Docs: Update host vital queries in queries.yml (#33228)
Changes: - Updated host vital queries in queries.yml to include changes from 134c74a94b, e9f595a2e2, 50151f6dee, 11097befb4, 4994571c22, 39dc7a3772, and 4dfe95304b.
This commit is contained in:
parent
799ecca7bb
commit
26e552f2c0
1 changed files with 100 additions and 18 deletions
118
docs/queries.yml
118
docs/queries.yml
|
|
@ -202,15 +202,27 @@ spec:
|
|||
platform: darwin
|
||||
description: Retrieves certificates from an Apple device.
|
||||
query: |
|
||||
SELECT
|
||||
ca, common_name, subject, issuer,
|
||||
key_algorithm, key_strength, key_usage, signing_algorithm,
|
||||
not_valid_after, not_valid_before,
|
||||
serial, sha1, "system" as source,
|
||||
path
|
||||
FROM
|
||||
certificates
|
||||
WHERE
|
||||
path = '/Library/Keychains/System.keychain'
|
||||
UNION
|
||||
SELECT
|
||||
ca, common_name, subject, issuer,
|
||||
key_algorithm, key_strength, key_usage, signing_algorithm,
|
||||
not_valid_after, not_valid_before,
|
||||
serial, sha1
|
||||
FROM
|
||||
certificates
|
||||
WHERE
|
||||
path = '/Library/Keychains/System.keychain';
|
||||
ca, common_name, subject, issuer,
|
||||
key_algorithm, key_strength, key_usage, signing_algorithm,
|
||||
not_valid_after, not_valid_before,
|
||||
serial, sha1, "user" as source,
|
||||
path
|
||||
FROM
|
||||
certificates
|
||||
WHERE
|
||||
path LIKE '/Users/%/Library/Keychains/login.keychain-db';
|
||||
purpose: Informational
|
||||
tags: built-in
|
||||
# --- # Note: this vital is commented out because it requires the kubequery osquery extension.
|
||||
|
|
@ -246,10 +258,21 @@ spec:
|
|||
platform: darwin
|
||||
description: Retrieves information about mobile device management (MDM) configuration profiles installed on a macOS device.
|
||||
query: |
|
||||
SELECT
|
||||
display_name, identifier, install_date
|
||||
FROM macos_profiles
|
||||
WHERE type = "Configuration"
|
||||
SELECT 1
|
||||
WHERE EXISTS (
|
||||
SELECT 1
|
||||
FROM osquery_registry
|
||||
WHERE active = true
|
||||
AND registry = 'table'
|
||||
AND name = 'macos_profiles'
|
||||
)
|
||||
AND NOT EXISTS (
|
||||
SELECT 1
|
||||
FROM osquery_registry
|
||||
WHERE active = true
|
||||
AND registry = 'table'
|
||||
AND name = 'macos_user_profiles'
|
||||
);
|
||||
discovery: macos_profiles
|
||||
purpose: Informational
|
||||
tags: built-in
|
||||
|
|
@ -813,7 +836,7 @@ spec:
|
|||
description: Gathers information about software installed on a device running macOS.
|
||||
query: |
|
||||
WITH cached_users AS (WITH cached_groups AS (select * from groups)
|
||||
SELECT uid, username, type, groupname, shell
|
||||
SELECT uid, uuid, username, type, groupname, shell
|
||||
FROM users LEFT JOIN cached_groups USING (gid)
|
||||
WHERE type <> 'special' AND shell NOT LIKE '%/false' AND shell NOT LIKE '%/nologin' AND shell NOT LIKE '%/shutdown' AND shell NOT LIKE '%/halt' AND username NOT LIKE '%$' AND username NOT LIKE '\_%' ESCAPE '\' AND NOT (username = 'sync' AND shell ='/bin/sync' AND directory <> ''))
|
||||
SELECT
|
||||
|
|
@ -902,7 +925,7 @@ spec:
|
|||
description: Gathers information about software installed on a device running linux.
|
||||
query: |
|
||||
WITH cached_users AS (WITH cached_groups AS (select * from groups)
|
||||
SELECT uid, username, type, groupname, shell
|
||||
SELECT uid, uuid, username, type, groupname, shell
|
||||
FROM users LEFT JOIN cached_groups USING (gid)
|
||||
WHERE type <> 'special' AND shell NOT LIKE '%/false' AND shell NOT LIKE '%/nologin' AND shell NOT LIKE '%/shutdown' AND shell NOT LIKE '%/halt' AND username NOT LIKE '%$' AND username NOT LIKE '\_%' ESCAPE '\' AND NOT (username = 'sync' AND shell ='/bin/sync' AND directory <> ''))
|
||||
SELECT
|
||||
|
|
@ -1060,7 +1083,7 @@ spec:
|
|||
description: Retrieves python packages installed on a host. As of osquery version 5.16.0, the python_packages table searches user directories with support from a cross join on users. See <a href="https://fleetdm.com/guides/osquery-consider-joining-against-the-users-table">this guide</a> for more information.
|
||||
query: |
|
||||
WITH cached_users AS (WITH cached_groups AS (select * from groups)
|
||||
SELECT uid, username, type, groupname, shell
|
||||
SELECT uid, uuid, username, type, groupname, shell
|
||||
FROM users LEFT JOIN cached_groups USING (gid)
|
||||
WHERE type <> 'special' AND shell NOT LIKE '%/false' AND shell NOT LIKE '%/nologin' AND shell NOT LIKE '%/shutdown' AND shell NOT LIKE '%/halt' AND username NOT LIKE '%$' AND username NOT LIKE '\_%' ESCAPE '\' AND NOT (username = 'sync' AND shell ='/bin/sync' AND directory <> ''))
|
||||
SELECT
|
||||
|
|
@ -1084,7 +1107,7 @@ spec:
|
|||
description: Gathers information about Visual Studio Code extensions installed on a device.
|
||||
query: |
|
||||
WITH cached_users AS (WITH cached_groups AS (select * from groups)
|
||||
SELECT uid, username, type, groupname, shell
|
||||
SELECT uid, uuid, username, type, groupname, shell
|
||||
FROM users LEFT JOIN cached_groups USING (gid)
|
||||
WHERE type <> 'special' AND shell NOT LIKE '%/false' AND shell NOT LIKE '%/nologin' AND shell NOT LIKE '%/shutdown' AND shell NOT LIKE '%/halt' AND username NOT LIKE '%$' AND username NOT LIKE '\_%' ESCAPE '\' AND NOT (username = 'sync' AND shell ='/bin/sync' AND directory <> ''))
|
||||
SELECT
|
||||
|
|
@ -1211,7 +1234,7 @@ spec:
|
|||
description: Gathers information about software installed on a device running Windows.
|
||||
query: |
|
||||
WITH cached_users AS (WITH cached_groups AS (select * from groups)
|
||||
SELECT uid, username, type, groupname, shell
|
||||
SELECT uid, uuid, username, type, groupname, shell
|
||||
FROM users LEFT JOIN cached_groups USING (gid)
|
||||
WHERE type <> 'special' AND shell NOT LIKE '%/false' AND shell NOT LIKE '%/nologin' AND shell NOT LIKE '%/shutdown' AND shell NOT LIKE '%/halt' AND username NOT LIKE '%$' AND username NOT LIKE '\_%' ESCAPE '\' AND NOT (username = 'sync' AND shell ='/bin/sync' AND directory <> ''))
|
||||
SELECT
|
||||
|
|
@ -1497,7 +1520,7 @@ spec:
|
|||
description: Retrieves information about user accounts.
|
||||
query: |
|
||||
WITH cached_groups AS (select * from groups)
|
||||
SELECT uid, username, type, groupname, shell
|
||||
SELECT uid, uuid, username, type, groupname, shell
|
||||
FROM users LEFT JOIN cached_groups USING (gid)
|
||||
WHERE type <> 'special' AND shell NOT LIKE '%/false' AND shell NOT LIKE '%/nologin' AND shell NOT LIKE '%/shutdown' AND shell NOT LIKE '%/halt' AND username NOT LIKE '%$' AND username NOT LIKE '\_%' ESCAPE '\' AND NOT (username = 'sync' AND shell ='/bin/sync' AND directory <> '')
|
||||
powershell: >-
|
||||
|
|
@ -1564,6 +1587,65 @@ spec:
|
|||
discovery: windows_update_history
|
||||
purpose: Informational
|
||||
tags: built-in
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: built-in
|
||||
spec:
|
||||
name: Microsoft device ID (macOS)
|
||||
platform: darwin
|
||||
description: Retrieves the Microsoft device ID of a macOS device.
|
||||
query: |
|
||||
SELECT * FROM app_sso_platform WHERE extension_identifier = 'com.microsoft.CompanyPortalMac.ssoextension' AND realm = 'KERBEROS.MICROSOFTONLINE.COM';
|
||||
discovery: app_sso_platform
|
||||
purpose: Informational
|
||||
tags: built-in
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: built-in
|
||||
spec:
|
||||
name: Microsoft device ID (Windows)
|
||||
platform: windows
|
||||
description: Retrieves the Microsoft device ID of a Windows device.
|
||||
query: |
|
||||
SELECT name, data
|
||||
FROM registry
|
||||
WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\MDMDeviceID\DeviceClientId';
|
||||
purpose: Informational
|
||||
tags: built-in
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: built-in
|
||||
spec:
|
||||
name: Software last opened at (Windows)
|
||||
platform: windows
|
||||
description: A software override query to append last_opened_at information to Windows software entries.
|
||||
query: |
|
||||
SELECT
|
||||
MAX(last_run_time) AS last_opened_at,
|
||||
REGEX_MATCH(accessed_files, "VOLUME[^\\]+([^,]+" || REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(filename, '\', '\\'), '.', '\.'), '*', '\*'), '+', '\+'), '?', '\?'), '[', '\['), ']', '\]'), '{', '\{'), '}', '\}'), '(', '\('), ')', '\)'), '|', '\|') || ")", 1) AS executable_path
|
||||
FROM prefetch
|
||||
GROUP BY executable_path
|
||||
purpose: Informational
|
||||
tags: built-in
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: built-in
|
||||
spec:
|
||||
name: Software last opened at (Linux)
|
||||
platform: linux
|
||||
description: A software override query to append last_opened_at information to Linux DEB software entries. The accuracy of this information is limited by the accuracy of the atime column in the file table, which can be affected by the system clock and mount settings like noatime and relatime.
|
||||
query: |
|
||||
SELECT
|
||||
package,
|
||||
MAX(atime) AS last_opened_at
|
||||
FROM deb_package_files
|
||||
CROSS JOIN file USING (path)
|
||||
WHERE type = 'regular'
|
||||
AND regex_match(file.mode, '[1357]', 0)
|
||||
GROUP BY package;
|
||||
discovery: deb_package_files
|
||||
purpose: Informational
|
||||
tags: built-in
|
||||
#
|
||||
# ██████╗ ██╗ ██╗███████╗██████╗ ██╗███████╗███████╗
|
||||
# ██╔═══██╗██║ ██║██╔════╝██╔══██╗██║██╔════╝██╔════╝
|
||||
|
|
|
|||
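Review bot: The REPLACE chain that escapes `filename` before it is spliced into the REGEX_MATCH pattern of the new "Software last opened at (Windows)" query covers `\ . * + ? [ ] { } ( ) |` but not `^` or `$`, both of which are legal in Windows file names and act as anchors in the regex engine osquery uses, so an executable whose name contains either gets a pattern that can never match and its `executable_path` collapses to NULL, merging its `last_run_time` into one NULL group. Appending two more layers, `, '^', '\^')` and `, '$', '\$')`, to the chain closes that gap; the backslash is already replaced first, which is the correct order for an escape chain. The `[^,]+` in the pattern also presumes that `accessed_files` is comma-separated and that no recorded path contains a comma, which I cannot confirm from this file, so that assumption deserves a comment above the query. Given how hard the nested REPLACE is to audit, a one-line comment naming the escaped metacharacters, e.g. `# regex-escape filename: \ . * + ? [ ] { } ( ) | ^ $ (backslash first)`, would make the next change to this list much safer.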