Defense Evasion - osquery config
{
// Daemon flags. Values are written as quoted strings here, while the schedule
// entries below give "interval" as a bare number; both forms occur in this file.
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
// Directory the filesystem logger writes result and status logs into.
"logger_path": "/var/log/osquery",
"disable_logging": "false",
"log_result_events": "true",
"schedule_splay_percent": "10",
"pidfile": "/var/osquery/osquery.pidfile",
"events_expiry": "3600",
"database_path": "/var/osquery/osquery.db",
"verbose": "false",
"worker_threads": "2",
"enable_monitor": "true",
// The event-backed tables queried below (process_events, file_events) need
// events and audit left enabled. NOTE(review): file_events also usually
// requires enable_file_events=true, which is not set here — confirm on the host.
"disable_events": "false",
"disable_audit": "false",
"host_identifier": "hostname",
// Used by any scheduled query that does not set its own "interval"
// (system_info below is the only one without it).
"schedule_default_interval": "3600"
},
"schedule": {
// Host baseline; falls back to schedule_default_interval.
"system_info": {
"query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;"
},
// curl invocations carrying a URL scheme or a dot. The '%.%' clause matches
// almost any command line containing a dot, so expect volume; tune before alerting.
"terminal_downloads_curl": {
"query": "SELECT * FROM process_events WHERE cmdline LIKE '%curl%' AND (cmdline LIKE '%://%' OR cmdline LIKE '%.%');",
"interval": 1800
},
// python invocations whose command line includes a URL scheme.
"terminal_downloads_python": {
"query": "SELECT * FROM process_events WHERE cmdline LIKE '%python%' AND (cmdline LIKE '%://%');",
"interval": 1800
},
// Commands that reference a .bash_history file by name.
"bash_history_commandLine": {
"query": "SELECT * FROM process_events WHERE cmdline LIKE '%.bash_history%';",
"interval": 7200
},
// Deletion of a .bash_history file. Depends on the "homes" file_paths
// category below being watched; without it file_events has nothing to report.
"bash_history_modification": {
"query": "SELECT * FROM file_events WHERE target_path LIKE '%.bash_history%' AND action = 'DELETED';",
"interval": 7200
},
// Gatekeeper assessments reported as turned off.
"gatekeeper_disabled": {
"query": "select * from gatekeeper WHERE assessments_enabled = '0';",
"interval": 14400
},
// Any spctl execution, by command line or binary path. Includes routine
// administrative use, so triage rather than alert directly.
"gatekeeper_disabled_spctl": {
"query": "SELECT * FROM process_events WHERE cmdline LIKE '%spctl%' OR path = '/usr/sbin/spctl';",
"interval": 7200
},
// Inventory of Gatekeeper-approved applications (context, not an alert on its own).
"gatekeeper_allowed": {
"query": "select * from gatekeeper_approved_apps;",
"interval": 14400
},
// Command lines that mention the quarantine extended attribute.
"quarantineAttribute_removal": {
"query": "SELECT * FROM process_events WHERE cmdline LIKE '%com.apple.quarantine%';",
"interval": 1800
},
// XProtect detection reports.
"xprotect_hits": {
"query": "select * from xprotect_reports;",
"interval": 1800
},
// System Integrity Protection reported as disabled.
"sip_disabled": {
"query": "select * FROM sip_config where config_flag = 'sip' AND enabled = '0';",
"interval": 28800
}
},
// Paths monitored for file_events, grouped by category name.
// In osquery path patterns '%' matches a single directory level.
"file_paths": {
"homes": [
"/Users/%/.bash_history"
]
},
// Decorators are normal queries whose columns are appended to every scheduled
// query's results.
"decorators": {
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
// Most recently logged-in user at load time.
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;",
"SELECT hostname AS host FROM system_info;"
]
}
}