Corentin B. Saluki
@Saluki
Saluki / container-osquery_unused.sql
Created January 28, 2019 10:46
MEDIUM - Container OSQuery - Unused images
-- Retrieve images that are not referenced by any container
SELECT id, tags
FROM docker_images
WHERE id NOT IN (
  SELECT image_id FROM docker_containers
  -- a NULL inside a NOT IN list would make the whole query return nothing
  WHERE image_id IS NOT NULL
);
Saluki / container-osquery_root.sql
Created January 28, 2019 10:44
MEDIUM - Container OSQuery - Root containers
-- Detect containers with processes that run as the root user
SELECT containers.name AS container, processes.pid, processes.name AS process, processes.cmdline, processes.user
FROM docker_container_processes processes
JOIN docker_containers containers ON containers.id = processes.id
WHERE processes.id IN (
  -- docker_container_processes requires an id constraint; this subquery supplies it
  SELECT id FROM docker_containers
) AND processes.user = 'root';
Saluki / container-osquery_apparmor.sql
Created January 28, 2019 10:38
MEDIUM - Container OSQuery - AppArmor filtering
-- Detect containers that are not running under an AppArmor profile
SELECT name, image, state
FROM docker_containers
WHERE security_options NOT LIKE '%apparmor%';
Saluki / container-osquery_environment.sql
Created January 28, 2019 10:35
MEDIUM - Container OSQuery - Environment variables
-- Search for a specific environment variable in all containers
SELECT name, env_variables
FROM docker_containers
WHERE env_variables LIKE '%NGINX_VERSION%';
Saluki / container-osquery_users.sql
Created January 25, 2019 14:22
MEDIUM - Container OSQuery - Docker users
-- See users who can access the Docker daemon (members of the docker group)
SELECT u.username
FROM user_groups ug
LEFT JOIN users u ON u.uid = ug.uid
WHERE ug.gid IN (
  SELECT gid FROM groups WHERE groupname = 'docker'
);
Saluki / container-osquery_privileged.sql
Created January 25, 2019 14:15
MEDIUM - Container OSQuery - Privileged containers
-- Detect privileged containers
SELECT name, image, status
FROM docker_containers
WHERE privileged=1;
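The privileged, AppArmor, root-process and environment gists above folded into one per-container report, as an added example that is not one of Saluki's gists. The column aliases and the '%PASSWORD%' pattern (the NGINX_VERSION search repointed at a key name that suggests a secret in the environment) are my own choices; only the standard osquery docker_containers and docker_container_processes tables are used.

```sql
-- Added example: one row per running container that trips any of the
-- checks above, with a column per finding so a single scheduled query
-- can feed alerting instead of four separate ones.
SELECT
  c.name,
  c.image,
  c.privileged                                       AS is_privileged,
  CASE WHEN c.security_options LIKE '%apparmor%'
       THEN 0 ELSE 1 END                             AS no_apparmor,
  -- correlated subquery: p.id = c.id supplies the required id constraint
  (SELECT COUNT(*)
     FROM docker_container_processes p
    WHERE p.id = c.id AND p.user = 'root')           AS root_processes,
  -- assumed pattern; adjust to the key names your images actually use
  CASE WHEN c.env_variables LIKE '%PASSWORD%'
       THEN 1 ELSE 0 END                             AS env_has_password_key
FROM docker_containers c
WHERE c.state = 'running'
  AND (c.privileged = 1
       OR c.security_options NOT LIKE '%apparmor%'
       OR c.env_variables LIKE '%PASSWORD%'
       OR EXISTS (SELECT 1 FROM docker_container_processes p
                   WHERE p.id = c.id AND p.user = 'root'))
ORDER BY c.privileged DESC, root_processes DESC;
```

If a given osquery build rejects the correlated `p.id = c.id` form for the required-column table, substitute the `IN (SELECT id FROM docker_containers)` pattern used in the root-containers gist.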