File: //opt/osquery/share/osquery/packs/hardware-monitoring.conf
{
  "queries": {
    "acpi_tables": {
      "query": "select * from acpi_tables;",
      "interval": 86400,
      "platform": "posix",
      "version": "1.3.0",
      "description": "General reporting and heuristics monitoring."
    },
    "cpuid": {
      "query": "select feature, value, output_register, output_bit, input_eax from cpuid;",
      "interval": 86400,
      "version": "1.0.4",
      "description": "General reporting and heuristics monitoring."
    },
    "smbios_tables": {
      "query": "select * from smbios_tables;",
      "interval": 86400,
      "platform": "posix",
      "version": "1.3.0",
      "description": "General reporting and heuristics monitoring."
    },
    "nvram": {
      "query": "select * from nvram where name not in ('backlight-level', 'SystemAudioVolumeDB', 'SystemAudioVolume');",
      "interval": 7200,
      "platform": "darwin",
      "version": "1.0.2",
      "description": "Report on crashes, alternate boots, and boot arguments."
    },
    "kernel_info": {
      "query": "select * from kernel_info join hash using (path);",
      "interval": 7200,
      "version": "1.4.0",
      "description": "Report the booted kernel, potential arguments, and the device."
    },
    "pci_devices": {
      "query": "select * from pci_devices;",
      "interval": 7200,
      "platform": "posix",
      "version": "1.0.4",
      "description": "Report an inventory of PCI devices. Attaches and detaches will show up in hardware_events."
    },
    "fan_speeds": {
      "query": "select * from fan_speed_sensors;",
      "interval": 7200,
      "platform": "darwin",
      "version": "1.7.1",
      "description": "Report current fan speeds in the target OSX system."
    },
    "temperatures": {
      "query": "select * from temperature_sensors;",
      "interval": 7200,
      "platform": "darwin",
      "version": "1.7.1",
      "description": "Report current machine temperatures in the target OSX system."
    },
    "usb_devices": {
      "query": "select * from usb_devices;",
      "interval": 7200,
      "platform": "posix",
      "version": "1.2.0",
      "description": "Report an inventory of USB devices. Attaches and detaches will show up in hardware_events."
    },
    "hardware_events": {
      "query" : "select * from hardware_events where path <> '' or model <> '';",
      "interval" : 7200,
      "platform": "posix",
      "removed": false,
      "version" : "1.4.5",
      "description" : "Retrieves all the hardware-related events in the target POSIX system.",
      "value" : "Determine if a third party device was attached to the system."
    },
    "darwin_kernel_system_controls": {
      "query": "select * from system_controls where subsystem = 'kern' and (name like '%boot%' or name like '%secure%' or name like '%single%');",
      "interval": 7200,
      "platform": "darwin",
      "version": "1.4.3",
      "description": "Double check the information reported in kernel_info and report the kernel signature."
    },
    "iokit_devicetree": {
      "query": "select * from iokit_devicetree;",
      "interval": 86400,
      "platform": "darwin",
      "version": "1.3.0",
      "description": "General inventory of IOKit's devices on OS X."
    },
    "efi_file_hashes": {
      "query": "select file.path, uid, gid, mode, 0 as atime, mtime, ctime, md5, sha1, sha256 from (select * from file where path like '/System/Library/CoreServices/%.efi' union select * from file where path like '/System/Library/LaunchDaemons/com.apple%efi%') file join hash using (path);",
      "interval": 7200,
      "removed": false,
      "version": "1.6.1",
      "platform": "darwin",
      "description": "Hash files related to EFI platform updates and EFI bootloaders on primary boot partition. This does not hash bootloaders on the EFI/boot partition."
    },
    "kernel_extensions": {
      "query" : "select * from kernel_extensions;",
      "interval" : "7200",
      "platform" : "darwin",
      "version" : "1.4.5",
      "description" : "Retrieves all the information about the current kernel extensions for the target OSX system."
    },
    "kernel_modules": {
      "query" : "select * from kernel_modules;",
      "interval" : "7200",
      "platform" : "linux",
      "version" : "1.4.5",
      "description" : "Retrieves all the information for the current kernel modules in the target Linux system."
    },
    "windows_drivers": {
      "query" : "select * from drivers;",
      "interval" : "7200",
      "platform" : "windows",
      "version" : "2.2.0",
      "description" : "Retrieves all the information for the current Windows drivers in the target Windows system."
    },
    "device_nodes": {
      "query": "select file.path, uid, gid, mode, 0 as atime, mtime, ctime, block_size, type from file where directory = '/dev/';",
      "interval": "7200",
      "platform": "posix",
      "version": "1.6.0",
      "description": "Inventory all 'device' nodes in /dev/."
    }
  }
}