diff --git a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
index e235c514ea..96ef97042c 100644
--- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
@@ -1,16 +1,6 @@
---
apiVersion: v1
kind: query
-spec:
- name: Count Apple applications installed
- platforms: macOS
- description: Get the total number of Apple applications installed on the host system.
- query: SELECT COUNT(*) FROM apps WHERE bundle_identifier LIKE 'com.apple.%';
- purpose: Informational
- contributors: mike-j-thomas,noahtalerman,mikermcneil
----
-apiVersion: v1
-kind: query
spec:
name: Get OpenSSL versions
platforms: Linux
@@ -21,16 +11,6 @@ spec:
---
apiVersion: v1
kind: query
-spec:
- name: Get whether Gatekeeper is disabled
- platforms: macOS
- description: Gatekeeper tries to ensure only trusted software is run on a mac machine.
- query: SELECT * FROM gatekeeper WHERE assessments_enabled = 0;
- purpose: Informational
- contributors: zwass
----
-apiVersion: v1
-kind: query
spec:
name: Get authorized SSH keys
platforms: macOS, Linux
@@ -92,16 +72,6 @@ spec:
---
apiVersion: v1
kind: query
-spec:
- name: Get Homebrew Packages
- platforms: macOS
- description: Get the installed homebrew package database.
- query: SELECT * FROM homebrew_packages;
- purpose: Informational
- contributors: zwass
----
-apiVersion: v1
-kind: query
spec:
name: Get installed Linux software
platforms: Linux
@@ -152,66 +122,6 @@ spec:
---
apiVersion: v1
kind: query
-spec:
- name: Get macOS disk free space percentage
- platforms: macOS
- description: Displays the percentage of free space available on the primary disk partition.
- query: SELECT (blocks_available * 100 / blocks) AS pct, * FROM mounts WHERE path = '/';
- purpose: Informational
- contributors: zwass
----
-apiVersion: v1
-kind: query
-spec:
- name: Get mounts
- platforms: macOS, Linux
- description: Shows system mounted devices and filesystems (not process specific).
- query: SELECT device, device_alias, path, type, blocks_size FROM mounts;
- purpose: Informational
- contributors: zwass
----
-apiVersion: v1
-kind: query
-spec:
- name: Get the version of the resident operating system
- platforms: macOS, Linux, Windows, FreeBSD
- description: Retrieves the version of the host(s) operating system(s).
- query: SELECT * FROM os_version;
- purpose: Informational
- contributors: zwass
----
-apiVersion: v1
-kind: query
-spec:
- name: Get platform info
- platforms: macOS
- description: Shows information about the host platform
- query: SELECT vendor, version, date, revision from platform_info;
- purpose: Informational
- contributors: zwass
----
-apiVersion: v1
-kind: query
-spec:
- name: Get startup items
- platforms: macOS, Linux, Windows, FreeBSD
- description: Shows applications and binaries set as user/login startup items.
- query: SELECT * FROM startup_items;
- purpose: Informational
- contributors: zwass
----
-apiVersion: v1
-kind: query
-spec:
- name: Get system logins and logouts
- platforms: macOS
- description: Get a list of system logins and logouts.
- query: SELECT * FROM last;
- purpose: Informational
- contributors: zwass
----
-apiVersion: v1
-kind: query
spec:
name: Get current users with active shell/console on the system
platforms: macOS, Linux, Windows, FreeBSD
@@ -222,56 +132,6 @@ spec:
---
apiVersion: v1
kind: query
-spec:
- name: Get system uptime
- platforms: macOS, Linux, Windows, FreeBSD
- description: Shows the system uptime.
- query: SELECT * FROM uptime;
- purpose: Informational
- contributors: zwass
----
-apiVersion: v1
-kind: query
-spec:
- name: Get USB devices
- platforms: macOS, Linux
- description: Shows all USB devices that are actively plugged into the host system.
- query: SELECT * FROM usb_devices;
- purpose: Informational
- contributors: zwass
----
-apiVersion: v1
-kind: query
-spec:
- name: Get wifi status
- platforms: macOS
- description: Shows information about the wifi network that a host is currently connected to.
- query: SELECT * FROM wifi_status;
- purpose: Informational
- contributors: zwass
----
-apiVersion: v1
-kind: query
-spec:
- name: Get Windows machines with unencrypted hard disks
- platforms: Windows
- description: List all Windows machines with unencrypted hard disks.
- query: SELECT * FROM bitlocker_info WHERE protection_status = 0;
- purpose: Informational
- contributors: zwass
----
-apiVersion: v1
-kind: query
-spec:
- name: Get disk encryption status
- platforms: macOS, Linux
- description: Disk encryption status and information.
- query: SELECT * FROM disk_encryption;
- purpose: Informational
- contributors: anelshaer
----
-apiVersion: v1
-kind: query
spec:
name: Get unencrypted SSH keys for local accounts
platforms: macOS, Linux, Windows, FreeBSD
@@ -294,26 +154,6 @@ spec:
---
apiVersion: v1
kind: query
-spec:
- name: Get crontab jobs
- platforms: macOS, Linux
- description: Line parsed values from system and user cron/tab.
- query: SELECT * FROM crontab;
- purpose: Informational
- contributors: anelshaer
----
-apiVersion: v1
-kind: query
-spec:
- name: Get suid binaries
- platforms: macOS, Linux
- description: suid binaries in common locations.
- query: SELECT * FROM suid_bin;
- purpose: Informational
- contributors: zwass
----
-apiVersion: v1
-kind: query
spec:
name: Get dynamic linker hijacking on Linux (MITRE. T1574.006)
platforms: Linux
@@ -390,27 +230,7 @@ spec:
apiVersion: v1
kind: query
spec:
- name: Get docker images on a system
- platforms: macOS, Linux
- description: Docker images information, can be used on normal system or a kubenode.
- query: SELECT * FROM docker_images;
- purpose: Informational
- contributors: anelshaer
----
-apiVersion: v1
-kind: query
-spec:
- name: Get docker running containers on a system
- platforms: macOS, Linux
- description: Docker containers information, can be used on normal system or a kubenode.
- query: SELECT * FROM docker_containers;
- purpose: Informational
- contributors: anelshaer
----
-apiVersion: v1
-kind: query
-spec:
- name: Get docker running process on a system
+ name: Get Docker contained processes on a system
platforms: macOS, Linux
description: Docker containers Processes, can be used on normal system or a kubenode.
query: SELECT c.id, c.name, c.image, c.image_id, c.command, c.created, c.state, c.status, p.cmdline FROM docker_containers c CROSS JOIN docker_container_processes p using(id);
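Review bot: The renamed `name` line now says "Docker contained processes" while the `description` context line directly beneath it still reads "Docker containers Processes, can be used on normal system or a kubenode.", so the two no longer describe the query in the same terms and the stray capitalization survives the rename. Since the query joins each container's metadata columns to `p.cmdline` from `docker_container_processes`, I would update the description in the same commit to `description: Processes running inside Docker containers, joined to their container metadata; usable on a normal host or a Kubernetes node.` The query line also keeps `using(id)` in lowercase while every other keyword on it is uppercase; `USING(id)` would match the rest of the library. The remainder of this query document (`purpose`, `contributors`) continues past the end of the hunk.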
@@ -539,16 +359,6 @@ spec:
---
apiVersion: v1
kind: query
-spec:
- name: Get Mac and Linux machines with unencrypted primary disks
- platforms: macOS, Linux
- description:
- query: SELECT * FROM mounts m, disk_encryption d WHERE m.path= "/" AND m.device = d.name AND d.encrypted = 0;
- purpose: Informational
- contributors: DominusKelvin
----
-apiVersion: v1
-kind: query
spec:
name: Get servers with root login in the last 24 hours
platforms: macOS, Linux, Windows