mirror of
https://github.com/fleetdm/fleet
synced 2026-05-22 00:18:27 +00:00
633f969ce9
The example queries that we provide for the `chrome_extensions` and `firefox_addons` table produce a syntax error because they use CROSS JOIN instead of INNER JOIN. --------- Co-authored-by: Eric <eashaw@sailsjs.com>
127 lines
3.3 KiB
YAML
127 lines
3.3 KiB
YAML
name: chrome_extensions
|
|
platforms:
|
|
- darwin
|
|
- windows
|
|
- linux
|
|
- chrome
|
|
description: The `chrome_extensions` table maps browser extensions installed in [Chromium](https://en.wikipedia.org/wiki/Chromium_(web_browser)) browsers like [Google Chrome](https://en.wikipedia.org/wiki/Google_Chrome), [Edge](https://en.wikipedia.org/wiki/Microsoft_Edge), [Brave](https://en.wikipedia.org/wiki/Brave_(web_browser)), [Opera](https://en.wikipedia.org/wiki/Opera_(web_browser)), and [Yandex](https://en.wikipedia.org/wiki/Yandex_Browser).
|
|
examples: |-
|
|
|
|
Because browser data lives in user space, this query uses a join to include a UID:
|
|
|
|
```
|
|
SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);
|
|
```
|
|
|
|
This query shows Chrome extensions that have full access to HTTPS browsing;
|
|
|
|
```
|
|
SELECT u.username, ce.name, ce.description, ce.version, ce.profile, ce.permissions FROM users u INNER JOIN chrome_extensions ce USING (uid) WHERE ce.permissions LIKE '%%https://*/*%%';
|
|
```
|
|
|
|
notes: |-
|
|
Querying this table requires joining against the `users` table. [Learn more](https://fleetdm.com/guides/osquery-consider-joining-against-the-users-table)
|
|
|
|
On ChromeOS, this table requires the [fleetd Chrome extension](https://fleetdm.com/docs/using-fleet/chromeos).
|
|
|
|
Examples of [malicious Chrome extensions](https://palant.info/2023/06/08/another-cluster-of-potentially-malicious-chrome-extensions/)
|
|
|
|
Loosely restricted extension permissions can be an [indicator of malicious intent](https://developer.chrome.com/docs/extensions/reference/api/permissions)
|
|
|
|
Tracking browser extensions in an organization can help with:
|
|
|
|
- Compliance audits: Ensure extensions comply with company policies
|
|
- Security training: Educate users about Chrome extension risks
|
|
- Incident response: Identify suspicious or vulnerable extensions
|
|
|
|
columns:
|
|
- name: uid
|
|
platforms:
|
|
- darwin
|
|
- windows
|
|
- linux
|
|
- name: profile
|
|
platforms:
|
|
- darwin
|
|
- windows
|
|
- linux
|
|
- name: profile_path
|
|
platforms:
|
|
- darwin
|
|
- windows
|
|
- linux
|
|
- name: referenced_identifier
|
|
platforms:
|
|
- darwin
|
|
- windows
|
|
- linux
|
|
- name: default_locale
|
|
platforms:
|
|
- darwin
|
|
- windows
|
|
- linux
|
|
- name: current_locale
|
|
platforms:
|
|
- darwin
|
|
- windows
|
|
- linux
|
|
- name: author
|
|
platforms:
|
|
- darwin
|
|
- windows
|
|
- linux
|
|
- name: persistent
|
|
platforms:
|
|
- darwin
|
|
- windows
|
|
- linux
|
|
- name: path
|
|
type: text
|
|
description: Path to extension folder. Defaults to '' on ChromeOS
|
|
- name: optional_permissions
|
|
platforms:
|
|
- darwin
|
|
- windows
|
|
- linux
|
|
- name: optional_permissions_json
|
|
platforms:
|
|
- darwin
|
|
- windows
|
|
- linux
|
|
- name: manifest_hash
|
|
platforms:
|
|
- darwin
|
|
- windows
|
|
- linux
|
|
- name: referenced
|
|
platforms:
|
|
- darwin
|
|
- windows
|
|
- linux
|
|
- name: from_webstore
|
|
platforms:
|
|
- darwin
|
|
- windows
|
|
- linux
|
|
- name: state
|
|
type: text
|
|
- name: install_time
|
|
platforms:
|
|
- darwin
|
|
- windows
|
|
- linux
|
|
- name: install_timestamp
|
|
platforms:
|
|
- darwin
|
|
- windows
|
|
- linux
|
|
- name: manifest_json
|
|
platforms:
|
|
- darwin
|
|
- windows
|
|
- linux
|
|
- name: key
|
|
platforms:
|
|
- darwin
|
|
- windows
|
|
- linux
|