{
  "os_version": {
    "query": "select * from os_version;",
    "description": "Retrieves the operating system version of the target system (os_version table).",
    "purlType": "swid",
    "componentType": "operating-system"
  },
  "kernel_info": {
    "query": "select * from kernel_info;",
    "name": "os-image",
    "description": "Retrieves information from the current kernel in the target system.",
    "purlType": "swid",
    "componentType": "operating-system"
  },
  "chrome_extensions": {
    "query": "select chrome_extensions.* from users join chrome_extensions using (uid);",
    "description": "Retrieves the list of extensions for Chrome in the target system.",
    "purlType": "chrome-extension",
    "componentType": "application"
  },
  "firefox_addons": {
    "query": "select firefox_addons.* from users join firefox_addons using (uid);",
    "description": "Retrieves the list of addons for Firefox in the target system.",
    "purlType": "swid",
    "componentType": "application"
  },
  "vscode_extensions": {
    "query": "select vscode_extensions.* from users join vscode_extensions using (uid);",
    "description": "Retrieves the list of VS Code extensions per user in the target system.",
    "purlType": "vscode-extension",
    "componentType": "application"
  },
  "deb_packages": {
    "query": "select * from deb_packages;",
    "description": "Retrieves all the installed DEB packages in the target Linux system.",
    "purlType": "deb"
  },
  "apt_sources": {
    "query": "select * from apt_sources;",
    "description": "Retrieves all the APT sources to install packages from in the target Linux system.",
    "purlType": "generic",
    "componentType": "data"
  },
  "apt_ppa_sources": {
    "query": "SELECT COALESCE(name, base_uri, source) as name, release as version, maintainer as publisher, source as description, source, base_uri, release, components, architectures FROM apt_sources WHERE base_uri LIKE '%ppa.launchpadcontent.net%' OR base_uri LIKE '%ppa.launchpad.net%';",
    "description": "APT Personal Package Archive (PPA) sources configured on the target Linux system.",
    "purlType": "generic",
    "componentType": "data"
  },
  "yum_sources": {
    "query": "select * from yum_sources;",
    "description": "Retrieves the yum package manager sources configured on the target Linux system.",
    "purlType": "generic",
    "componentType": "data"
  },
  "trusted_gpg_keys": {
    "query": "SELECT COALESCE(file.filename, file.path) as name, hash.sha256 as version, file.path as description, file.path, file.directory, file.filename, file.uid, file.gid, file.mode, file.size, file.mtime, hash.sha1, hash.sha256, CASE WHEN file.path LIKE '/etc/apt/%' OR file.path LIKE '/usr/share/keyrings/%' THEN 'apt' WHEN file.path LIKE '/etc/pki/rpm-gpg/%' OR file.path LIKE '/usr/share/distribution-gpg-keys/%' THEN 'rpm' WHEN file.path LIKE '/etc/apk/keys/%' THEN 'apk' ELSE 'generic' END AS trust_domain FROM file JOIN hash USING (path) WHERE (file.path = '/etc/apt/trusted.gpg' OR file.path LIKE '/etc/apt/trusted.gpg.d/%' OR file.path LIKE '/usr/share/keyrings/%' OR file.path LIKE '/etc/pki/rpm-gpg/%' OR file.path LIKE '/usr/share/distribution-gpg-keys/%' OR file.path LIKE '/etc/apk/keys/%') AND file.type = 'regular';",
    "description": "Trusted repository keyring material for APT, RPM/DNF, and APK package trust validation.",
    "purlType": "generic",
    "componentType": "cryptographic-asset"
  },
  "portage_packages": {
    "query": "select * from portage_packages;",
    "description": "Retrieves all the installed Portage packages on the target Linux system.",
    "purlType": "ebuild"
  },
  "rpm_packages": {
    "query": "select * from rpm_packages;",
    "description": "Retrieves all the installed RPM packages in the target Linux system.",
    "purlType": "rpm"
  },
  "python_packages": {
    "query": "select * from python_packages;",
    "description": "Python packages installed on the target system.",
    "purlType": "pypi"
  },
  "npm_packages": {
    "query": "SELECT * FROM npm_packages;",
    "description": "Node packages installed on the system, including recursively discovered modern package manager layouts.",
    "purlType": "npm"
  },
  "system_info_snapshot": {
    "query": "SELECT * FROM system_info;",
    "description": "Snapshot of the system_info table for the target system.",
    "purlType": "swid",
    "componentType": "data"
  },
  "users_snapshot": {
    "query": "SELECT username as name, uuid as version, description, directory, shell, uid, gid FROM users;",
    "description": "Local user inventory for account and shell posture analysis.",
    "purlType": "swid",
    "componentType": "data"
  },
  "logged_in_users_snapshot": {
    "query": "SELECT user as name, '' as version, type as description, pid, tty, host, time FROM logged_in_users;",
    "description": "Interactive and remote user sessions currently active on the host.",
    "purlType": "swid",
    "componentType": "data"
  },
  "shell_history_snapshot": {
    "query": "SELECT users.username as name, '' as version, shell_history.command as description, shell_history.time, shell_history.history_file, shell_history.uid FROM users JOIN shell_history USING (uid);",
    "description": "User shell command history metadata for investigation support.",
    "purlType": "swid",
    "componentType": "data"
  },
  "authorized_keys_snapshot": {
    "query": "SELECT users.username as name, authorized_keys.algorithm as version, authorized_keys.comment as description, authorized_keys.key_file, authorized_keys.options, authorized_keys.uid FROM users JOIN authorized_keys USING (uid);",
    "description": "Authorized SSH key metadata per account without exporting key material.",
    "purlType": "swid",
    "componentType": "data"
  },
  "sudoers_snapshot": {
    "query": "SELECT header as name, source as path, rule_details as description FROM sudoers;",
    "description": "Sudo policy entries for least-privilege and privileged access review.",
    "purlType": "swid",
    "componentType": "data"
  },
  "etc_hosts": {
    "query": "SELECT * FROM etc_hosts;",
    "description": "List the entries of the hosts file on the target system.",
    "purlType": "swid",
    "componentType": "data"
  },
  "crontab_snapshot": {
    "query": "SELECT * FROM crontab;",
    "description": "Retrieves all the jobs scheduled in crontab in the target system.",
    "purlType": "swid",
    "componentType": "data"
  },
  "sysctl_hardening": {
    "query": "SELECT name, current_value as version, name as sysctl_key, current_value FROM sysctl WHERE name IN ('kernel.randomize_va_space', 'kernel.kptr_restrict', 'net.ipv4.conf.all.accept_redirects', 'net.ipv4.conf.default.accept_redirects', 'net.ipv4.conf.all.send_redirects', 'net.ipv4.conf.default.send_redirects');",
    "description": "Linux sysctl posture entries aligned with common hardening baselines.",
    "purlType": "swid",
    "componentType": "data"
  },
  "kernel_modules": {
    "query": "SELECT * FROM kernel_modules;",
    "description": "Linux kernel modules both loaded and within the load search path.",
    "purlType": "swid",
    "componentType": "data"
  },
  "secureboot_certificates": {
    "query": "SELECT COALESCE(common_name, subject, sha1) as name, COALESCE(subject_key_id, sha1) as version, issuer as publisher, subject as description, common_name, subject, issuer, serial, sha1, revoked, path, is_ca, self_signed, key_usage, authority_key_id, subject_key_id, signing_algorithm, key_algorithm, key_strength, not_valid_before, not_valid_after FROM secureboot_certificates;",
    "description": "UEFI Secure Boot certificate inventory, including trusted and revoked entries, for firmware trust posture reviews.",
    "purlType": "swid",
    "componentType": "data"
  },
  "mount_hardening": {
    "query": "SELECT path as name, flags as version, device as description, path, device, type, flags FROM mounts WHERE path IN ('/tmp', '/var/tmp', '/dev/shm', '/home');",
    "description": "Linux mount points commonly reviewed for noexec, nodev, and nosuid hardening.",
    "purlType": "swid",
    "componentType": "data"
  },
  "systemd_units": {
    "query": "SELECT id as name, active_state as version, description, load_state, sub_state, unit_file_state, user, fragment_path, source_path FROM systemd_units;",
    "description": "Systemd unit state and execution source inventory.",
    "purlType": "swid",
    "componentType": "application"
  },
  "etc_services": {
    "query": "SELECT * FROM etc_services;",
    "description": "Service-to-port mappings configured in /etc/services.",
    "purlType": "swid",
    "componentType": "data"
  },
  "behavioral_reverse_shell": {
    "query": "SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%';",
    "description": "Find sh or bash processes with sockets open to remote addresses, excluding unbound endpoints (0.0.0.0, ::, empty) and the 10.* and 192.168.* ranges.",
    "purlType": "swid",
    "componentType": "data"
  },
  "process_events": {
    "query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';",
    "description": "Process events collected from the audit framework, excluding common helper utilities and any command line matching the '%_key%' or '%secret%' patterns.",
    "purlType": "swid",
    "componentType": "data"
  },
  "sudo_executions": {
    "query": "SELECT COALESCE((SELECT proc.name FROM processes AS proc WHERE proc.pid = process_events.pid), process_events.path) AS name, process_events.path, process_events.cmdline, process_events.cwd, process_events.auid, process_events.uid, process_events.euid, process_events.gid, process_events.egid, process_events.parent, process_events.pid, process_events.time, process_events.ctime, COALESCE((SELECT username FROM users WHERE uid = process_events.auid), '') AS login_user, COALESCE((SELECT username FROM users WHERE uid = process_events.uid), '') AS real_user, COALESCE((SELECT username FROM users WHERE uid = process_events.euid), '') AS effective_user, COALESCE((SELECT parent.name FROM processes AS parent WHERE parent.pid = process_events.parent), '') AS parent_name, COALESCE((SELECT parent.path FROM processes AS parent WHERE parent.pid = process_events.parent), '') AS parent_path, COALESCE((SELECT parent.cmdline FROM processes AS parent WHERE parent.pid = process_events.parent), '') AS parent_cmdline, COALESCE((SELECT unit.id FROM systemd_units AS unit WHERE unit.fragment_path = process_events.path OR unit.source_path = process_events.path LIMIT 1), '') AS service_unit, CASE WHEN process_events.path LIKE '/usr/bin/%' OR process_events.path LIKE '/usr/sbin/%' OR process_events.path LIKE '/bin/%' OR process_events.path LIKE '/sbin/%' THEN 'system-package-path' WHEN process_events.path LIKE '/opt/%' THEN 'optional-system-path' WHEN process_events.path LIKE '/snap/%' THEN 'snap-path' WHEN process_events.path LIKE '/home/%' OR process_events.path LIKE '/tmp/%' OR process_events.path LIKE '/var/tmp/%' OR process_events.path LIKE '/dev/shm/%' OR process_events.path LIKE '/run/user/%' THEN 'user-writable-path' ELSE 'unclassified-path' END AS package_source_hint FROM process_events WHERE (process_events.path IN ('/usr/bin/sudo', '/usr/bin/pkexec', '/usr/bin/doas', '/bin/su', '/usr/bin/su') OR process_events.cmdline LIKE 'sudo %' OR process_events.cmdline LIKE 'pkexec %' OR process_events.cmdline LIKE '% pkexec %' OR process_events.cmdline LIKE 'doas %' OR process_events.cmdline LIKE '% doas %' OR process_events.cmdline LIKE 'su %') AND process_events.cmdline NOT LIKE '%_key%' AND process_events.cmdline NOT LIKE '%secret%';",
    "description": "Privileged execution events involving sudo, pkexec, doas, or su, excluding command lines matching the '%_key%' or '%secret%' patterns.",
    "purlType": "swid",
    "componentType": "application"
  },
  "privilege_transitions": {
    "query": "SELECT COALESCE((SELECT proc.name FROM processes AS proc WHERE proc.pid = process_events.pid), process_events.path) AS name, process_events.path, process_events.cmdline, process_events.cwd, process_events.auid, process_events.uid, process_events.euid, process_events.gid, process_events.egid, process_events.parent, process_events.pid, process_events.time, process_events.ctime, COALESCE((SELECT username FROM users WHERE uid = process_events.auid), '') AS login_user, COALESCE((SELECT username FROM users WHERE uid = process_events.uid), '') AS real_user, COALESCE((SELECT username FROM users WHERE uid = process_events.euid), '') AS effective_user, COALESCE((SELECT parent.name FROM processes AS parent WHERE parent.pid = process_events.parent), '') AS parent_name, COALESCE((SELECT parent.path FROM processes AS parent WHERE parent.pid = process_events.parent), '') AS parent_path, COALESCE((SELECT parent.cmdline FROM processes AS parent WHERE parent.pid = process_events.parent), '') AS parent_cmdline, COALESCE((SELECT unit.id FROM systemd_units AS unit WHERE unit.fragment_path = process_events.path OR unit.source_path = process_events.path LIMIT 1), '') AS service_unit, CASE WHEN process_events.path LIKE '/usr/bin/%' OR process_events.path LIKE '/usr/sbin/%' OR process_events.path LIKE '/bin/%' OR process_events.path LIKE '/sbin/%' THEN 'system-package-path' WHEN process_events.path LIKE '/opt/%' THEN 'optional-system-path' WHEN process_events.path LIKE '/snap/%' THEN 'snap-path' WHEN process_events.path LIKE '/home/%' OR process_events.path LIKE '/tmp/%' OR process_events.path LIKE '/var/tmp/%' OR process_events.path LIKE '/dev/shm/%' OR process_events.path LIKE '/run/user/%' THEN 'user-writable-path' ELSE 'unclassified-path' END AS package_source_hint FROM process_events WHERE (process_events.uid != process_events.euid OR process_events.gid != process_events.egid) AND process_events.path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', '/bin/cut', '/bin/uname', '/bin/basename') AND process_events.cmdline NOT LIKE '%_key%' AND process_events.cmdline NOT LIKE '%secret%';",
    "description": "Process executions where the real and effective uid or gid differ, excluding common helper utilities and command lines matching the '%_key%' or '%secret%' patterns.",
    "purlType": "swid",
    "componentType": "application"
  },
  "elevated_processes": {
    "query": "SELECT DISTINCT process.name, process.path, process.cmdline, process.cwd, process.root, process.uid, process.gid, process.pid, process.parent, process.start_time, process.on_disk, COALESCE(users.username, '') AS account, COALESCE((SELECT parent.name FROM processes AS parent WHERE parent.pid = process.parent), '') AS parent_name, COALESCE((SELECT parent.path FROM processes AS parent WHERE parent.pid = process.parent), '') AS parent_path, COALESCE((SELECT parent.cmdline FROM processes AS parent WHERE parent.pid = process.parent), '') AS parent_cmdline, COALESCE((SELECT unit.id FROM systemd_units AS unit WHERE unit.fragment_path = process.path OR unit.source_path = process.path LIMIT 1), '') AS service_unit, CASE WHEN process.path LIKE '/usr/bin/%' OR process.path LIKE '/usr/sbin/%' OR process.path LIKE '/bin/%' OR process.path LIKE '/sbin/%' THEN 'system-package-path' WHEN process.path LIKE '/opt/%' THEN 'optional-system-path' WHEN process.path LIKE '/snap/%' THEN 'snap-path' WHEN process.path LIKE '/home/%' OR process.path LIKE '/tmp/%' OR process.path LIKE '/var/tmp/%' OR process.path LIKE '/dev/shm/%' OR process.path LIKE '/run/user/%' THEN 'user-writable-path' ELSE 'unclassified-path' END AS package_source_hint FROM processes AS process LEFT JOIN users ON process.uid = users.uid WHERE process.uid = 0 OR process.uid BETWEEN 1 AND 999;",
    "description": "Processes running as root or service-style system accounts with lineage hints.",
    "purlType": "swid",
    "componentType": "application"
  },
  "ld_preload": {
    "query": "SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, processes.path, processes.cmdline, processes.cwd FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD';",
    "description": "Any processes that run with an LD_PRELOAD environment variable.",
    "purlType": "swid",
    "componentType": "data"
  },
  "certificates": {
    "query": "SELECT * FROM certificates WHERE path != 'Other People';",
    "description": "List all certificates in the trust store, excluding the 'Other People' store path.",
    "purlType": "swid",
    "componentType": "data"
  },
  "processes": {
    "query": "SELECT * FROM processes;",
    "description": "List all processes.",
    "purlType": "swid",
    "componentType": "data"
  },
  "process_open_sockets": {
    "query": "SELECT * FROM process_open_sockets WHERE remote_address NOT IN ('0.0.0.0', '::', '');",
    "description": "Network sockets opened by processes with non-empty remote endpoints.",
    "purlType": "swid",
    "componentType": "data"
  },
  "startup_items": {
    "query": "SELECT * FROM startup_items;",
    "description": "List all startup items.",
    "purlType": "swid",
    "componentType": "data"
  },
  "listening_ports": {
    "query": "SELECT DISTINCT process.name, listening.port, listening.protocol, listening.family, listening.address, process.pid, process.path, process.cmdline, process.cwd, process.uid, process.on_disk, process.parent, process.start_time FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;",
    "description": "List all processes and their listening ports.",
    "purlType": "swid",
    "componentType": "application"
  },
  "privileged_listening_ports": {
    "query": "SELECT DISTINCT process.name, listening.port, listening.protocol, listening.family, listening.address, process.pid, process.path, process.cmdline, process.cwd, process.uid, process.gid, process.on_disk, process.parent, process.start_time, COALESCE(users.username, '') AS account, COALESCE((SELECT parent.name FROM processes AS parent WHERE parent.pid = process.parent), '') AS parent_name, COALESCE((SELECT parent.path FROM processes AS parent WHERE parent.pid = process.parent), '') AS parent_path, COALESCE((SELECT parent.cmdline FROM processes AS parent WHERE parent.pid = process.parent), '') AS parent_cmdline, COALESCE((SELECT unit.id FROM systemd_units AS unit WHERE unit.fragment_path = process.path OR unit.source_path = process.path LIMIT 1), '') AS service_unit, CASE WHEN process.path LIKE '/usr/bin/%' OR process.path LIKE '/usr/sbin/%' OR process.path LIKE '/bin/%' OR process.path LIKE '/sbin/%' THEN 'system-package-path' WHEN process.path LIKE '/opt/%' THEN 'optional-system-path' WHEN process.path LIKE '/snap/%' THEN 'snap-path' WHEN process.path LIKE '/home/%' OR process.path LIKE '/tmp/%' OR process.path LIKE '/var/tmp/%' OR process.path LIKE '/dev/shm/%' OR process.path LIKE '/run/user/%' THEN 'user-writable-path' ELSE 'unclassified-path' END AS package_source_hint FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid LEFT JOIN users ON process.uid = users.uid WHERE process.uid = 0 OR process.uid BETWEEN 1 AND 999;",
    "description": "Listening ports owned by root or service-style processes with lineage and path hints.",
    "purlType": "swid",
    "componentType": "application"
  },
  "interface_addresses": {
    "query": "SELECT * FROM interface_addresses;",
    "description": "List all interface addresses.",
    "purlType": "swid",
    "componentType": "data"
  },
  "docker_container_ports": {
    "query": "SELECT * FROM docker_container_ports;",
    "description": "List all Docker container ports.",
    "purlType": "swid",
    "componentType": "data"
  },
  "docker_containers": {
    "query": "SELECT * FROM docker_containers;",
    "description": "List all Docker containers.",
    "purlType": "swid",
    "componentType": "data"
  },
  "docker_networks": {
    "query": "SELECT * FROM docker_networks;",
    "description": "List all Docker networks.",
    "purlType": "swid",
    "componentType": "data"
  },
  "docker_volumes": {
    "query": "SELECT * FROM docker_volumes;",
    "description": "List all Docker volumes.",
    "purlType": "swid",
    "componentType": "data"
  }
}
