-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathosquery.conf
112 lines (104 loc) · 3.81 KB
/
osquery.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
//"logger_plugin": "syslog", It only allows it to be written into syslog.
//"logger_plugin": "filesystem" It only allows writing to the file directory.
//"logger_plugin": "filesystem,syslog" It allows to be written into both the file and syslog.
"logger_path": "/var/log/osquery",
"disable_logging": "false",
"schedule_splay_percent": "10",
"pidfile": "/var/osquery/osquery.pidfile",
"events_expiry": "3600",
//"database_path": "/var/osquery/osquery.db",
"verbose": "false",
"worker_threads": "2",
"disable_events": "false",
"disable_audit": "false",
"audit_allow_config": "true",
"host_identifier": "hostname",
"enable_syslog": "true",
"audit_allow_sockets": "true",
"schedule_default_interval": "3600"
},
"schedule": {
"proccesses_monitoring": {
"query": "SELECT *, ROUND(( (user_time + system_time) / (cpu_time.tsb - cpu_time.itsb)) * 100, 2) AS cpu_usage FROM processes, (SELECT ( SUM(user) + SUM(nice) + SUM(system) + SUM(idle) * 1.0) AS tsb, SUM(COALESCE(idle, 0)) + SUM(COALESCE(iowait, 0)) AS itsb FROM cpu_time) AS cpu_time;",
"interval": 60
},
"mounts_monitoring": {
"query": "SELECT * FROM mounts;",
"interval": 60
},
"logged_in_users_monitoring": {
"query": "SELECT * FROM logged_in_users WHERE type='user';",
"interval": 60
},
"application_monitoring": {
"query": "SELECT * FROM rpm_packages;",
// "query": "SELECT * FROM deb_packages;",
"interval": 60
},
"system_info_monitoring": {
"query": "SELECT * FROM system_info;",
"interval": 60
},
"usb_devices_monitoring": {
"query": "SELECT * FROM usb_devices;",
"interval": 60
},
"network_pos_monitoring": {
"query": "SELECT DISTINCT 'CONNECT' AS action, pid, local_address, local_port, remote_address, remote_port, family, protocol, path, NULL AS timestamp FROM process_open_sockets WHERE remote_address <> '' AND remote_port != 0 AND pid > 0;",
"interval": 60
},
"network_lip_monitoring": {
"query": "SELECT * FROM listening_ports WHERE port>0 and address!='::';",
"interval": 60
},
"file_events_monitoring": {
"query": "SELECT * FROM file_events;",
"interval": 60
},
"shadow_monitoring": {
"query": "SELECT * FROM shadow WHERE password_status='active';",
"interval": 60
}
},
"file_paths": {
"homes": [
"/root/.ssh/%%",
"/home/%/.ssh/%%"
],
"etc": [
"/etc/%%"
],
"services": [
"/usr/lib/systemd/system/%service",
"/usr/lib/systemd/system/%wants/%service",
"/usr/lib/systemd/system/%service.d/%service"
]
},
// "exclude_paths": {
// "homes": [
// "/home/not_to_monitor/.ssh/%%"
// ],
// "tmp": [
// "/tmp/too_many_events/"
// ]
//},
// Linux: /usr/share/osquery/packs
// OS X: /var/osquery/packs
// Homebrew: /usr/local/share/osquery/packs
// make install: {PREFIX}/share/osquery/packs
"packs": {
// "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
// "incident-response": "/usr/share/osquery/packs/incident-response.conf",
// "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
// "osx-attacks": "/usr/share/osquery/packs/osx-attacks.conf",
// "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
// "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf",
// "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf",
// "windows-hardening": "C:\\Program Files\\osquery\\packs\\windows-hardening.conf",
// "windows-attacks": "C:\\Program Files\\osquery\\packs\\windows-attacks.conf"
}
}