vishnuvp/osquery.conf

## osquery.conf
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem,syslog",
    "logger_path": "/var/log/osquery",
    "logger_snapshot_event_type": "true",
    "disable_logging": "false",
#    "log_result_events": "true",
    "logger_event_type": "true",
    "schedule_splay_percent": "10",
    "pidfile": "/var/osquery/osquery.pidfile",
    "events_expiry": "3600",
    "database_path": "/var/osquery/osquery.db",
    "verbose": "false",
    "worker_threads": "2",
#    "enable_monitor": "true",
    "disable_events": "false",
    "disable_audit": "false",
    "audit_allow_config": "true",
    "audit_allow_sockets": "true",
    "host_identifier": "hostname",
    "schedule_default_interval": "3600",
    "enable_syslog": "false"
  },

  "platform": "linux",

  "schedule": {
    "process_events":{
      "query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';",
      "interval": 10
    },
    "socket_events":{
      "query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');",
      "interval": 10
    },
    "file_events": {
      "query": "SELECT * FROM file_events;",
      "interval": 10,
      "removed":false
    },
    "authorized_keys": {
      "query": "SELECT * FROM users JOIN authorized_keys USING (uid);",
      "interval" : 3600,
      "description": "A line-delimited authorized_keys table."
    },
    "behavioral_reverse_shell": {
      "query" : "SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%';",
      "interval" : 600,
      "description" : "Find shell processes that have open sockets"
    },
    "crontab": {
      "query": "SELECT * FROM crontab;",
      "interval" : 3600,
      "description": "Retrieves all the jobs scheduled in crontab in the target system."
    },
    "deb_packages_snapshot": {
      "query": "SELECT * FROM deb_packages;",
      "interval": 3600,
      "description": "Display all installed DEB packages",
      "snapshot" : true,
      "platform": "ubuntu"
    },
    "dns_resolvers_snapshot": {
      "query": "SELECT * FROM dns_resolvers;",
      "interval": 3600,
      "description": "DNS resolvers used by the host",
      "snapshot": true
    },
    "etc_hosts_snapshot": {
      "query": "SELECT * FROM etc_hosts;",
      "interval" : 3600,
      "description": "Retrieves all the entries in the target system /etc/hosts file.",
      "snapshot": true
    },
    "kernel_modules_snapshot": {
      "query": "SELECT * FROM kernel_modules;",
      "interval": 3600,
      "description": "Linux kernel modules both loaded and within the load search path.",
      "snapshot": true
    },
    "last": {
      "query": "SELECT * FROM last;",
      "interval" : 3600,
      "description": "Retrieves the list of the latest logins with PID, username and timestamp."
    },
    "ld_preload": {
      "query": "SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, processes.path, processes.cmdline, processes.cwd FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD';",
      "interval" : 60,
      "description": "Any processes that run with an LD_PRELOAD environment variable"
    },
    "ld_so_preload_exists": {
      "query": "SELECT * FROM file WHERE path='/etc/ld.so.preload';",
      "interval" : 3600,
      "description": "Generates an event if ld.so.preload is present - used by rootkits such as Jynx",
      "snapshot": true
    },
    "network_interfaces_snapshot": {
      "query" : "SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface);",
      "interval" : 600,
      "version" : "1.4.5",
      "description" : "Record the network interfaces and their associated IP and MAC addresses",
      "snapshot" : true
    },
    "shell_history": {
      "query": "SELECT * FROM users JOIN shell_history USING (uid);",
      "interval": 3600,
      "description": "Record shell history for all users on system (instead of just root)"
    },
    "suid_bin": {
      "query": "SELECT * FROM suid_bin;",
      "interval": 86400,
      "description": "Display any SUID binaries that are owned by root"
    },
    "system_info_snapshot": {
      "query": "SELECT * FROM system_info;",
      "interval": 86400,
      "description": "Information about the system hardware and name",
      "snapshot": true
    },
    "users_snapshot": {
      "query": "SELECT * FROM users;",
      "interval" : 86400,
      "description": "Local system users.",
      "snapshot": true
    },
    "system_logins": {
      "query": "SELECT * FROM last;",
      "interval": 300
    },
    "listening_ports_snapshot": {
      "query": "SELECT * FROM listening_ports;",
      "interval": 300,
      "snapshot": true
    },
    "python_packages": {
      "query": "SELECT * FROM python_packages;",
      "interval": 300
    }
  },
  "decorators": {
    "load": [
      "SELECT uuid AS hostname FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;",
      "SELECT address FROM interface_addresses WHERE interface = 'eth0';"

    ]
  },
  "file_paths": {
    "configuration": [
      "/etc/passwd",
      "/etc/shadow",
      "/etc/ld.so.conf",
      "/etc/ld.so.conf.d/%%",
      "/etc/pam.d/%%",
      "/etc/resolv.conf",
      "/etc/rc%/%%",
      "/etc/my.cnf",
      "/etc/hosts",
      "/etc/hostname",
      "/etc/fstab",
      "/etc/crontab",
      "/etc/cron%/%%",
      "/etc/init/%%",
      "/etc/rsyslog.conf",
      "/etc/ssh",
      "/etc/bash.bashrc",
      "/etc/environment",
      "/etc/fail2ban/%%",
      "/etc/logrotate.d/%%",
      "/etc/osquery/%%",
      "/etc/systemd/%%",
      "/etc/ufw/%%"
    ],
    "binaries": [
      "/usr/bin/%%",
      "/usr/sbin/%%",
      "/bin/%%",
      "/sbin/%%",
      "/usr/local/bin/%%",
      "/usr/local/sbin/%%"
    ]
  }
}
	{
	"options": {
	"config_plugin": "filesystem",
	"logger_plugin": "filesystem,syslog",
	"logger_path": "/var/log/osquery",
	"logger_snapshot_event_type": "true",
	"disable_logging": "false",
	# "log_result_events": "true",
	"logger_event_type": "true",
	"schedule_splay_percent": "10",
	"pidfile": "/var/osquery/osquery.pidfile",
	"events_expiry": "3600",
	"database_path": "/var/osquery/osquery.db",
	"verbose": "false",
	"worker_threads": "2",
	# "enable_monitor": "true",
	"disable_events": "false",
	"disable_audit": "false",
	"audit_allow_config": "true",
	"audit_allow_sockets": "true",
	"host_identifier": "hostname",
	"schedule_default_interval": "3600",
	"enable_syslog": "false"
	},

	"platform": "linux",

	"schedule": {
	"process_events":{
	"query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';",
	"interval": 10
	},
	"socket_events":{
	"query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');",
	"interval": 10
	},
	"file_events": {
	"query": "SELECT * FROM file_events;",
	"interval": 10,
	"removed":false
	},
	"authorized_keys": {
	"query": "SELECT * FROM users JOIN authorized_keys USING (uid);",
	"interval" : 3600,
	"description": "A line-delimited authorized_keys table."
	},
	"behavioral_reverse_shell": {
	"query" : "SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%';",
	"interval" : 600,
	"description" : "Find shell processes that have open sockets"
	},
	"crontab": {
	"query": "SELECT * FROM crontab;",
	"interval" : 3600,
	"description": "Retrieves all the jobs scheduled in crontab in the target system."
	},
	"deb_packages_snapshot": {
	"query": "SELECT * FROM deb_packages;",
	"interval": 3600,
	"description": "Display all installed DEB packages",
	"snapshot" : true,
	"platform": "ubuntu"
	},
	"dns_resolvers_snapshot": {
	"query": "SELECT * FROM dns_resolvers;",
	"interval": 3600,
	"description": "DNS resolvers used by the host",
	"snapshot": true
	},
	"etc_hosts_snapshot": {
	"query": "SELECT * FROM etc_hosts;",
	"interval" : 3600,
	"description": "Retrieves all the entries in the target system /etc/hosts file.",
	"snapshot": true
	},
	"kernel_modules_snapshot": {
	"query": "SELECT * FROM kernel_modules;",
	"interval": 3600,
	"description": "Linux kernel modules both loaded and within the load search path.",
	"snapshot": true
	},
	"last": {
	"query": "SELECT * FROM last;",
	"interval" : 3600,
	"description": "Retrieves the list of the latest logins with PID, username and timestamp."
	},
	"ld_preload": {
	"query": "SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, processes.path, processes.cmdline, processes.cwd FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD';",
	"interval" : 60,
	"description": "Any processes that run with an LD_PRELOAD environment variable"
	},
	"ld_so_preload_exists": {
	"query": "SELECT * FROM file WHERE path='/etc/ld.so.preload';",
	"interval" : 3600,
	"description": "Generates an event if ld.so.preload is present - used by rootkits such as Jynx",
	"snapshot": true
	},
	"network_interfaces_snapshot": {
	"query" : "SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface);",
	"interval" : 600,
	"version" : "1.4.5",
	"description" : "Record the network interfaces and their associated IP and MAC addresses",
	"snapshot" : true
	},
	"shell_history": {
	"query": "SELECT * FROM users JOIN shell_history USING (uid);",
	"interval": 3600,
	"description": "Record shell history for all users on system (instead of just root)"
	},
	"suid_bin": {
	"query": "SELECT * FROM suid_bin;",
	"interval": 86400,
	"description": "Display any SUID binaries that are owned by root"
	},
	"system_info_snapshot": {
	"query": "SELECT * FROM system_info;",
	"interval": 86400,
	"description": "Information about the system hardware and name",
	"snapshot": true
	},
	"users_snapshot": {
	"query": "SELECT * FROM users;",
	"interval" : 86400,
	"description": "Local system users.",
	"snapshot": true
	},
	"system_logins": {
	"query": "SELECT * FROM last;",
	"interval": 300
	},
	"listening_ports_snapshot": {
	"query": "SELECT * FROM listening_ports;",
	"interval": 300,
	"snapshot": true
	},
	"python_packages": {
	"query": "SELECT * FROM python_packages;",
	"interval": 300
	}
	},
	"decorators": {
	"load": [
	"SELECT uuid AS hostname FROM system_info;",
	"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;",
	"SELECT address FROM interface_addresses WHERE interface = 'eth0';"

	]
	},
	"file_paths": {
	"configuration": [
	"/etc/passwd",
	"/etc/shadow",
	"/etc/ld.so.conf",
	"/etc/ld.so.conf.d/%%",
	"/etc/pam.d/%%",
	"/etc/resolv.conf",
	"/etc/rc%/%%",
	"/etc/my.cnf",
	"/etc/hosts",
	"/etc/hostname",
	"/etc/fstab",
	"/etc/crontab",
	"/etc/cron%/%%",
	"/etc/init/%%",
	"/etc/rsyslog.conf",
	"/etc/ssh",
	"/etc/bash.bashrc",
	"/etc/environment",
	"/etc/fail2ban/%%",
	"/etc/logrotate.d/%%",
	"/etc/osquery/%%",
	"/etc/systemd/%%",
	"/etc/ufw/%%"
	],
	"binaries": [
	"/usr/bin/%%",
	"/usr/sbin/%%",
	"/bin/%%",
	"/sbin/%%",
	"/usr/local/bin/%%",
	"/usr/local/sbin/%%"
	]
	}
	}