fleet/cmd/fleetctl/testdata/convert_input.conf

{
  "queries": {
    "launchd": {
      "query": "select * from launchd;",
      "interval": "3600",
      "platform": "darwin",
      "version": "1.4.5",
      "description": "Retrieves all the daemons that will run in the start of the target OSX system.",
      "value": "Identify malware that uses this persistence mechanism to launch at system boot"
    },
    "disk_encryption (posix)": {
      "query": "select * from disk_encryption;",
      "interval": "86400",
      "platform": "posix",
      "version": "1.4.5",
      "description": "Retrieves the current disk encryption status for the target system.",
      "value": "Identifies a system potentially vulnerable to disk cloning."
    },
    "disk_encryption (darwin,linux)": {
      "query": "select * from disk_encryption;",
      "interval": "300",
      "platform": "darwin,linux",
      "version": "1.4.5",
      "description": "Retrieves the current disk encryption status for the target system.",
      "value": "Identifies a system potentially vulnerable to disk cloning."
    },
    "iptables": {
      "query": "select * from iptables;",
      "interval": "3600",
      "platform": "linux",
      "version": "1.4.5",
      "description": "Retrieves the current filters and chains per filter in the target system.",
      "value": "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"
    },
    "app_schemes": {
      "query": "select * from app_schemes;",
      "interval": "86400",
      "platform": "darwin",
      "version": "1.4.7",
      "description": "Retrieves the list of application scheme/protocol-based IPC handlers.",
      "value": "Post-priori hijack detection, detect potential sensitive information leakage."
    },
    "sandboxes": {
      "query": "select * from sandboxes;",
      "interval": "86400",
      "platform": "darwin",
      "version": "1.4.7",
      "description": "Lists the application bundle that owns a sandbox label.",
      "value": "Post-priori hijack detection, detect potential sensitive information leakage."
    },
    "disk_info": {
      "query": "select * from disk_info;",
      "interval": "86400",
      "platform": "chrome,windows",
      "version": "1.4.7",
      "description": "Retrieve basic information about the physical disks of a system.",
      "value": "Identify scary possibilities with disks."
    },
    "listening_ports (specs)": {
      "query": "select * from listening_ports;",
      "interval": "3600",
      "platform": "specs",
      "version": "1.4.7",
      "description": "Retrieves the list of listening ports.",
      "value": "Identify unwanted open ports."
    },
    "listening_ports (utility)": {
      "query": "select * from listening_ports;",
      "interval": "3600",
      "platform": "utility",
      "version": "1.4.7",
      "description": "Retrieves the list of listening ports.",
      "value": "Identify unwanted open ports."
    },
    "yara (yara)": {
      "query": "select * from yara;",
      "interval": "0",
      "platform": "yara",
      "version": "1.4.7",
      "description": "Triggers one-off YARA query for files at the specified path. Requires one of sig_group, sigfile, or sigrule.",
      "value": "TBD"
    },
    "ulimit_info (smart)": {
      "query": "select * from ulimit_info;",
      "interval": "300",
      "platform": "smart",
      "version": "1.4.7",
      "description": "System resource usage limits.",
      "value": "Identify potential resource exhaustion attacks."
    },
    "uptime (kernel)": {
      "query": "select * from uptime;",
      "interval": "600",
      "platform": "kernel",
      "version": "1.4.7",
      "description": "System uptime.",
      "value": "Identify systems that have been rebooted recently."
    },
    "uptime (linwin)": {
      "query": "select * from uptime;",
      "interval": "600",
      "platform": "linwin",
      "version": "1.4.7",
      "description": "System uptime.",
      "value": "Identify systems that have been rebooted recently."
    },
    "uptime (macwin)": {
      "query": "select * from uptime;",
      "interval": "600",
      "platform": "macwin",
      "version": "1.4.7",
      "description": "System uptime.",
      "value": "Identify systems that have been rebooted recently."
    },
    "uptime (sleuthkit)": {
      "query": "select * from uptime;",
      "interval": "600",
      "platform": "sleuthkit",
      "version": "1.4.7",
      "description": "System uptime.",
      "value": "Identify systems that have been rebooted recently."
    },
    "windows crashes": {
      "query": "select * from windows_crashes;",
      "interval": "3600",
      "platform": "windows",
      "version": "1.4.7",
      "description": "Extracted information from Windows crash logs (Minidumps).",
      "value": "Identify systems that have been rebooted recently."
    },
    "user groups (any)": {
      "query": "select * from user_groups;",
      "interval": "3600",
      "platform": "any",
      "version": "1.4.7",
      "description": "List of all user groups.",
      "value": "Identify unwanted user groups."
    },
    "user groups (missing platform)": {
      "query": "select * from user_groups;",
      "interval": "3600",
      "version": "1.4.7",
      "description": "List of all user groups.",
      "value": "Identify unwanted user groups."
    },
    "user groups (missing version)": {
      "query": "select * from user_groups;",
      "interval": "3600",
      "platform": "darwin",
      "description": "List of all user groups.",
      "value": "Identify unwanted user groups."
    },
    "user groups (all)": {
      "query": "select * from user_groups;",
      "interval": "3600",
      "platform": "all",
      "version": "1.4.7",
      "description": "List of all user groups.",
      "value": "Identify unwanted user groups."
    },
    "user groups (empty string platform, empty string version)": {
      "query": "select * from user_groups;",
      "interval": "3600",
      "platform": "",
      "version": "",
      "description": "List of all user groups.",
      "value": "Identify unwanted user groups."
    },
    "user groups (darwin,linux)": {
      "query": "select * from user_groups;",
      "interval": "3600",
      "platform": "darwin,linux",
      "version": "1.4.7",
      "description": "List of all user groups.",
      "value": "Identify unwanted user groups."
    },
    "user groups (linux,darwin)": {
      "query": "select * from user_groups;",
      "interval": "3600",
      "platform": "linux,darwin",
      "version": "1.4.7",
      "description": "List of all user groups.",
      "value": "Identify unwanted user groups."
    },
    "user groups (windows,chrome)": {
      "query": "select * from user_groups;",
      "interval": "3600",
      "platform": "windows,chrome",
      "version": "1.4.7",
      "description": "List of all user groups.",
      "value": "Identify unwanted user groups."
    }
  }
}