  1. {
  2. "options": {
  3. "config_plugin": "filesystem",
  4. "logger_plugin": "filesystem",
  5. "logger_path": "/var/log/osquery",
  6. "disable_logging": "false",
  7. "log_result_events": "true",
  8. "schedule_splay_percent": "10",
  9. "pidfile": "/var/osquery/osquery.pidfile",
  10. "events_expiry": "3600",
  11. "database_path": "/var/osquery/osquery.db",
  12. "verbose": "false",
  13. "worker_threads": "2",
  14. "enable_monitor": "true",
  15. "disable_events": "false",
  16. "disable_audit": "false",
  17. "host_identifier": "hostname",
  18. "schedule_default_interval": "3600"
  19. },
  20.  
  21. "schedule": {
  22. "system_info": {
  23. "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
  24. "interval": 3600
  25. },
  26. "terminal_downloads_curl": {
  27. "query": "SELECT * FROM process_events WHERE cmdline LIKE '%curl%' AND (cmdline LIKE '%://%' OR cmdline LIKE '%.%');",
  28. "interval": 60
  29. },
  30. "bash_history_commandLine": {
  31. "query": "SELECT * FROM process_events WHERE cmdline LIKE '%.bash_history%';",
  32. "interval": 60
  33. },
  34. "bash_history_modification": {
  35. "query": "SELECT * FROM file_events WHERE target_path LIKE '%.bash_history%' AND action = 'DELETED';",
  36. "interval": 60
  37. },
  38. "gatekeeper_disabled": {
  39. "query": "select * from gatekeeper WHERE assessments_enabled = '0';",
  40. "interval": 60
  41. },
  42. "gatekeeper_disabled_spctl": {
  43. "query": "SELECT * FROM process_events WHERE cmdline LIKE '%spctl%' OR path = '/usr/sbin/spctl';",
  44. "interval": 60
  45. },
  46. "gatekeeper_allowed": {
  47. "query": "select * from gatekeeper_approved_apps;",
  48. "interval": 60
  49. },
  50. "quarantineAttribute_removal": {
  51. "query": "SELECT * FROM process_events WHERE cmdline LIKE '%com.apple.quarantine%';",
  52. "interval": 60
  53. },
  54. "xprotect_hits": {
  55. "query": "select * from xprotect_reports;",
  56. "interval": 60
  57. },
  58. "sip_disabled": {
  59. "query": "select * FROM sip_config where config_flag = 'sip' AND enabled = '0';",
  60. "interval": 60
  61. }
  62.  
  63.  
  64. },
  65.  
  66. "file_paths": {
  67. "homes": [
  68. "/Users/%/.bash_history"
  69. ]
  70. },
  71. // Decorators are normal queries whose result columns are appended to every scheduled query's log lines. The "load" set runs once when the config is loaded, so the username decorator below captures only the most recently logged-in user at that moment (logged_in_users ... LIMIT 1), not the user who triggered each event - treat it as a hint for triage, not as attribution.
  72. "decorators": {
  73. "load": [
  74. "SELECT uuid AS host_uuid FROM system_info;",
  75. "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;",
  76. "SELECT hostname AS host FROM system_info;"
  77. ]
  78. }
  79. }