Mac OSX apps Lastly, you can grab all your installed Mac applications with: SELECT bundle_name FROM apps We’ve have provided a public Github repository which maps packages to CVEs. With this information, you can in fact query those external repositories to check for updates and use the vendor information to check for vulnerabilities. SELECT name, baseurl, enabled FROM yum_sources You can even use Osquery to check which repositories are in use using yum_sources for RPMs. What’s cool about being able to retrieve the installed package details (including the hash sha1/sha256) is that you can tie this against the public RPM and DEB package managers. SELECT name, version, source FROM deb_packages SELECT name, release, sha1 FROM rpm_packages Īnd for Debian. At the moment both RPM and DEB based package managers are supported. Linux packages The query used to find Linux packages depends on the package manager being used. SELECT name, install_location FROM programs WHERE install_location NOT LIKE 'C:\Program Files%' Or even find programs installed in non-standard Windows locations. SELECT name, version, identifying_number FROM programs When pooling these results the identifying_number will help identify unique versions of installed programs. Windows Programs Installed windows programs can be queried using the following query. Showing application information for Mac OS X Setting up the process_events table does require some additional command flags which we covered in the fore-mentioned blog post. The process_events table is helpful to capture every process that’s been spawned as the processes table is only a snapshot in time. One thing to note with this query is that if the parent process has exited, you won’t be able to iterate through the process tree. The process table also includes a column called on_disk which might help identify suspicious processes spawned from memory. You can use query recursion to iterate through parent processes to identify a given processes execution path. WITH RECURSIVE rc(pid, parent, name) AS ( SELECT pid, parent, name FROM processes WHERE pid = 55334 UNION ALL SELECT p.pid, p.parent, p.name FROM processes AS p, rc WHERE p.pid = rc.parent AND p.pid != 0 ) SELECT pid, parent, name FROM rc LIMIT 20 However, I want to cover a few neat tricks taking advantage of the SQLite engine used by OSquery. We published a previous post on this which covers collecting process information from the processes table and the corresponding application hashes as well as event information from process_events table. SELECT name, version, build, platform FROM os_version Processes and process events This is useful for identifying systems that may not be running the latest OS release. The os_version table provides operating system information and the current patch level. SELECT uuid, hardware_serial, hostname, cpu_subtype, cpu_brand, physical_memory, hardware_vendor, hardware_model FROM system_info A serial number in the case of Apple or Dell service tag. The hardware_serial column will also provide the manufactures hardware identifier. The system_info table also provides the system UUID to help uniquely identify the asset within your IT estate. The system_info table will provide basic system information around the CPU and available memory. The following system queries will run across all platforms. Osquery provides access to several tables relating to various aspects of system information. Information captured from systems using Osquery System information
0 Comments
Leave a Reply. |