/var/osquery/packs/security-tooling-checks.conf",
    "unwanted-chrome-extensions": "/var/osquery/packs/unwanted-chrome-extensions.conf"
  },
  "file_paths": {
    "configuration": [
      "/etc/%%"
    ],
    "binaries": [
      "/usr/bin/%%",
      "/usr/sbin/%%",
      "/bin/%%",
      "/sbin/%%",
      "/usr/local/bin/%%",
      "/usr/local/sbin/%%",
      "/opt/bin/%%",
      "/opt/sbin/%%"
    ],
    "efi": [
      "/System/Library/CoreServices/boot.efi"
    ]
  }
}

	{
	"options": {
	"logger_snapshot_event_type": "true",
	"schedule_splay_percent": 10
	},
	"platform": "darwin",
	"schedule": {
	"authorized_keys": {
	"query": "SELECT * FROM users CROSS JOIN authorized_keys USING (uid);",
	"interval": 60,
	"description": "List authorized_keys for each user on the system"
	},
	"boot_efi_hash": {
	"query": "SELECT path, md5 FROM hash WHERE path='/System/Library/CoreServices/boot.efi';",
	"interval": 60,
	"description": "MD5 hash of boot.efi"
	},
	"browser_plugins": {
	"query": "SELECT * FROM users CROSS JOIN browser_plugins USING (uid);",
	"interval": 60,
	"description": "All C/NPAPI browser plugin details for all users."
	},
	"chrome_extensions": {
	"query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);",
	"interval": 60,
	"description": "List installed Chrome Extensions for all users"
	},
	"chrome_extensions_snapshot": {
	"query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);",
	"interval": 60,
	"description": "Snapshot query for Chrome extensions"
	},
	"crashes": {
	"query": "SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path FROM users JOIN crashes USING (uid);",
	"interval": 60,
	"description": "Application, System, and Mobile App crash logs.",
	"removed": false
	},
	"crontab": {
	"query": "SELECT * FROM crontab;",
	"interval": 60,
	"description": "Line parsed values from system and user cron/tab."
	},
	"disk_encryption_snapshot": {
	"query": "SELECT * FROM disk_encryption;",
	"interval": 60,
	"description": "Disk encryption status and information.",
	"snapshot": true
	},
	"disk_free_space_pct": {
	"query": "SELECT (blocks_available * 100 / blocks) AS pct FROM mounts WHERE device='/dev/disk1s1';",
	"interval": 60,
	"description": "Displays the percentage of free space available on the primary disk partition",
	"snapshot": true
	},
	"efigy": {
	"query": "SELECT * FROM efigy;",
	"interval": 60,
	"description": "Determine if the host is running the expected EFI firmware version given their Mac hardware and OS build version (https://github.com/duo-labs/EFIgy)",
	"snapshot": true
	},
	"emond": {
	"query": "SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%' AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6' AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5' AND sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND sha256!='') OR (path LIKE '/private/var/db/emondClients/%');",
	"interval": 60,
	"description": "Query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)"
	},
	"emond_snapshot": {
	"query": "SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%' AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6' AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5' AND sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND sha256!='') OR (path LIKE '/private/var/db/emondClients/%');",
	"interval": 60,
	"description": "Snapshot query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)",
	"snapshot": true
	},
	"etc_hosts": {
	"query": "SELECT * FROM etc_hosts;",
	"interval": 60,
	"description": "List the contents of /etc/hosts"
	},
	"event_taps": {
	"query": "SELECT * FROM event_taps INNER JOIN processes ON event_taps.tapping_process = processes.pid WHERE event_tapped NOT LIKE '%mouse%' AND processes.path NOT IN ('/usr/libexec/airportd', '/usr/sbin/universalaccessd') AND processes.path NOT LIKE '/System/Library/%' AND processes.path NOT LIKE '%/steamapps/%' AND processes.path NOT LIKE '%.app%' AND event_taps.enabled=1;",
	"interval": 60,
	"description": "Returns information about installed event taps. Can be used to detect keyloggers"
	},
	"file_events": {
	"query": "SELECT * FROM file_events;",
	"interval": 60,
	"removed": false,
	"description": "Track time/action changes to files specified in configuration data."
	},
	"firefox_addons": {
	"query": "SELECT * FROM users CROSS JOIN firefox_addons USING (uid);",
	"interval": 60,
	"description": "List installed Firefox addons for all users"
	},
	"hardware_events": {
	"query": "SELECT * FROM hardware_events;",
	"interval": 60,
	"description": "Hardware (PCI/USB/HID) events from UDEV or IOKit.",
	"removed": false
	},
	"homebrew_packages": {
	"query": "SELECT * FROM homebrew_packages;",
	"interval": 60,
	"description": "The installed homebrew package database."
	},
	"homebrew_packages_snapshot": {
	"query": "SELECT name, version FROM homebrew_packages;",
	"interval": 60,
	"description": "The installed homebrew package database.",
	"snapshot": true
	},
	"installed_applications": {
	"query": "SELECT * FROM apps;",
	"interval": 60,
	"description": "OS X applications installed in known search paths (e.g., /Applications)."
	},
	"installed_applications_snapshot": {
	"query": "SELECT name, path, bundle_short_version, bundle_version, display_name FROM apps;",
	"interval": 60,
	"description": "Snapshot query for installed_applications",
	"snapshot": true
	},
	"ip_forwarding_enabled": {
	"query": "SELECT * FROM system_controls WHERE name LIKE '%forwarding%' AND name LIKE '%ip%' AND current_value=1;",
	"interval": 60,
	"description": "Discover hosts that have IP forwarding enabled",
	"removed": false
	},
	"last": {
	"query": "SELECT * FROM last;",
	"interval": 60,
	"description": "System logins and logouts.",
	"removed": false
	},
	"launchd": {
	"query": "SELECT * FROM launchd;",
	"interval": 60,
	"description": "LaunchAgents and LaunchDaemons from default search paths."
	},
	"launchd_snapshot": {
	"query": "SELECT path, name, label, program, run_at_load, program_arguments FROM launchd WHERE run_at_load=1;",
	"interval": 60,
	"description": "Snapshot query for launchd",
	"snapshot": true
	},
	"ld_preload": {
	"query": "SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, processes.path, processes.cmdline, processes.cwd FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD';",
	"interval": 60,
	"description": "Detect the presence of the LD_PRELOAD environment variable",
	"removed": false
	},
	"macosx_kextstat": {
	"query": "SELECT kernel_extensions.idx, kernel_extensions.refs, kernel_extensions.size, kernel_extensions.name, kernel_extensions.version, kernel_extensions.linked_against, kernel_extensions.path, signature.signed, signature.identifier, signature.cdhash, signature.team_identifier, signature.authority, hash.md5 FROM hash JOIN kernel_extensions ON hash.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature ON signature.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE signature.authority!='Software Signing';",
	"interval": 60,
	"description": "List kernel extensions, their signing status, and their hashes (excluding extensions signed by Apple)"
	},
	"macosx_kextstat_snapshot": {
	"query": "SELECT kernel_extensions.name, kernel_extensions.version, kernel_extensions.path, signature.signed, signature.identifier, signature.cdhash, signature.team_identifier, signature.authority, hash.md5 FROM hash JOIN kernel_extensions ON hash.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature ON signature.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE signature.authority!='Software Signing';",
	"interval": 60,
	"description": "Snapshot query for macosx_kextstat",
	"snapshot": true
	},
	"mounts": {
	"query": "SELECT device, device_alias, path, type, blocks_size FROM mounts;",
	"interval": 60,
	"description": "System mounted devices and filesystems (not process specific).",
	"removed": false
	},
	"network_interfaces_snapshot": {
	"query": "SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface);",
	"interval": 60,
	"description": "Retrieve the interface name, IP address, and MAC address for all interfaces on the host.",
	"snapshot": true
	},
	"nfs_shares": {
	"query": "SELECT * FROM nfs_shares;",
	"interval": 60,
	"description": "NFS shares exported by the host.",
	"removed": false
	},
	"nvram": {
	"query": "SELECT * FROM nvram;",
	"interval": 60,
	"description": "Apple NVRAM variable listing.",
	"removed": false
	},
	"os_version": {
	"query": "SELECT * FROM os_version;",
	"interval": 60,
	"description": "List the version of the resident operating system"
	},
	"os_version_snapshot": {
	"query": "SELECT * FROM os_version;",
	"interval": 60,
	"description": "Operating system version snapshot query",
	"snapshot": true
	},
	"osquery_info": {
	"query": "SELECT * FROM osquery_info;",
	"interval": 60,
	"description": "Information about the resident osquery process",
	"snapshot": true
	},
	"platform_info": {
	"query": "SELECT * FROM platform_info;",
	"interval": 60,
	"description": "Information about EFI/UEFI/ROM and platform/boot.",
	"removed": false
	},
	"platform_info_snapshot": {
	"query": "SELECT vendor, version, date, revision from platform_info;",
	"interval": 60,
	"description": "Platform info snapshot query"
	},
	"proc_events": {
	"query": "SELECT * from process_events;",
	"interval": 10,
	"description": "Process details"
	},
	"python_packages": {
	"query": "SELECT * FROM python_packages;",
	"interval": 60,
	"description": "Python packages installed in a system."
	},
	"rc.common": {
	"query": "SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9' and md5!='';",
	"interval": 60,
	"description": "Checks the MD5 hash of /etc/rc.common and records the results if the hash differs from the default value. /etc/rc.common can be used for persistence."
	},
	"rc.common_snapshot": {
	"query": "SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9' and md5!='';",
	"interval": 60,
	"description": "Checks the MD5 hash of /etc/rc.common and records the results if the hash differs from the default value. /etc/rc.common can be used for persistence.",
	"snapshot": true
	},
	"safari_extensions": {
	"query": "SELECT * FROM users CROSS JOIN safari_extensions USING (uid);",
	"interval": 60,
	"description": "Safari browser extension details for all users."
	},
	"sip_config": {
	"query": "SELECT * FROM sip_config;",
	"interval": 60,
	"description": "Apple's System Integrity Protection (rootless) status."
	},
	"startup_items": {
	"query": "SELECT * FROM startup_items;",
	"interval": 60,
	"description": "Applications and binaries set as user/login startup items."
	},
	"suid_bin": {
	"query": "SELECT * FROM suid_bin;",
	"interval": 60,
	"description": "suid binaries in common locations.",
	"removed": false
	},
	"uptime": {
	"query": "SELECT * FROM uptime;",
	"interval": 60,
	"description": "System uptime",
	"snapshot": true
	},
	"usb_devices": {
	"query": "SELECT * FROM usb_devices;",
	"interval": 60,
	"description": "USB devices that are actively plugged into the host system."
	},
	"user_ssh_keys": {
	"query": "SELECT * FROM users JOIN user_ssh_keys USING (uid);",
	"interval": 60,
	"description": "Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted.",
	"removed": false
	},
	"users": {
	"query": "SELECT * FROM users;",
	"interval": 60,
	"description": "Local system users."
	},
	"users_snapshot": {
	"query": "SELECT * FROM users;",
	"interval": 60,
	"description": "Local system users."
	},
	"wifi_status_snapshot": {
	"query": "SELECT * FROM wifi_status;",
	"interval": 60,
	"description": "Shows information about the wifi network that a host is currently connected to.",
	"snapshot": true
	},
	"wireless_networks": {
	"query": "SELECT ssid, network_name, security_type, last_connected, captive_portal, possibly_hidden, roaming, roaming_profile FROM wifi_networks;",
	"interval": 60,
	"description": "OS X known/remembered Wi-Fi networks list.",
	"removed": false
	}
	},
	"packs": {
	"osx-attacks": "/var/osquery/packs/osx-attacks.conf",
	"performance-metrics": "/var/osquery/packs/performance-metrics.conf",
	"security-tooling-checks": "/var/osquery/packs/security-tooling-checks.conf",
	"unwanted-chrome-extensions": "/var/osquery/packs/unwanted-chrome-extensions.conf"
	},
	"file_paths": {
	"configuration": [
	"/etc/%%"
	],
	"binaries": [
	"/usr/bin/%%",
	"/usr/sbin/%%",
	"/bin/%%",
	"/sbin/%%",
	"/usr/local/bin/%%",
	"/usr/local/sbin/%%",
	"/opt/bin/%%",
	"/opt/sbin/%%"
	],
	"efi": [
	"/System/Library/CoreServices/boot.efi"
	]
	}
	}