- {
- "options": {
- "config_plugin": "filesystem",
- "logger_plugin": "filesystem",
- "logger_path": "/var/log/osquery",
- "disable_logging": "false",
- "log_result_events": "true",
- "schedule_splay_percent": "10",
- "pidfile": "/var/osquery/osquery.pidfile",
- "events_expiry": "3600",
- "database_path": "/var/osquery/osquery.db",
- "verbose": "false",
- "worker_threads": "2",
- "enable_monitor": "true",
- "disable_events": "false",
- "disable_audit": "false",
- "host_identifier": "hostname",
- "schedule_default_interval": "3600"
- },
- "schedule": {
- "system_info": {
- "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
- "interval": 3600
- },
- "terminal_downloads_curl": {
- "query": "SELECT * FROM process_events WHERE cmdline LIKE '%curl%' AND (cmdline LIKE '%://%' OR cmdline LIKE '%.%');",
- "interval": 60
- },
- "bash_history_commandLine": {
- "query": "SELECT * FROM process_events WHERE cmdline LIKE '%.bash_history%';",
- "interval": 60
- },
- "bash_history_modification": {
- "query": "SELECT * FROM file_events WHERE target_path LIKE '%.bash_history%' AND action = 'DELETED';",
- "interval": 60
- },
- "gatekeeper_disabled": {
- "query": "select * from gatekeeper WHERE assessments_enabled = '0';",
- "interval": 60
- },
- "gatekeeper_disabled_spctl": {
- "query": "SELECT * FROM process_events WHERE cmdline LIKE '%spctl%' OR path = '/usr/sbin/spctl';",
- "interval": 60
- },
- "gatekeeper_allowed": {
- "query": "select * from gatekeeper_approved_apps;",
- "interval": 60
- },
- "quarantineAttribute_removal": {
- "query": "SELECT * FROM process_events WHERE cmdline LIKE '%com.apple.quarantine%';",
- "interval": 60
- },
- "xprotect_hits": {
- "query": "select * from xprotect_reports;",
- "interval": 60
- },
- "sip_disabled": {
- "query": "select * FROM sip_config where config_flag = 'sip' AND enabled = '0';",
- "interval": 60
- }
- },
- "file_paths": {
- "homes": [
- "/Users/%/.bash_history"
- ]
- },
- // Decorators are normal queries whose results are appended to the output of every scheduled query.
- "decorators": {
- "load": [
- "SELECT uuid AS host_uuid FROM system_info;",
- "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;",
- "SELECT hostname AS host FROM system_info;"
- ]
- }
- }