Skip to content

Instantly share code, notes, and snippets.

@vishnuvp
Last active October 14, 2020 15:07
Show Gist options
  • Save vishnuvp/71f2ffc32c2f7a8d071a079134ec17f4 to your computer and use it in GitHub Desktop.
Save vishnuvp/71f2ffc32c2f7a8d071a079134ec17f4 to your computer and use it in GitHub Desktop.
Sample osquery conf
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem,syslog",
"logger_path": "/var/log/osquery",
"logger_snapshot_event_type": "true",
"disable_logging": "false",
# "log_result_events": "true",
"logger_event_type": "true",
"schedule_splay_percent": "10",
"pidfile": "/var/osquery/osquery.pidfile",
"events_expiry": "3600",
"database_path": "/var/osquery/osquery.db",
"verbose": "false",
"worker_threads": "2",
# "enable_monitor": "true",
"disable_events": "false",
"disable_audit": "false",
"audit_allow_config": "true",
"audit_allow_sockets": "true",
"host_identifier": "hostname",
"schedule_default_interval": "3600",
"enable_syslog": "false"
},
"platform": "linux",
"schedule": {
"process_events":{
"query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';",
"interval": 10
},
"socket_events":{
"query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');",
"interval": 10
},
"file_events": {
"query": "SELECT * FROM file_events;",
"interval": 10,
"removed":false
},
"authorized_keys": {
"query": "SELECT * FROM users JOIN authorized_keys USING (uid);",
"interval" : 3600,
"description": "A line-delimited authorized_keys table."
},
"behavioral_reverse_shell": {
"query" : "SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%';",
"interval" : 600,
"description" : "Find shell processes that have open sockets"
},
"crontab": {
"query": "SELECT * FROM crontab;",
"interval" : 3600,
"description": "Retrieves all the jobs scheduled in crontab in the target system."
},
"deb_packages_snapshot": {
"query": "SELECT * FROM deb_packages;",
"interval": 3600,
"description": "Display all installed DEB packages",
"snapshot" : true,
"platform": "ubuntu"
},
"dns_resolvers_snapshot": {
"query": "SELECT * FROM dns_resolvers;",
"interval": 3600,
"description": "DNS resolvers used by the host",
"snapshot": true
},
"etc_hosts_snapshot": {
"query": "SELECT * FROM etc_hosts;",
"interval" : 3600,
"description": "Retrieves all the entries in the target system /etc/hosts file.",
"snapshot": true
},
"kernel_modules_snapshot": {
"query": "SELECT * FROM kernel_modules;",
"interval": 3600,
"description": "Linux kernel modules both loaded and within the load search path.",
"snapshot": true
},
"last": {
"query": "SELECT * FROM last;",
"interval" : 3600,
"description": "Retrieves the list of the latest logins with PID, username and timestamp."
},
"ld_preload": {
"query": "SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, processes.path, processes.cmdline, processes.cwd FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD';",
"interval" : 60,
"description": "Any processes that run with an LD_PRELOAD environment variable"
},
"ld_so_preload_exists": {
"query": "SELECT * FROM file WHERE path='/etc/ld.so.preload';",
"interval" : 3600,
"description": "Generates an event if ld.so.preload is present - used by rootkits such as Jynx",
"snapshot": true
},
"network_interfaces_snapshot": {
"query" : "SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface);",
"interval" : 600,
"version" : "1.4.5",
"description" : "Record the network interfaces and their associated IP and MAC addresses",
"snapshot" : true
},
"shell_history": {
"query": "SELECT * FROM users JOIN shell_history USING (uid);",
"interval": 3600,
"description": "Record shell history for all users on system (instead of just root)"
},
"suid_bin": {
"query": "SELECT * FROM suid_bin;",
"interval": 86400,
"description": "Display any SUID binaries that are owned by root"
},
"system_info_snapshot": {
"query": "SELECT * FROM system_info;",
"interval": 86400,
"description": "Information about the system hardware and name",
"snapshot": true
},
"users_snapshot": {
"query": "SELECT * FROM users;",
"interval" : 86400,
"description": "Local system users.",
"snapshot": true
},
"system_logins": {
"query": "SELECT * FROM last;",
"interval": 300
},
"listening_ports_snapshot": {
"query": "SELECT * FROM listening_ports;",
"interval": 300,
"snapshot": true
},
"python_packages": {
"query": "SELECT * FROM python_packages;",
"interval": 300
}
},
"decorators": {
"load": [
"SELECT uuid AS hostname FROM system_info;",
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;",
"SELECT address FROM interface_addresses WHERE interface = 'eth0';"
]
},
"file_paths": {
"configuration": [
"/etc/passwd",
"/etc/shadow",
"/etc/ld.so.conf",
"/etc/ld.so.conf.d/%%",
"/etc/pam.d/%%",
"/etc/resolv.conf",
"/etc/rc%/%%",
"/etc/my.cnf",
"/etc/hosts",
"/etc/hostname",
"/etc/fstab",
"/etc/crontab",
"/etc/cron%/%%",
"/etc/init/%%",
"/etc/rsyslog.conf",
"/etc/ssh",
"/etc/bash.bashrc",
"/etc/environment",
"/etc/fail2ban/%%",
"/etc/logrotate.d/%%",
"/etc/osquery/%%",
"/etc/systemd/%%",
"/etc/ufw/%%"
],
"binaries": [
"/usr/bin/%%",
"/usr/sbin/%%",
"/bin/%%",
"/sbin/%%",
"/usr/local/bin/%%",
"/usr/local/sbin/%%"
]
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment