Corentin B. Saluki

Saluki / container-osquery_privileged.sql

Created January 25, 2019 14:15

MEDIUM - Container OSQuery - Privileged containers

	-- Detect privileged containers
	SELECT name, image, status
	FROM docker_containers
	WHERE privileged=1;

Saluki / container-osquery_users.sql

Created January 25, 2019 14:22

MEDIUM - Container OSQuery - Docker users

	-- See users who can access the Docker daemon
	SELECT u.username
	FROM user_groups ug
	LEFT JOIN users u ON u.uid=ug.uid
	WHERE ug.gid IN (
	SELECT gid FROM groups WHERE groupname="docker"
	);

Saluki / container-osquery_environment.sql

Created January 28, 2019 10:35

MEDIUM - Container OSQuery - Environment variables

	-- Search for a specific environment variable in all containers
	SELECT name, env_variables
	FROM docker_containers
	WHERE env_variables LIKE "%NGINX_VERSION%";

Saluki / container-osquery_apparmor.sql

Created January 28, 2019 10:38

MEDIUM - Container OSQuery - AppArmor filtering

	-- Detect profiles that are not running with AppArmor
	SELECT name, image, state
	FROM docker_containers
	WHERE security_options NOT LIKE "%apparmor%";

Saluki / container-osquery_root.sql

Created January 28, 2019 10:44

MEDIUM - Container OSQuery - Root containers

	-- Detect contains with process that run with the root user
	SELECT containers.name, processes.pid, processes.name, cmdline, user
	FROM docker_container_processes processes
	JOIN docker_containers containers ON containers.id=processes.id
	WHERE processes.id IN (
	SELECT id FROM docker_containers
	) AND user="root";

Saluki / container-osquery_unused.sql

Created January 28, 2019 10:46

MEDIUM - Container OSQuery - Unused images

	-- Retrieve images not used in active containers
	SELECT id, tags
	FROM docker_images
	WHERE id NOT IN (
	SELECT image_id FROM docker_containers
	);