Sample osquery conf
{ | |
"options": { | |
"config_plugin": "filesystem", | |
"logger_plugin": "filesystem,syslog", | |
"logger_path": "/var/log/osquery", | |
"logger_snapshot_event_type": "true", | |
"disable_logging": "false", | |
# "log_result_events": "true", | |
"logger_event_type": "true", | |
"schedule_splay_percent": "10", | |
"pidfile": "/var/osquery/osquery.pidfile", | |
"events_expiry": "3600", | |
"database_path": "/var/osquery/osquery.db", | |
"verbose": "false", | |
"worker_threads": "2", | |
# "enable_monitor": "true", | |
"disable_events": "false", | |
"disable_audit": "false", | |
"audit_allow_config": "true", | |
"audit_allow_sockets": "true", | |
"host_identifier": "hostname", | |
"schedule_default_interval": "3600", | |
"enable_syslog": "false" | |
}, | |
"platform": "linux", | |
"schedule": { | |
"process_events":{ | |
"query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';", | |
"interval": 10 | |
}, | |
"socket_events":{ | |
"query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');", | |
"interval": 10 | |
}, | |
"file_events": { | |
"query": "SELECT * FROM file_events;", | |
"interval": 10, | |
"removed":false | |
}, | |
"authorized_keys": { | |
"query": "SELECT * FROM users JOIN authorized_keys USING (uid);", | |
"interval" : 3600, | |
"description": "A line-delimited authorized_keys table." | |
}, | |
"behavioral_reverse_shell": { | |
"query" : "SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%';", | |
"interval" : 600, | |
"description" : "Find sh/bash processes that have open sockets to remote addresses outside 10.0.0.0/8 and 192.168.0.0/16" | |
}, | |
"crontab": { | |
"query": "SELECT * FROM crontab;", | |
"interval" : 3600, | |
"description": "Retrieves all jobs scheduled in crontab on the target system." | |
}, | |
"deb_packages_snapshot": { | |
"query": "SELECT * FROM deb_packages;", | |
"interval": 3600, | |
"description": "Display all installed DEB packages", | |
"snapshot" : true, | |
"platform": "ubuntu" | |
}, | |
"dns_resolvers_snapshot": { | |
"query": "SELECT * FROM dns_resolvers;", | |
"interval": 3600, | |
"description": "DNS resolvers used by the host", | |
"snapshot": true | |
}, | |
"etc_hosts_snapshot": { | |
"query": "SELECT * FROM etc_hosts;", | |
"interval" : 3600, | |
"description": "Retrieves all entries in the target system's /etc/hosts file." | |
"snapshot": true | |
}, | |
"kernel_modules_snapshot": { | |
"query": "SELECT * FROM kernel_modules;", | |
"interval": 3600, | |
"description": "Linux kernel modules both loaded and within the load search path.", | |
"snapshot": true | |
}, | |
"last": { | |
"query": "SELECT * FROM last;", | |
"interval" : 3600, | |
"description": "Retrieves the list of the latest logins with PID, username and timestamp." | |
}, | |
"ld_preload": { | |
"query": "SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, processes.path, processes.cmdline, processes.cwd FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD';", | |
"interval" : 60, | |
"description": "Any processes that run with an LD_PRELOAD environment variable" | |
}, | |
"ld_so_preload_exists": { | |
"query": "SELECT * FROM file WHERE path='/etc/ld.so.preload';", | |
"interval" : 3600, | |
"description": "Generates a snapshot event if /etc/ld.so.preload is present; this file is used by rootkits such as Jynx", | |
"snapshot": true | |
}, | |
"network_interfaces_snapshot": { | |
"query" : "SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface);", | |
"interval" : 600, | |
"version" : "1.4.5", | |
"description" : "Record the network interfaces and their associated IP and MAC addresses", | |
"snapshot" : true | |
}, | |
"shell_history": { | |
"query": "SELECT * FROM users JOIN shell_history USING (uid);", | |
"interval": 3600, | |
"description": "Record shell history for all users on system (instead of just root)" | |
}, | |
"suid_bin": { | |
"query": "SELECT * FROM suid_bin;", | |
"interval": 86400, | |
"description": "Display any SUID binaries that are owned by root" | |
}, | |
"system_info_snapshot": { | |
"query": "SELECT * FROM system_info;", | |
"interval": 86400, | |
"description": "Information about the system hardware and name", | |
"snapshot": true | |
}, | |
"users_snapshot": { | |
"query": "SELECT * FROM users;", | |
"interval" : 86400, | |
"description": "Local system users.", | |
"snapshot": true | |
}, | |
"system_logins": { | |
"query": "SELECT * FROM last;", | |
"interval": 300 | |
}, | |
"listening_ports_snapshot": { | |
"query": "SELECT * FROM listening_ports;", | |
"interval": 300, | |
"snapshot": true | |
}, | |
"python_packages": { | |
"query": "SELECT * FROM python_packages;", | |
"interval": 300 | |
} | |
}, | |
"decorators": { | |
"load": [ | |
"SELECT uuid AS hostname FROM system_info;", | |
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;", | |
"SELECT address FROM interface_addresses WHERE interface = 'eth0';" | |
] | |
}, | |
"file_paths": { | |
"configuration": [ | |
"/etc/passwd", | |
"/etc/shadow", | |
"/etc/ld.so.conf", | |
"/etc/ld.so.conf.d/%%", | |
"/etc/pam.d/%%", | |
"/etc/resolv.conf", | |
"/etc/rc%/%%", | |
"/etc/my.cnf", | |
"/etc/hosts", | |
"/etc/hostname", | |
"/etc/fstab", | |
"/etc/crontab", | |
"/etc/cron%/%%", | |
"/etc/init/%%", | |
"/etc/rsyslog.conf", | |
"/etc/ssh", | |
"/etc/bash.bashrc", | |
"/etc/environment", | |
"/etc/fail2ban/%%", | |
"/etc/logrotate.d/%%", | |
"/etc/osquery/%%", | |
"/etc/systemd/%%", | |
"/etc/ufw/%%" | |
], | |
"binaries": [ | |
"/usr/bin/%%", | |
"/usr/sbin/%%", | |
"/bin/%%", | |
"/sbin/%%", | |
"/usr/local/bin/%%", | |
"/usr/local/sbin/%%" | |
] | |
} | |
} |