Default ubuntu_seed Profile

This Uptycs seed profile consists of a default set of queries and interval timings (in seconds) for Ubuntu and other Debian-based distributions.


Name
Query
Interval
Minimum osquery Version
Description
acpi_tables
SELECT * FROM acpi_tables;
3600 1.3.0  










apk_packages
SELECT *
7200 4.2.0.6  
  FROM apk_packages

 
  WHERE system_type IN ('docker_container', 'crio_container')      





apparmor_profiles
SELECT *
19800 4.2.0.1

FROM apparmor_profiles;







apt_sources
SELECT *
19800 1.3.0

FROM apt_sources;







arp_cache
SELECT *
600 1.1.0

FROM arp_cache;







atom_packages
SELECT *
43200 4.2.0.1

FROM atom_packages;







audit_status
SELECT *
600 3.3.2.30

FROM audit_status;







authorized_keys
SELECT *
3600 1.6.1

FROM authorized_keys



WHERE authorized_keys.uid IN (



    SELECT uid



    FROM users



  );







block_devices
SELECT *
3600 1.0.4

FROM block_devices;







carbon_black_info
SELECT *
7200 2.0.0

FROM carbon_black_info;







certificates
SELECT *
3600 1.4.3

FROM certificates;

















chrome_extension_content_scripts
SELECT *
7200 4.4.0.5

FROM chrome_extension_content_scripts



WHERE chrome_extension_content_scripts.uid IN (



    SELECT uid



    FROM users



  );







chrome_extensions
SELECT *
7200 1.4.3

FROM chrome_extensions



WHERE chrome_extensions.uid IN (



    SELECT uid



    FROM users



  );







cpu_time
SELECT *
300 1.7.2

FROM cpu_time;







cpuid
SELECT *
3600 1.0.4

FROM cpuid;







crio_container_labels
SELECT *
600 4.2.0.6

FROM crio_container_labels;







crio_container_mounts
SELECT *
600 4.2.0.6

FROM crio_container_mounts;







crio_container_stats
SELECT *
600 4.2.0.6

FROM crio_container_stats;







crio_containers
SELECT *
600 4.2.0.6

FROM crio_containers;







crio_image_fs_info
SELECT *
600 4.2.0.6

FROM crio_image_fs_info;







crio_images
SELECT *
3600 4.2.0.6

FROM crio_images;







crio_pod_sandbox_labels
SELECT *
600 4.2.0.6

FROM crio_pod_sandbox_labels;







crio_pod_sandboxes
SELECT *
600 4.2.0.6

FROM crio_pod_sandboxes;







crio_status
SELECT *
3600 4.2.0.6

FROM crio_status;







crio_version
SELECT *
3600 4.2.0.6

FROM crio_version;







crontab
SELECT *
7200 1.0.4

FROM crontab;







deb_packages
SELECT *
19800 1.0.2

FROM deb_packages;







deb_packages
SELECT *
7200 4.2.0.6

FROM deb_packages



WHERE system_type IN ('host', 'docker_container', 'crio_container')







diag_watcher_stats
SELECT *
3600 3.3.2.32

FROM diag_watcher_stats;







disk_encryption
SELECT *
3600 1.4.5

FROM disk_encryption;







dns_resolvers
SELECT *
600 1.7.1

FROM dns_resolvers;







docker_container_labels
SELECT *
600 2.4.4

FROM docker_container_labels;







docker_container_mounts
SELECT *
600 2.4.4

FROM docker_container_mounts;







docker_container_networks
SELECT *
600 2.4.4

FROM docker_container_networks;







docker_container_ports
SELECT *
600 2.4.4

FROM docker_container_ports;







docker_container_processes
SELECT id,
30 4.2.0.34

  pid,



  name,



  cmdline,



  uid,



  gid,



  euid,



  egid,



  suid,



  sgid,



  start_time,



  parent,



  pgroup,



  nice



FROM docker_container_processes;







docker_containers
SELECT id,
30 2.4.4

  name,



  image,



  image_id,



  command,



  created,



  state



FROM docker_containers;







docker_containers
SELECT id,
30 3.2.4

  name,



  image,



  image_id,



  command,



  created,



  state,



  status,



  pid,



  path,



  config_entrypoint,



  started_at,



  finished_at,



  ipc_namespace,



  mnt_namespace,



  net_namespace,



  pid_namespace,



  user_namespace,



  uts_namespace



FROM docker_containers;







docker_image_history
SELECT *
3600 4.2.0.6

FROM docker_image_history;







docker_image_labels
SELECT *
3600 2.4.4

FROM docker_image_labels;







docker_image_layers
SELECT *
3600 4.2.0.1

FROM docker_image_layers;







docker_images
SELECT *
3600 2.4.4

FROM docker_images;







docker_info
SELECT *
21600 2.4.4

FROM docker_info;







docker_network_labels
SELECT *
3600 2.4.4

FROM docker_network_labels;







docker_networks
SELECT *
3600 2.4.4

FROM docker_networks;







docker_version
SELECT *
21600 2.4.4

FROM docker_version;







docker_volume_labels
SELECT *
3600 2.4.4

FROM docker_volume_labels;







docker_volumes
SELECT *
3600 2.4.4

FROM docker_volumes;







ebpf_kernel_support
SELECT *
3600 4.4.0.5

FROM ebpf_kernel_support;







ec2_instance_metadata
SELECT *
7200 2.7.0

FROM ec2_instance_metadata;







efivars
SELECT *
21600 4.4.0.5

FROM efivars;







etc_hosts
SELECT *
19800 1.0.2

FROM etc_hosts;







etc_protocols
SELECT *
19800 1.4.5

FROM etc_protocols;







etc_services
SELECT *
19800 1.2.2

FROM etc_services;







firefox_addons
SELECT *
7200 1.4.3

FROM firefox_addons



WHERE firefox_addons.uid IN (



    SELECT uid



    FROM users



  );







groups
SELECT *
3600 1.0.2

FROM groups;







interface_addresses
SELECT *
3600 1.0.2

FROM interface_addresses;







interface_details
SELECT *
600 1.0.2

FROM interface_details;







interface_details d, interface_addresses a, routes c
WITH main_interfaces AS (
7200 1.0.2

  SELECT d.interface,



    d.mac,



    a.address,



    a.mask,



    'true' AS ismain



  FROM interface_details d,



    interface_addresses a



  WHERE d.interface = a.interface



    AND a.interface = (



      SELECT interface



      FROM routes



      WHERE TYPE = 'gateway'



        AND (



          (



            destination = '0.0.0.0'



            AND netmask = '0'



          )



          OR (



            destination = '::'



            AND netmask = '0'



          )



        )



      LIMIT 1



    )



), all_interfaces AS (



  SELECT d.interface,



    d.mac,



    a.address,



    a.mask,



    'false' AS ismain



  FROM interface_details d,



    interface_addresses a



  WHERE d.interface = a.interface



    AND d.interface != 'lo'



    AND (



      a.broadcast != ''



      OR a.point_to_point != ''



    )



)



SELECT a.interface AS interface,



  a.mac AS mac,



  a.address AS address,



  a.mask AS mask,



  b.ismain AS is_primary



FROM all_interfaces a



  LEFT JOIN main_interfaces b ON a.address = b.address



  AND a.mac = b.mac



  AND a.interface = b.interface



  AND a.mask = b.mask;







interface_ipv6
SELECT *
21600 3.3.2.2

FROM interface_ipv6;







iptables
SELECT *
19800 1.4.6

FROM iptables;







kernel_info
SELECT *
3600 1.4.0

FROM kernel_info;







kernel_integrity
SELECT *
1800 1.3.0

FROM kernel_integrity;







kernel_modules
SELECT *
1200 1.0.2

FROM kernel_modules;







known_hosts
SELECT *
3600 1.6.1

FROM known_hosts



WHERE known_hosts.uid IN (



    SELECT uid



    FROM users



  );







last
SELECT *
3600 1.0.2

FROM last;







listening_ports
SELECT *
19800 1.0.2

FROM listening_ports;







load_average
SELECT *
60 2.5.0

FROM load_average;







logged_in_users
SELECT *
60 1.2.0

FROM logged_in_users;







lxd_certificates
SELECT *
3600 4.2.0.6

FROM lxd_certificates;







lxd_cluster
SELECT *
600 4.2.0.6

FROM lxd_cluster;







lxd_cluster_members
SELECT *
600 4.2.0.6

FROM lxd_cluster_members;







lxd_images
SELECT *
3600 4.2.0.6

FROM lxd_images;







lxd_instances
SELECT *
30 4.2.0.6

FROM lxd_instances;







lxd_networks
SELECT *
3600 4.2.0.6

FROM lxd_networks;







lxd_storage_pools
SELECT *
3600 4.2.0.6

FROM lxd_storage_pools;







md_devices
SELECT *
21600 2.6.0

FROM md_devices;







md_drives
SELECT *
21600 2.6.0

FROM md_drives;







md_personalities
SELECT *
21600 2.6.0

FROM md_personalities;







memory_array_mapped_addresses
SELECT *
19800 3.2.6

FROM memory_array_mapped_addresses;







memory_arrays
SELECT *
19800 3.2.6

FROM memory_arrays;







memory_device_mapped_addresses
SELECT *
19800 3.2.6

FROM memory_device_mapped_addresses;







memory_devices
SELECT *
21600 3.2.6

FROM memory_devices;







memory_error_info
SELECT *
19800 3.2.6

FROM memory_error_info;







memory_info
SELECT *
300 1.8.2

FROM memory_info;







memory_map
SELECT *
3600 1.4.0

FROM memory_map;







mounts
SELECT *
600 1.0.4

FROM mounts;







msr
SELECT *
3600 1.4.6

FROM msr;







npm_packages
SELECT *
21600 3.2.6

FROM npm_packages;







oem_strings
SELECT *
21600 3.3.2.2

FROM oem_strings;







opera_extensions
SELECT *
7200 1.4.5

FROM opera_extensions



WHERE opera_extensions.uid IN (



    SELECT uid



    FROM users



  );







os_version
SELECT *
21600 1.4.3

FROM os_version;







os_version
SELECT *
7200 4.2.0.6

FROM os_version



WHERE system_type IN ('host', 'docker_container', 'crio_container', '');







osquery_config
SELECT *
3600 3.3.2.30

FROM osquery_config;







osquery_events
SELECT *
600 1.5.3

FROM osquery_events;







osquery_extensions
SELECT *
3600 1.4.1

FROM osquery_extensions;







osquery_flags
SELECT *
3600 1.2.2

FROM osquery_flags;







osquery_info
SELECT *
3600 1.2.2

FROM osquery_info;







osquery_packs
SELECT *
3600 1.4.6

FROM osquery_packs;







osquery_registry
SELECT *
3600 1.4.3

FROM osquery_registry;







osquery_schedule
SELECT *
19800 1.4.5

FROM osquery_schedule;







osquery_upt_stats
SELECT *
600 3.3.2.28

FROM osquery_upt_stats;







pci_devices
SELECT *
3600 1.0.4

FROM pci_devices;







platform_info
SELECT *
7200 1.6.2

FROM platform_info;







process_envs
SELECT *
300 1.0.4

FROM process_envs;







process_namespaces
SELECT *
21600 3.3.2.2

FROM process_namespaces;







process_open_files
SELECT *
300 1.0.4

FROM process_open_files;







process_open_pipes
SELECT *
600 4.2.0.1

FROM process_open_pipes;







process_open_sockets
SELECT *
30 1.3.0

FROM process_open_sockets



WHERE NOT (



    protocol IN (6, 17)



    AND remote_address != '::'



    AND remote_address != '0.0.0.0'



    AND remote_address NOT LIKE '10.%'



    AND remote_address NOT LIKE '192.168.%'



    AND CASE



      WHEN remote_address LIKE '172.__.%'



      AND SUBSTR(remote_address, 5, 2) BETWEEN '16' AND '31' THEN 0



      ELSE 1



    END



  );







process_open_sockets
SELECT *
30 1.3.0

FROM process_open_sockets



WHERE protocol IN (6, 17)



  AND remote_address != '::'



  AND remote_address != '0.0.0.0'



  AND remote_address NOT LIKE '::ffff:%'



  AND remote_address NOT LIKE '127.%'



  AND remote_address NOT LIKE '10.%'



  AND remote_address NOT LIKE '192.168.%'



  AND CASE



    WHEN remote_address LIKE '172.__.%'



    AND SUBSTR(remote_address, 5, 2) BETWEEN '16' AND '31' THEN 0



    ELSE 1



  END;







processes
SELECT pid,
300 1.0.2

  cmdline,



  user_time,



  system_time,



  start_time



FROM processes;







processes
SELECT pid,
30 1.0.2

  name,



  path,



  cmdline,



  cwd,



  root,



  uid,



  gid,



  euid,



  egid,



  suid,



  sgid,



  on_disk,



  parent,



  pgroup,



  nice



FROM processes;







processes
SELECT pid,
30 3.2.6

  name,



  path,



  cmdline,



  cwd,



  root,



  uid,



  gid,



  euid,



  egid,



  suid,



  sgid,



  on_disk,



  parent,



  pgroup,



  nice,



  is_elevated_token,



  cgroup_namespace,



  ipc_namespace,



  mnt_namespace,



  net_namespace,



  pid_namespace,



  user_namespace,



  uts_namespace



FROM processes;







processes
SELECT pid,
30 3.3.2

  name,



  path,



  cmdline,



  cwd,



  root,



  uid,



  gid,



  euid,



  egid,



  suid,



  sgid,



  on_disk,



  parent,



  pgroup,



  nice,



  is_elevated_token



FROM processes;







processes
SELECT pid,
30 3.3.2.63

  name,



  path,



  cmdline,



  cwd,



  root,



  uid,



  gid,



  euid,



  egid,



  suid,



  sgid,



  on_disk,



  parent,



  pgroup,



  nice,



  is_elevated_token,



  upid,



  uppid,



  cpu_type,



  cpu_subtype,



  is_container_process,



  pid_ns



FROM processes;







processes a, hash h
SELECT a.pid,
300 1.2.0

  a.name,



  a.path,



  a.cmdline,



  a.state,



  a.cwd,



  a.root,



  a.uid,



  a.gid,



  a.euid,



  a.egid,



  a.suid,



  a.sgid,



  a.on_disk,



  a.wired_size,



  a.start_time,



  a.parent,



  a.pgroup,



  a.nice,



  h.directory,



  h.md5,



  h.sha1,



  h.sha256



FROM processes a,



  hash h



WHERE a.path = h.path;







python_packages
SELECT *
19800 2.4.0

FROM python_packages;







routes
SELECT *
3600 1.0.2

FROM routes;







rpm_packages
SELECT *
19800 1.0.2

FROM rpm_packages;







rpm_packages
SELECT *
7200 4.2.0.6

FROM rpm_packages



WHERE system_type IN ('host', 'docker_container', 'crio_container')







selinux_settings
SELECT *
19800 4.2.0.1

FROM selinux_settings;







shadow
SELECT *
300 2.11.0

FROM shadow;







shared_memory
SELECT *
3600 1.4.0

FROM shared_memory;







shell_history
SELECT *
3600 1.2.0

FROM shell_history



WHERE shell_history.uid IN (



    SELECT uid



    FROM users



  );







slack_user_info
SELECT *
3600 3.3.2.30

FROM slack_user_info;







smbios_tables
SELECT *
3600 1.3.0

FROM smbios_tables;







ssh_configs
SELECT *
21600 3.3.2.2

FROM ssh_configs;







sudoers
SELECT *
3600 2.2.0

FROM sudoers;







suid_bin
SELECT *
3600 1.0.4

FROM suid_bin;







system_controls
SELECT *
19800 1.4.3

FROM system_controls;







system_info
SELECT *
21600 1.5.3

FROM system_info;







ulimit_info
SELECT *
21600 3.3.2.2

FROM ulimit_info;







upt_op_metrics
SELECT c.total AS cpu_total,
15 1.0.4

  c.idle AS cpu_idle,



  m.memory_total AS memory_total,



  m.memory_free AS memory_free,



  m.swap_total AS swap_total,



  m.swap_free AS swap_free,



  d.total AS disk_total,



  d.free AS disk_free,



  n.in_bytes AS in_bytes,



  n.out_bytes AS out_bytes



FROM (



    SELECT SUM(



        user + nice + system + idle + iowait + irq + softirq + steal



      ) AS total,



      SUM(idle) AS idle



    FROM cpu_time



  ) c,



  (



    SELECT memory_total,



      memory_free,



      swap_total,



      swap_free



    FROM memory_info



  ) m,



  (



    SELECT SUM(blocks) AS total,



      SUM(blocks_available) AS free



    FROM (



        SELECT DISTINCT device,



          blocks,



          blocks_available



        FROM mounts



        WHERE blocks > 0



          AND TYPE NOT LIKE '%tmpfs'



      )



  ) d,



  (



    SELECT SUM(ibytes) AS in_bytes,



      SUM(obytes) AS out_bytes



    FROM interface_details



    WHERE interface != 'lo'



  ) n;







uptime
SELECT *
3600 1.5.0

FROM uptime;







usb_devices
SELECT *
3600 1.2.0

FROM usb_devices;







user_groups
SELECT *
3600 1.4.6

FROM user_groups;







user_ssh_keys
SELECT *
3600 1.8.1

FROM user_ssh_keys;







users
SELECT *
300 1.0.2

FROM users;







yum_sources
SELECT *
21600 3.2.4

FROM yum_sources;