{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"host_identifier": "hostname",
"event_pubsub_expiry": "86000",
"debug": "false",
"verbose_debug": "false",
"worker_threads": "4",
"schedule_splay_percent": 10
},
"schedule": {
"macosx_kextstat": {
"query": "SELECT * FROM kernel_extensions where name not like 'com.apple.%';",
"interval": 3600,
"description": "Monitor for loaded kernel extensions whose bundle identifier is outside the com.apple.* namespace (a name-based filter, not a code-signature check)"
},
"disk_encryption": {
"query": "SELECT * FROM disk_encryption where name='/dev/disk1' AND encrypted!=1;",
"interval": 3600,
"description": "Monitor for laptops whose primary disk (assumed here to be /dev/disk1) is not encrypted."
},
"listening_ports": {
"query": "SELECT DISTINCT process.name, listening.port, process.pid
FROM processes AS process
JOIN listening_ports AS listening ON process.pid = listening.pid
WHERE listening.address = '0.0.0.0'
AND name NOT IN ('launchd', 'UserEventAgent', 'dsAccessService', 'mDNSResponder', 'ntpd', 'SystemUIServer', 'Dropbox', 'Spotify');",
"interval": 600,
"description": "Display processes listening on all interfaces (0.0.0.0), excluding a fixed allowlist of expected daemons and applications"
},
"startup_items": {
"query": "SELECT * FROM startup_items;",
"interval": 3600,
"description": "Display the applications that are scheduled to run when the system boots"
},
"launchd_not_in_system": {
"query": "SELECT path FROM launchd where path not like '/System/%';",
"interval": 3600,
"description": "Display launchd items whose path is outside /System/, i.e. not pre-installed by Apple"
},
"yosemite_cloud_pairing": {
"query": "SELECT domain, value FROM preferences where domain='com.apple.ids.service.com.apple.private.alloy.icloudpairing.plist';",
"interval": 3600,
"description": "Display the email address that is paired to iCloud"
},
"suid_bin_not_root": {
"query": "SELECT * FROM suid_bin where username!='root';",
"interval": 600,
"description": "Display any SUID binaries that are not owned by root"
},
"installed_software": {
"query": "SELECT distinct package_filename FROM package_receipts;",
"interval": 3600,
"description": "Display all installed software packages via package receipts"
},
"browser_plugins": {
"query": "SELECT * FROM browser_plugins;",
"interval": 3600,
"description": "Display all browser plugins"
},
"chrome_extensions": {
"query": "SELECT author, name FROM chrome_extensions;",
"interval": 3600,
"description": "Display all installed Chrome extensions"
},
"crontab": {
"query": "SELECT * FROM crontab;",
"interval": 3600,
"description": "Display any crontab entries"
},
"process_listing": {
"query": "SELECT pid, name, path FROM processes;",
"interval": 600,
"description": "Display the pid, name and path of each running process"
},
"connected_sockets": {
"query": "select DISTINCT process.pid, processes.name, process.protocol, process.local_address, process.local_port, process.remote_address, process.remote_port
FROM process_open_sockets as process
JOIN processes as processes ON process.pid = processes.pid
WHERE process.local_address != '127.0.0.1' AND process.protocol!='0'
AND process.remote_address NOT IN ('127.0.0.1','0.0.0.0','::','');",
"interval": 3600,
"description": "Display processes with open sockets to non-loopback remote addresses, with their protocol and local/remote endpoints (loopback and unspecified remote addresses are excluded)"
}
},
"schedule": {
"osx_attacks": {
"interval": 10,
"snapshot": true
},
"it_compliance": {
"interval": 10,
"snapshot": true
}
},
"packs": {
"osx_attacks": "/var/osquery/packs/osx-attacks.conf",
"it_compliance": "/var/osquery/packs/it-compliance.conf"
}
}