Zander Mackie
09/10/2021, 4:50 PM
osquery_packs table doesn't seem to be registering my shard settings correctly. I'm guessing this is a bug? Happy to file it.
[STD-DEV]16:48:00 root@si-i-02caa65087583c219 /home/zmackie # cat /usr/share/osquery/packs/testing.conf
{
  "testing": {
    "shard": 10, <<<--
    "queries": {
      "osquery_info": {
        "query": "SELECT * FROM osquery_info;",
        "interval": 86400,
        "description": "Information about the running osquery configuration",
        "snapshot": true
      },
      // This is a simple example query that outputs basic system information.
      "system_info": {
        // The exact query to run.
        "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
        // The interval in seconds to run this query, not an exact interval.
        "interval": 3600
      },
      "crontab": {
        "query" : "select * from crontab;",
        "interval" : "3600",
        "platform": "posix",
        "version" : "1.4.5",
        "description" : "Retrieves all the jobs scheduled in crontab in the target system.",
        "value" : "Identify malware that uses this persistence mechanism to launch at a given interval"
      }
    }
  }
}
[STD-DEV]16:48:23 root@si-i-02caa65087583c219 /home/zmackie # echo "select * from osquery_packs;" | osqueryi
+--------------------+----------+---------+-------+----------------------+----------------------+--------+
| name               | platform | version | shard | discovery_cache_hits | discovery_executions | active |
+--------------------+----------+---------+-------+----------------------+----------------------+--------+
| main               |          |         | 0     | 1                    | 1                    | 1      |
| base               | posix    |         | 0     | 1                    | 1                    | 1      |
| testing            |          |         | 0 <<< | 1                    | 1                    | 1      |
| osquery-monitoring |          |         | 0     | 1                    | 1                    | 1      |
+--------------------+----------+---------+-------+----------------------+----------------------+--------+
seph
09/10/2021, 4:53 PM
Zander Mackie
09/10/2021, 4:56 PM
sharvil
09/10/2021, 5:26 PM
--verbose flag too? See if anything pops up? And which version of osquery is it?
Zander Mackie
09/10/2021, 5:39 PM
[STD-DEV]17:38:24 root@si-i-02caa65087583c219 /home/zmackie # echo "select * from osquery_packs;" | osqueryi --verbose
I0910 17:38:27.343184 14644 init.cpp:357] osquery initialized [version=4.9.0]
I0910 17:38:27.343250 14644 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /etc/osquery/extensions.load
I0910 17:38:27.343308 14644 init.cpp:568] An error occurred during extension manager startup: Extensions disabled
I0910 17:38:27.343335 14644 auto_constructed_tables.cpp:97] Removing stale ATC entries
I0910 17:38:27.343868 14644 packs.cpp:177] No queries defined for pack testing
I0910 17:38:27.345997 14644 virtual_table.cpp:1081] Table curl is disabled, not attaching
I0910 17:38:27.358563 14644 smbios_tables.cpp:105] Reading SMBIOS from sysfs DMI node
I0910 17:38:27.358790 14644 eventfactory.cpp:156] Event publisher not enabled: BPFEventPublisher: Publisher disabled via configuration
I0910 17:38:27.358808 14644 eventfactory.cpp:156] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration
I0910 17:38:27.358827 14644 eventfactory.cpp:156] Event publisher not enabled: syslog: Publisher disabled via configuration
I0910 17:38:27.358891 14644 events.cpp:36] Skipping subscriber: apparmor_events: Subscriber disabled via configuration
I0910 17:38:27.358942 14644 events.cpp:36] Skipping subscriber: process_file_events: Subscriber disabled via configuration
I0910 17:38:27.358955 14644 events.cpp:36] Skipping subscriber: seccomp_events: Seccomp subscriber disabled via configuration
I0910 17:38:27.358966 14644 events.cpp:36] Skipping subscriber: selinux_events: Subscriber disabled via configuration
I0910 17:38:27.358978 14644 events.cpp:36] Skipping subscriber: socket_events: Subscriber disabled via configuration
I0910 17:38:27.359735 14644 file_events.cpp:87] Added file event listener to: /etc/logrotate.d/**
I0910 17:38:27.359752 14644 file_events.cpp:87] Added file event listener to: /etc/systemd/**
I0910 17:38:27.359760 14644 file_events.cpp:87] Added file event listener to: /etc/rc*/**
I0910 17:38:27.359768 14644 file_events.cpp:87] Added file event listener to: /etc/passwd
I0910 17:38:27.359776 14644 file_events.cpp:87] Added file event listener to: /etc/ssh/sshd_config
I0910 17:38:27.359784 14644 file_events.cpp:87] Added file event listener to: /etc/ssh/ssh_config
I0910 17:38:27.359795 14644 file_events.cpp:87] Added file event listener to: /etc/pam*
I0910 17:38:27.359805 14644 file_events.cpp:87] Added file event listener to: /etc/pam.d/**
I0910 17:38:27.369658 14722 eventfactory.cpp:390] Starting event publisher run loop: inotify
I0910 17:38:27.369678 14723 eventfactory.cpp:390] Starting event publisher run loop: udev
+--------------------+----------+---------+-------+----------------------+----------------------+--------+
| name               | platform | version | shard | discovery_cache_hits | discovery_executions | active |
+--------------------+----------+---------+-------+----------------------+----------------------+--------+
| main               |          |         | 0     | 1                    | 1                    | 1      |
| base               | posix    |         | 0     | 1                    | 1                    | 1      |
| testing            |          |         | 0     | 1                    | 1                    | 1      |
| osquery-monitoring |          |         | 0     | 1                    | 1                    | 1      |
+--------------------+----------+---------+-------+----------------------+----------------------+--------+
I0910 17:38:27.369870 14644 dispatcher.cpp:149] Thread: 140224691451584 requesting a stop
I0910 17:38:27.369884 14644 dispatcher.cpp:122] Thread: 140224691451584 requesting a join
I0910 17:38:27.369895 14644 dispatcher.cpp:144] Services and threads have been cleared
4.9.0
sharvil
09/10/2021, 5:43 PM
No queries defined for pack testing in the verbose output
Zander Mackie
09/10/2021, 5:46 PM
sharvil
09/10/2021, 5:48 PM
system_info and crontab be inside the queries block?