gyrospectre · December 30, 2019 01:03
diff --git a/options.yaml b/options.yaml
 apiVersion: v1
 kind: options
 spec:
  config:
    decorators:
      load:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
      - SELECT user AS username FROM logged_in_users WHERE user <> '' ORDER BY time LIMIT 1
    options:
      disable_distributed: false
      distributed_interval: 10
      distributed_plugin: tls
      distributed_tls_max_attempts: 3
      logger_plugin: tls
      logger_tls_endpoint: /api/v1/osquery/log
      logger_tls_period: 10
      pack_delimiter: /
  overrides:
    platforms:
      darwin:
        options:
          distributed_interval: 10
          distributed_tls_max_attempts: 10
          logger_plugin: tls
          logger_tls_endpoint: /api/v1/osquery/log
          logger_tls_period: 300
          disable_tables: chrome_extensions
          docker_socket: /var/run/docker.sock
        file_paths:
          users:
            - /Users/%/Library/%%
            - /Users/%/Documents/%%
          etc:
            - /etc/%%
        auto_table_construction:
          quarantine_items:
            query: SELECT LSQuarantineEventIdentifier as id, LSQuarantineAgentName as agent_name, LSQuarantineAgentBundleIdentifier as agent_bundle_identifier, LSQuarantineTypeNumber as type, LSQuarantineDataURLString as data_url,LSQuara
 ntineOriginURLString as origin_url, LSQuarantineSenderName as sender_name, LSQuarantineSenderAddress as sender_address, LSQuarantineTimeStamp as timestamp from LSQuarantineEvent
            path: /Users/%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
            columns:
            - id
            - type
            - agent_name
            - agent_bundle_identifier
            - timestamp
            - sender_name
            - sender_address
            - origin_url
            - data_url
          chrome_browser_history:
            query: SELECT urls.id id, urls.url url, urls.title title, urls.visit_count visit_count, urls.typed_count typed_count, urls.last_visit_time last_visit_time, urls.hidden hidden, visits.visit_time visit_time, visits.from_visit f
 rom_visit, visits.visit_duration visit_duration, visits.transition transition, visit_source.source source FROM urls JOIN visits ON urls.id = visits.url LEFT JOIN visit_source ON visits.id = visit_source.id
            path: /Users/%/Library/Application Support/Google/Chrome/%/History
            columns:
            - path
            - id
            - url
            - title
            - visit_count
            - typed_count
            - last_visit_time
	apiVersion: v1
	kind: options
	spec:
	config:
	decorators:
	load:
	- SELECT uuid AS host_uuid FROM system_info;
	- SELECT hostname AS hostname FROM system_info;
	- SELECT user AS username FROM logged_in_users WHERE user <> '' ORDER BY time LIMIT 1
	options:
	disable_distributed: false
	distributed_interval: 10
	distributed_plugin: tls
	distributed_tls_max_attempts: 3
	logger_plugin: tls
	logger_tls_endpoint: /api/v1/osquery/log
	logger_tls_period: 10
	pack_delimiter: /
	overrides:
	platforms:
	darwin:
	options:
	distributed_interval: 10
	distributed_tls_max_attempts: 10
	logger_plugin: tls
	logger_tls_endpoint: /api/v1/osquery/log
	logger_tls_period: 300
	disable_tables: chrome_extensions
	docker_socket: /var/run/docker.sock
	file_paths:
	users:
	- /Users/%/Library/%%
	- /Users/%/Documents/%%
	etc:
	- /etc/%%
	auto_table_construction:
	quarantine_items:
	query: SELECT LSQuarantineEventIdentifier as id, LSQuarantineAgentName as agent_name, LSQuarantineAgentBundleIdentifier as agent_bundle_identifier, LSQuarantineTypeNumber as type, LSQuarantineDataURLString as data_url,LSQuara
	ntineOriginURLString as origin_url, LSQuarantineSenderName as sender_name, LSQuarantineSenderAddress as sender_address, LSQuarantineTimeStamp as timestamp from LSQuarantineEvent
	path: /Users/%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
	columns:
	- id
	- type
	- agent_name
	- agent_bundle_identifier
	- timestamp
	- sender_name
	- sender_address
	- origin_url
	- data_url
	chrome_browser_history:
	query: SELECT urls.id id, urls.url url, urls.title title, urls.visit_count visit_count, urls.typed_count typed_count, urls.last_visit_time last_visit_time, urls.hidden hidden, visits.visit_time visit_time, visits.from_visit f
	rom_visit, visits.visit_duration visit_duration, visits.transition transition, visit_source.source source FROM urls JOIN visits ON urls.id = visits.url LEFT JOIN visit_source ON visits.id = visit_source.id
	path: /Users/%/Library/Application Support/Google/Chrome/%/History
	columns:
	- path
	- id
	- url
	- title
	- visit_count
	- typed_count
	- last_visit_time