{ "options": { "logger_snapshot_event_type": "true", "schedule_splay_percent": 10 }, "platform": "linux", "schedule": { "process_events":{ "query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';", "interval": 10, "description": "Process events collected from the audit framework" }, "socket_events":{ "query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');", "interval": 10, "description": "Socket events collected from the audit framework" }, "file_events": { "query": "SELECT * FROM file_events;", "interval": 10, "description": "File events collected from file integrity monitoring", "removed":false }, "apt_sources": { "query": "SELECT * FROM apt_sources;", "interval": 86400, "description": "Display apt package manager sources.", "snapshot": true, "platform": "ubuntu" }, "authorized_keys": { "query": "SELECT * FROM users CROSS JOIN authorized_keys USING (uid);", "interval": 86400, "description": "A line-delimited authorized_keys table." }, "behavioral_reverse_shell": { "query": "SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%';", "interval": 600, "description": "Find shell processes that have open sockets" }, "cpu_time": { "query": "SELECT * FROM cpu_time;", "interval": 3600, "description": "Displays information from /proc/stat file about the time the CPU cores spent in different parts of the system" }, "crontab": { "query": "SELECT * FROM crontab;", "interval": 3600, "description": "Retrieves all the jobs scheduled in crontab in the target system." }, "crontab_snapshot": { "query": "SELECT * FROM crontab;", "interval": 86400, "description": "Retrieves all the jobs scheduled in crontab in the target system.", "snapshot": true }, "deb_packages": { "query": "SELECT * FROM deb_packages;", "interval": 86400, "description": "Display all installed DEB packages", "snapshot": true, "platform": "ubuntu" }, "dns_resolvers": { "query": "SELECT * FROM dns_resolvers;", "interval": 3600, "description": "DNS resolvers used by the host" }, "ec2_instance_metadata": { "query": "SELECT * FROM ec2_instance_metadata;", "interval": 3600, "description": "Retrieve the EC2 metadata for this endpoint" }, "ec2_instance_metadata_snapshot": { "query": "SELECT * FROM ec2_instance_metadata;", "interval": 86400, "description": "Snapshot query to retrieve the EC2 metadata for this endpoint", "snapshot": true }, "ec2_instance_tags": { "query": "SELECT * FROM ec2_instance_tags;", "interval": 3600, "description": "Retrieve the EC2 tags for this endpoint" }, "ec2_instance_tags_snapshot": { "query": "SELECT * FROM ec2_instance_tags;", "interval": 86400, "description": "Snapshot query to retrieve the EC2 tags for this instance", "snapshot": true }, "etc_hosts": { "query": "SELECT * FROM etc_hosts;", "interval": 3600, "description": "Retrieves all the entries in the target system /etc/hosts file." }, "etc_hosts_snapshot": { "query": "SELECT * FROM etc_hosts;", "interval": 86400, "description": "Retrieves all the entries in the target system /etc/hosts file.", "snapshot": true }, "hardware_events": { "query": "SELECT * FROM hardware_events;", "interval": 10, "removed":false }, "iptables": { "query": "SELECT * FROM iptables;", "interval": 86400, "platform": "linux", "description": "Retrieves the current filters and chains per filter in the target system." }, "kernel_info": { "query": "SELECT * FROM kernel_info;", "interval": 86400, "description": "Retrieves information from the current kernel in the target system.", "snapshot": true }, "kernel_integrity": { "query": "SELECT * FROM kernel_integrity;", "interval": 86400, "description": "Various Linux kernel integrity checked attributes." }, "kernel_modules": { "query": "SELECT * FROM kernel_modules;", "interval": 3600, "description": "Linux kernel modules both loaded and within the load search path." }, "kernel_modules_snapshot": { "query": "SELECT * FROM kernel_modules;", "interval": 86400, "description": "Linux kernel modules both loaded and within the load search path.", "snapshot": true }, "last": { "query": "SELECT * FROM last;", "interval": 3600, "description": "Retrieves the list of the latest logins with PID, username and timestamp." }, "ld_preload": { "query": "SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, processes.path, processes.cmdline, processes.cwd FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD';", "interval": 60, "description": "Any processes that run with an LD_PRELOAD environment variable", "snapshot": true }, "ld_so_preload_exists": { "query": "SELECT * FROM file WHERE path='/etc/ld.so.preload' AND path!='';", "interval": 3600, "description": "Generates an event if ld.so.preload is present - used by rootkits such as Jynx", "snapshot": true }, "listening_ports": { "query": "SELECT pid, port, processes.path, cmdline, cwd FROM listening_ports JOIN processes USING (pid) WHERE port!=0;", "interval": 86400, "description": "Gather information about processes that are listening on a socket.", "snapshot": true }, "memory_info": { "query": "SELECT * FROM memory_info;", "interval": 3600, "description": "Information about memory usage on the system" }, "mounts": { "query": "SELECT device, device_alias, path, type, blocks_size, flags FROM mounts;", "interval": 86400, "description": "Retrieves the current list of mounted drives in the target system." }, "network_interfaces_snapshot": { "query": "SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface);", "interval": 600, "description": "Record the network interfaces and their associated IP and MAC addresses", "snapshot": true }, "os_version": { "query": "SELECT * FROM os_version;", "interval": 86400, "description": "Retrieves information from the Operating System where osquery is currently running.", "snapshot": true }, "osquery_info": { "query": "SELECT * FROM osquery_info;", "interval": 86400, "description": "Information about the running osquery configuration", "snapshot": true }, "processes_snapshot": { "query": "select name, path, cmdline, cwd, on_disk from processes;", "interval": 86400, "description": "A snapshot of all processes running on the host. Useful for outlier analysis.", "snapshot": true }, "rpm_packages": { "query": "SELECT name, version, release, arch FROM rpm_packages;", "interval": 86400, "description": "Display all installed RPM packages", "snapshot": true, "platform": "centos" }, "runtime_perf": { "query": "SELECT ov.version AS os_version, ov.platform AS os_platform, ov.codename AS os_codename, i.*, p.resident_size, p.user_time, p.system_time, time.minutes AS counter, db.db_size_mb AS database_size from osquery_info i, os_version ov, processes p, time, (SELECT (SUM(size) / 1024) / 1024.0 AS db_size_mb FROM (SELECT value FROM osquery_flags WHERE name = 'database_path' LIMIT 1) flags, file WHERE path LIKE flags.value || '%%' AND type = 'regular') db WHERE p.pid = i.pid;", "interval": 1800, "description": "Records system/user time, db size, and many other system metrics" }, "shell_history": { "query": "SELECT * FROM users CROSS JOIN shell_history USING (uid);", "interval": 3600, "description": "Record shell history for all users on system (instead of just root)" }, "suid_bin": { "query": "SELECT * FROM suid_bin;", "interval": 86400, "description": "Display any SUID binaries that are owned by root" }, "system_info": { "query": "SELECT * FROM system_info;", "interval": 86400, "description": "Information about the system hardware and name", "snapshot": true }, "usb_devices": { "query": "SELECT * FROM usb_devices;", "interval": 120, "description": "Retrieves the current list of USB devices in the target system." }, "user_ssh_keys": { "query": "SELECT * FROM users CROSS JOIN user_ssh_keys USING (uid);", "interval": 86400, "description": "Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted" }, "users": { "query": "SELECT * FROM users;", "interval": 86400, "description": "Local system users." }, "users_snapshot": { "query": "SELECT * FROM users;", "interval": 86400, "description": "Local system users.", "snapshot": true }, "yum_sources": { "query": "SELECT name, baseurl, enabled, gpgcheck FROM yum_sources;", "interval": 86400, "description": "Display yum package manager sources", "snapshot": true, "platform": "centos" } }, "file_paths": { "configuration": [ "/etc/passwd", "/etc/shadow", "/etc/ld.so.preload", "/etc/ld.so.conf", "/etc/ld.so.conf.d/%%", "/etc/pam.d/%%", "/etc/resolv.conf", "/etc/rc%/%%", "/etc/my.cnf", "/etc/modules", "/etc/hosts", "/etc/hostname", "/etc/fstab", "/etc/crontab", "/etc/cron%/%%", "/etc/init/%%", "/etc/rsyslog.conf" ], "binaries": [ "/usr/bin/%%", "/usr/sbin/%%", "/bin/%%", "/sbin/%%", "/usr/local/bin/%%", "/usr/local/sbin/%%" ] }, "events": { "disable_subscribers": ["user_events"] }, "packs": { "ossec-rootkit": "/etc/osquery/packs/ossec-rootkit.conf" } }