+++ /dev/null
-/**
- * Copyright (c) 2014-present, Facebook, Inc.
- * All rights reserved.
- *
- * This source code is licensed in accordance with the terms specified in
- * the LICENSE file found in the root directory of this source tree.
- */
-
-#pragma once
-
-#include <map>
-#include <utility>
-
-#include <boost/noncopyable.hpp>
-
-#define GFLAGS_DLL_DEFINE_FLAG
-#define GFLAGS_DLL_DECLARE_FLAG
-#define STRIP_FLAG_HELP 1
-#include <gflags/gflags.h>
-
-#include <osquery/core.h>
-#include <osquery/utils/status/status.h>
-
-#ifdef FREEBSD
-#define GFLAGS_NAMESPACE gflags
-#elif !defined(GFLAGS_NAMESPACE)
-#define GFLAGS_NAMESPACE google
-#endif
-
-namespace osquery {
-
-struct FlagDetail {
- std::string description;
- bool shell;
- bool external;
- bool cli;
- bool hidden;
-};
-
-struct FlagInfo {
- std::string type;
- std::string description;
- std::string default_value;
- std::string value;
- FlagDetail detail;
-};
-
-/**
- * @brief A small tracking wrapper for options, binary flags.
- *
- * The osquery-specific gflags-like options define macro `FLAG` uses a Flag
- * instance to track the options data.
- */
-class Flag : private boost::noncopyable {
- public:
- /*
- * @brief Create a new flag.
- *
- * @param name The 'name' or the options switch data.
- * @param flag Flag information filled in using the helper macro.
- *
- * @return A mostly needless flag instance.
- */
- static int create(const std::string& name, const FlagDetail& flag);
-
- /// Create a Gflags alias to name, using the Flag::getValue accessor.
- static int createAlias(const std::string& alias, const FlagDetail& flag);
-
- /// Singleton accessor.
- static Flag& instance();
-
- private:
- /// Keep the ctor private, for accessing through `add` wrapper.
- Flag() = default;
- virtual ~Flag() = default;
-
- public:
- /// The public flags instance, usable when parsing `--help`.
- static std::map<std::string, FlagInfo> flags();
-
- /*
- * @brief Access value for a flag name.
- *
- * @param name the flag name.
- * @param value output parameter filled with the flag value on success.
- * @return status of the flag did exist.
- */
- static Status getDefaultValue(const std::string& name, std::string& value);
-
- /*
- * @brief Check if flag value has been overridden.
- *
- * @param name the flag name.
- * @return is the flag set to its default value.
- */
- static bool isDefault(const std::string& name);
-
- /*
- * @brief Update the flag value by string name,
- *
- * @param name the flag name.
- * @parma value the new value.
- * @return if the value was updated.
- */
- static Status updateValue(const std::string& name, const std::string& value);
-
- /*
- * @brief Get the value of an osquery flag.
- *
- * @param name the flag name.
- */
- static std::string getValue(const std::string& name);
-
- /// Get the flag value as a long int.
- static long int getInt32Value(const std::string& name);
-
- /*
- * @brief Get the type as a string of an osquery flag.
- *
- * @param name the flag name.
- */
- static std::string getType(const std::string& name);
-
- /*
- * @brief Get the description as a string of an osquery flag.
- *
- * @param name the flag name.
- */
- static std::string getDescription(const std::string& name);
-
- /*
- * @brief Print help-style output to stdout for a given flag set.
- *
- * @param shell Only print shell flags.
- * @param external Only print external flags (from extensions).
- */
- static void printFlags(bool shell = false,
- bool external = false,
- bool cli = false);
-
- private:
- /// The container of all shell, CLI, and normal flags.
- std::map<std::string, FlagDetail> flags_;
-
- /// A container for hidden or aliased (legacy, compatibility) flags.
- std::map<std::string, FlagDetail> aliases_;
-
- /// Configurations may set "custom_" flags.
- std::map<std::string, std::string> custom_;
-};
-} // namespace osquery
-
-/*
- * @brief Replace gflags' `DEFINE_type` macros to track osquery flags.
- *
- * Do not use this macro within the codebase directly! Use the subsequent macros
- * that abstract the tail of boolean arguments into meaningful statements.
- *
- * @param type(t) The `_type` symbol portion of the gflags define.
- * @param name(n) The name symbol passed to gflags' `DEFINE_type`.
- * @param value(v) The default value, use a C++ literal.
- * @param desc(d) A string literal used for help display.
- * @param shell(s) Boolean, true if this is only supported in osqueryi.
- * @param extension(e) Boolean, true if this is only supported in an extension.
- * @param cli(c) Boolean, true if this can only be set on the CLI (or flagfile).
- * This helps documentation since flags can also be set within configuration
- * as "options".
- * @param hidden(h) Boolean, true if this is hidden from help displays.
- */
-#define OSQUERY_FLAG(t, n, v, d, s, e, c, h) \
- DEFINE_##t(n, v, d); \
- namespace flags { \
- const int flag_##n = Flag::create(#n, {d, s, e, c, h}); \
- }
-
-/*
- * @brief Create a command line flag and configuration option.
- *
- * This is an abstraction around Google GFlags that allows osquery to organize
- * the various types of "flags" used to turn features on and off and configure.
- *
- * A FLAG can be set within a `flagfile`, as a command line switch, or via
- * a configuration's "options" key.
- *
- * @param t the type of flag, use the C++ symbol or literal type exactly.
- * @param n the flag name as a symbol, write flagname instead of "flagname".
- * @param v the default value.
- * @param d the help description, please be concise.
- */
-#define FLAG(t, n, v, d) OSQUERY_FLAG(t, n, v, d, 0, 0, 0, 0)
-
-/// See FLAG, but SHELL_FLAG%s are only available in osqueryi.
-#define SHELL_FLAG(t, n, v, d) OSQUERY_FLAG(t, n, v, d, 1, 0, 0, 0)
-
-/// See FLAG, but EXTENSION_FLAG%s are only available to extensions.
-#define EXTENSION_FLAG(t, n, v, d) OSQUERY_FLAG(t, n, v, d, 0, 1, 0, 0)
-
-/// See FLAG, but CLI_FLAG%s cannot be set within configuration "options".
-#define CLI_FLAG(t, n, v, d) OSQUERY_FLAG(t, n, v, d, 0, 0, 1, 0)
-
-/// See FLAG, but HIDDEN_FLAGS%s are not shown in --help.
-#define HIDDEN_FLAG(t, n, v, d) OSQUERY_FLAG(t, n, v, d, 0, 0, 0, 1)
+++ /dev/null
-/**
- * Copyright (c) 2014-present, Facebook, Inc.
- * All rights reserved.
- *
- * This source code is licensed in accordance with the terms specified in
- * the LICENSE file found in the root directory of this source tree.
- */
-
-#pragma once
-
-#include <chrono>
-#include <string>
-
-#include "osquery/utils/conversions/tryto.h"
-#include <osquery/utils/expected/expected.h>
-
-namespace osquery {
-
-namespace monitoring {
-
-struct RecordKeys {
- std::string path;
- std::string value;
- std::string timestamp;
- std::string pre_aggregation;
- std::string sync;
-};
-
-struct HostIdentifierKeys {
- std::string name;
- std::string scheme;
-};
-
-const HostIdentifierKeys& hostIdentifierKeys();
-
-const RecordKeys& recordKeys();
-
-const char* registryName();
-
-/**
- * Types for clock and time point in monitoring plugin
- */
-using Clock = std::chrono::system_clock;
-using TimePoint = Clock::time_point;
-
-using ValueType = long long int;
-
-enum class PreAggregationType {
- None,
- Sum,
- Min,
- Max,
- Avg,
- Stddev,
- P10, // Estimates 10th percentile
- P50, // Estimates 50th percentile
- P95, // Estimates 95th percentile
- P99, // Estimates 99th percentile
- // not existing PreAggregationType, upper limit definition
- InvalidTypeUpperLimit,
-};
-
-/**
- * @brief Record new point to numeric monitoring system.
- *
- * @param path A unique key in monitoring system. If you need to add some common
- * prefix for all osquery points do it in the plugin code.
- * @param value A numeric value of new point.
- * @param pre_aggregation An preliminary aggregation type for this particular
- * path @see PreAggregationType. It allows some numeric monitoring plugins
- * pre-aggregate points before send it.
- * @param sync when true pushes record without any buffering. This value is also
- * propagated to the plugin, so call to the plugin only returns once record is
- * sent.
- * @param time_point A time of new point, in vast majority of cases it is just
- * a now time (default time).
- *
- * Common way to use it:
- * @code{.cpp}
- * monitoring::record("watched.parameter.path",
- * 10.42,
- * monitoring::PreAggregationType::Sum);
- * @endcode
- */
-void record(const std::string& path,
- ValueType value,
- PreAggregationType pre_aggregation = PreAggregationType::None,
- const bool sync = false,
- TimePoint time_point = Clock::now());
-
-/**
- * Force flush the pre-aggregation buffer.
- * Please use it, only when it's totally necessary.
- */
-void flush();
-
-}; // namespace monitoring
-
-/**
- * Generic to convert PreAggregationType to string
- */
-template <typename ToType>
-typename std::enable_if<std::is_same<std::string, ToType>::value, ToType>::type
-to(const monitoring::PreAggregationType& from);
-
-/**
- * Generic to parse PreAggregationType from string
- */
-template <typename ToType>
-typename std::enable_if<
- std::is_same<monitoring::PreAggregationType, ToType>::value,
- Expected<ToType, ConversionError>>::type
-tryTo(const std::string& from);
-
-} // namespace osquery
+++ /dev/null
-/**
- * Copyright (c) 2014-present, Facebook, Inc.
- * All rights reserved.
- *
- * This source code is licensed in accordance with the terms specified in
- * the LICENSE file found in the root directory of this source tree.
- */
-
-#pragma once
-
-#include <atomic>
-#include <map>
-#include <string>
-#include <vector>
-
-#include <gtest/gtest_prod.h>
-
-#include <boost/noncopyable.hpp>
-
-#include <osquery/query.h>
-
-#include <gtest/gtest_prod.h>
-
-namespace osquery {
-
-/// Statistics about Pack discovery query actions.
-struct PackStats {
- size_t total{0};
- size_t hits{0};
- size_t misses{0};
-};
-
-/**
- * @brief The programmatic representation of a query pack
- */
-class Pack : private boost::noncopyable {
- public:
- Pack(const std::string& name, const rapidjson::Value& obj)
- : Pack(name, "", obj) {}
-
- Pack(const std::string& name,
- const std::string& source,
- const rapidjson::Value& obj) {
- initialize(name, source, obj);
- }
-
- void initialize(const std::string& name,
- const std::string& source,
- const rapidjson::Value& obj);
- /**
- * @brief Getter for the pack's discovery query
- *
- * If the pack doesn't have a discovery query, false will be returned. If
- * the pack does have a discovery query, true will be returned and `query`
- * will be populated with the pack's discovery query
- *
- * @return A bool indicating whether or not the pack has a discovery query
- */
- const std::vector<std::string>& getDiscoveryQueries() const;
-
- /// Utility for identifying whether or not the pack should be scheduled
- bool shouldPackExecute();
-
- /// Returns the name of the pack
- const std::string& getName() const;
-
- /// Returns the name of the source from which the pack originated
- const std::string& getSource() const;
-
- /// Returns the platform that the pack is configured to run on
- const std::string& getPlatform() const;
-
- /// Returns the minimum version that the pack is configured to run on
- const std::string& getVersion() const;
-
- size_t getShard() const {
- return shard_;
- }
-
- /// Returns the schedule dictated by the pack
- const std::map<std::string, ScheduledQuery>& getSchedule() const;
-
- /// Returns the schedule dictated by the pack
- std::map<std::string, ScheduledQuery>& getSchedule();
-
- /// Verify that the platform is compatible
- bool checkPlatform() const;
-
- /// Verify that a given platform string is compatible
- bool checkPlatform(const std::string& platform) const;
-
- /// Verify that the version of osquery is compatible
- bool checkVersion() const;
-
- /// Verify that a given version string is compatible
- bool checkVersion(const std::string& version) const;
-
- /// Verify that a given discovery query returns the appropriate results
- bool checkDiscovery();
-
- /**
- * @brief Returns whether this pack is executing
- *
- * This can be used to determine whether the pack is active, without the
- * potential side effect of running the associated discovery queries.
- */
- bool isActive() const;
-
- const PackStats& getStats() const;
-
- protected:
- /// List of query strings.
- std::vector<std::string> discovery_queries_;
-
- /// Map of query names to the scheduled query details.
- std::map<std::string, ScheduledQuery> schedule_;
-
- /// Platform requirement for pack.
- std::string platform_;
-
- /// Minimum version requirement for pack.
- std::string version_;
-
- /// Optional shard requirement for pack.
- size_t shard_{0};
-
- /// Pack canonicalized name.
- std::string name_;
-
- /// Name of config source that created/added this pack.
- std::string source_;
-
- /// Cached time and result from previous discovery step.
- std::pair<size_t, bool> discovery_cache_;
-
- /// Aggregate appropriateness of pack for this host.
- std::atomic<bool> valid_{false};
-
- /// Whether this pack is active (valid_ && checkDiscovery())
- std::atomic<bool> active_{false};
-
- /// Pack discovery statistics.
- PackStats stats_;
-
- private:
- /**
- * @brief Private default constructor
- *
- * Initialization must include pack content
- */
- Pack() {}
-
- private:
- FRIEND_TEST(PacksTests, test_check_platform);
-};
-
-/**
- * @brief Generate a splayed interval.
- *
- * The osquery schedule and packs take an approximate interval for each query.
- * The config option "schedule_splay_percent" is used to adjust the interval,
- * the result "splayed_interval" could be adjusted to be sooner or later.
- *
- * @param original the original positive interval in seconds.
- * @param splay_percent a positive percent (1-100) to splay.
- * @return the result splayed value.
- */
-size_t splayValue(size_t original, size_t splay_percent);
-
-/**
- * @brief Retrieve a previously-calculated splay for a name/interval pair.
- *
- * To provide consistency and determinism to schedule executions, splays can
- * be cached in the database. If a query name (or pack-generated name) and its
- * interval remain the same then a cached splay can be used.
- *
- * If a "cache miss" occurs, a new splay for the name and interval pair is
- * generated and saved.
- *
- * @param name the generated query name.
- * @param interval the requested pre-splayed interval.
- * @return either the restored previous calculated splay, or a new splay.
- */
-size_t restoreSplayedValue(const std::string& name, size_t interval);
-}
+++ /dev/null
-# Copyright (c) 2014-present, Facebook, Inc.
-# All rights reserved.
-#
-# This source code is licensed as defined on the LICENSE file found in the
-# root directory of this source tree.
-
-load("//tools/build_defs/oss/osquery:native.bzl", "osquery_filegroup")
-load("//tools/build_defs/oss/osquery:python.bzl", "osquery_python_library")
-
-osquery_python_library(
- name = "tools_test_utils",
- srcs = [
- "utils.py",
- ],
- base_module = "osquery.tools.tests",
- visibility = ["PUBLIC"],
-)
-
-osquery_filegroup(
- name = "conf_files",
- srcs = glob([
- "*.conf",
- ]),
- visibility = ["PUBLIC"],
-)
-
-osquery_filegroup(
- name = "config_files",
- srcs = glob([
- "*.config",
- ]),
- visibility = ["PUBLIC"],
-)
-
-osquery_filegroup(
- name = "plist_files",
- srcs = glob([
- "*.plist",
- ]),
- visibility = ["PUBLIC"],
-)
-
-osquery_filegroup(
- name = "test_files",
- srcs = glob([
- "*",
- ]),
- visibility = ["PUBLIC"],
-)
-
-osquery_filegroup(
- name = "aws_files",
- srcs = glob([
- "aws/*",
- ]),
- visibility = ["PUBLIC"],
-)
+++ /dev/null
-# Copyright (c) 2014-present, Facebook, Inc.
-# All rights reserved.
-#
-# This source code is licensed in accordance with the terms specified in
-# the LICENSE file found in the root directory of this source tree.
-
-function(osqueryToolsTestsMain)
- generateCopyFileTarget("osquery_tools_tests_conffiles" "REGEX" "*.conf" "${TEST_CONFIGS_DIR}")
- generateCopyFileTarget("osquery_tools_tests_configfiles" "REGEX" "*.config" "${TEST_CONFIGS_DIR}")
- generateCopyFileTarget("osquery_tools_tests_plistfiles" "REGEX" "*.plist" "${TEST_CONFIGS_DIR}")
- generateCopyFileTarget("osquery_tools_tests_testfiles" "REGEX" "*" "${TEST_CONFIGS_DIR}")
- generateCopyFileTarget("osquery_tools_tests_awsfiles" "REGEX" "aws/*" "${TEST_CONFIGS_DIR}")
-endfunction()
-
-osqueryToolsTestsMain()
+++ /dev/null
-[default]
-output = json
-region = us-west-2
-
-[profile test]
-output = json
-region = eu-central-1
+++ /dev/null
-[default]
-aws_access_key_id = DEFAULT_ACCESS_KEY_ID
-aws_secret_access_key = default_secret_key
-
-[test]
-aws_access_key_id = TEST_ACCESS_KEY_ID
-aws_secret_access_key = test_secret_key
+++ /dev/null
-/**
- * Copyright (c) 2014-present, Facebook, Inc.
- * All rights reserved.
- *
- * This source code is licensed in accordance with the terms specified in
- * the LICENSE file found in the root directory of this source tree.
- */
-
-#include <gtest/gtest.h>
-
-#include <osquery/core.h>
-#include <osquery/filesystem.h>
-#include <osquery/flags.h>
-#include <osquery/logger.h>
-
-#include "osquery/tests/test_util.h"
-
-namespace pt = boost::property_tree;
-
-namespace osquery {
-
-// run this benchmark with --iterations=9001 to parse over 9000 property lists
-FLAG(int32, plist_iterations, 100, "Iterations to execute plist benchmark");
-
-class PlistBenchmark : public testing::Test {};
-
-TEST_F(PlistBenchmark, bench_parse_plist_content) {
- // using LOG(ERROR) as a quick hack so that gtest displays the log line even
- // when the test passes
- LOG(ERROR) << "Starting: " << getAsciiTime();
- LOG(ERROR) << "Performing " << FLAGS_plist_iterations << " iterations";
- int time = getUnixTime();
- for (int i = 0; i < FLAGS_plist_iterations; ++i) {
- std::string content;
- readFile(kTestDataPath + "test.plist", content);
-
- pt::ptree tree;
- auto s = parsePlistContent(content, tree);
- EXPECT_TRUE(s.ok());
-
- EXPECT_EQ(s.toString(), "OK");
- EXPECT_EQ(tree.get<bool>("Disabled"), true);
- EXPECT_THROW(tree.get<bool>("foobar"), pt::ptree_bad_path);
- EXPECT_EQ(tree.get<std::string>("Label"), "com.apple.FileSyncAgent.sshd");
- std::vector<std::string> program_arguments = {
- "/System/Library/CoreServices/FileSyncAgent.app/Contents/Resources/"
- "FileSyncAgent_sshd-keygen-wrapper",
- "-i",
- "-f",
- "/System/Library/CoreServices/FileSyncAgent.app/Contents/Resources/"
- "FileSyncAgent_sshd_config",
- };
- pt::ptree program_arguments_tree = tree.get_child("ProgramArguments");
- std::vector<std::string> program_arguments_parsed;
- for (const auto& argument : program_arguments_tree) {
- program_arguments_parsed.push_back(argument.second.get<std::string>(""));
- }
- EXPECT_EQ(program_arguments_parsed, program_arguments);
- }
- LOG(ERROR) << "Ending: " << getAsciiTime();
- LOG(ERROR) << "Benchmark executed in " << (getUnixTime() - time)
- << " seconds";
-}
-}
-
-int main(int argc, char* argv[]) {
- google::ParseCommandLineFlags(&argc, &argv, true);
- testing::InitGoogleTest(&argc, argv);
- google::InitGoogleLogging(argv[0]);
- return RUN_ALL_TESTS();
-}
+++ /dev/null
-{
- // New, recommended query schedule
- "schedule": {
- "time2": {"query": "select * from time;", "interval": 1}
- },
-
- // Deprecated collection for file monitoring
- "additional_monitoring" : {
- "file_paths": {
- "downloads": [
- "/tmp/osquery-fstests-pattern/%%"
- ]
- }
- },
-
- // New, recommended file monitoring (top-level)
- "file_paths": {
- "downloads2": [
- "/tmp/osquery-fstests-pattern/%%"
- ],
- "system_binaries": [
- "/tmp/osquery-fstests-pattern/%",
- "/tmp/osquery-fstests-pattern/deep11/%"
- ]
- }
-}
-
-// The horror!!!
-,
+++ /dev/null
-{
- // New, recommended query schedule
- "schedule": {
- "time2": {"query": "select * from time;", "interval": 1}
- },
-
- // Deprecated collection for file monitoring
- "additional_monitoring" : {
- "file_paths": {
- "downloads": [
- "/tmp/osquery-tests/fstree/%%"
- ]
- }
- },
-
- // New, recommended file monitoring (top-level)
- "file_paths": {
- "downloads2": [
- "/tmp/osquery-tests/fstree/%%"
- ],
- "system_binaries": [
- "/tmp/osquery-tests/fstree/%",
- "/tmp/osquery-tests/fstree/deep11/%"
- ]
- },
-
- // Add files containing packs of queries.
- // The queries may have platform and version requirements.
- "packs": {
- "test_pack": {
- "queries": {}
- }
- },
- // New top level key for the ATC system
- "auto_table_construction" : {
- "test_atc" : {
- "query" : "SELECT * FROM test_table",
- "path" : "test_atc_db.db",
- "columns" : ["a_number", "some_test", "a_float"]
- }
- }
-}
+++ /dev/null
-{
- "options":{
- "custom_optionC" : "optionc-val",
- "custom_optionD" : "optiond-val"
- }
-}
+++ /dev/null
-{
- "schedule": {
- "time_again": {"query": "select * from time;", "interval": 1}
- },
- "options":{
- "custom_optionA" : "optiona-val",
- "custom_optionB" : "optionb-val"
- },
- "additional_monitoring" : {
- "other_thing" : {"element" : "key"}
- }
-}
+++ /dev/null
-/**
- * Copyright (c) 2014-present, Facebook, Inc.
- * All rights reserved.
- *
- * This source code is licensed in accordance with the terms specified in
- * the LICENSE file found in the root directory of this source tree.
- */
-
-#include <iostream>
-#include <string>
-
-int main(int argc, char* argv[]) {
- auto s = "foobar";
- std::cout << s << std::endl;
- return 0;
-}
+++ /dev/null
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>Disabled</key>
- <true/>
- <key>Label</key>
- <string>com.apple.FileSyncAgent.sshd</string>
- <key>ProgramArguments</key>
- <array>
- <string>/System/Library/CoreServices/FileSyncAgent.app/Contents/Resources/FileSyncAgent_sshd-keygen-wrapper</string>
- <string>-i</string>
- <string>-f</string>
- <string>/System/Library/CoreServices/FileSyncAgent.app/Contents/Resources/FileSyncAgent_sshd_config</string>
- </array>
- <key>SessionCreate</key>
- <true/>
- <key>Sockets</key>
- <dict>
- <key>Listeners</key>
- <dict>
- <key>SockServiceName</key>
- <string>appleugcontrol</string>
- <key>Bonjour</key>
- <true/>
- </dict>
- </dict>
- <key>StandardErrorPath</key>
- <string>/dev/null</string>
- <key>inetdCompatibility</key>
- <dict>
- <key>Wait</key>
- <false/>
- </dict>
- <key>com.apple.Sync</key>
- <string>TestDotStringAsKey</string>
-</dict>
-</plist>
+++ /dev/null
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>Counter</key>
- <integer>2</integer>
- <key>KnownNetworks</key>
- <dict>
- <key>wifi.ssid.<47f70e38 5cd1d54b 69></key>
- <dict>
- <key>AutoLogin</key>
- <false/>
- <key>Captive</key>
- <true/>
- <key>ChannelHistory</key>
- <array>
- <dict>
- <key>Channel</key>
- <integer>161</integer>
- <key>Timestamp</key>
- <date>2015-07-20T23:28:03Z</date>
- </dict>
- </array>
- <key>Closed</key>
- <false/>
- <key>CollocatedGroup</key>
- <array>
- <string>foo</string>
- <string>bar</string>
- </array>
- <key>Disabled</key>
- <false/>
- <key>LastConnected</key>
- <date>2015-07-20T23:28:03Z</date>
- <key>Passpoint</key>
- <false/>
- <key>PossiblyHiddenNetwork</key>
- <false/>
- <key>RoamingProfileType</key>
- <string>None</string>
- <key>SPRoaming</key>
- <false/>
- <key>SSID</key>
- <data>
- helloWOrld=
- </data>
- <key>SSIDString</key>
- <string>WhyFi</string>
- <key>SecurityType</key>
- <string>Open</string>
- <key>SystemMode</key>
- <true/>
- <key>TemporarilyDisabled</key>
- <false/>
- </dict>
- <key>wifi.ssid.<06fa78ca 7a47b05e b61d74cc 2e9e6622></key>
- <dict>
- <key>AutoLogin</key>
- <false/>
- <key>Captive</key>
- <false/>
- <key>ChannelHistory</key>
- <array>
- <dict>
- <key>Channel</key>
- <integer>11</integer>
- <key>Timestamp</key>
- <date>2014-12-29T08:56:02Z</date>
- </dict>
- </array>
- <key>Closed</key>
- <false/>
- <key>CollocatedGroup</key>
- <array/>
- <key>Disabled</key>
- <false/>
- <key>LastConnected</key>
- <date>2014-12-29T08:56:01Z</date>
- <key>Passpoint</key>
- <false/>
- <key>PossiblyHiddenNetwork</key>
- <false/>
- <key>RoamingProfileType</key>
- <string>Single</string>
- <key>SPRoaming</key>
- <false/>
- <key>SSID</key>
- <data>
- KJDSKDSHAKD
- </data>
- <key>SSIDString</key>
- <string>High-Fi</string>
- <key>SecurityType</key>
- <string>WPA2 Personal</string>
- <key>SystemMode</key>
- <true/>
- <key>TemporarilyDisabled</key>
- <false/>
- </dict>
- </dict>
- <key>Version</key>
- <integer>2200</integer>
-</dict>
-</plist>
+++ /dev/null
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>RememberedNetworks</key>
- <array>
- <dict>
- <key>AutoLogin</key>
- <false/>
- <key>Captive</key>
- <true/>
- <key>ChannelHistory</key>
- <array>
- <dict>
- <key>Channel</key>
- <integer>161</integer>
- <key>Timestamp</key>
- <date>2015-07-20T23:28:03Z</date>
- </dict>
- </array>
- <key>Closed</key>
- <false/>
- <key>CollocatedGroup</key>
- <array>
- <string>foo</string>
- <string>bar</string>
- </array>
- <key>Disabled</key>
- <false/>
- <key>LastConnected</key>
- <date>2015-07-20T23:28:03Z</date>
- <key>Passpoint</key>
- <false/>
- <key>PossiblyHiddenNetwork</key>
- <false/>
- <key>RoamingProfileType</key>
- <string>None</string>
- <key>SPRoaming</key>
- <false/>
- <key>SSID</key>
- <data>
- helloWOrld=
- </data>
- <key>SSIDString</key>
- <string>WhyFi</string>
- <key>SecurityType</key>
- <string>Open</string>
- <key>SystemMode</key>
- <true/>
- <key>TemporarilyDisabled</key>
- <false/>
- </dict>
- <dict>
- <key>AutoLogin</key>
- <false/>
- <key>Captive</key>
- <false/>
- <key>ChannelHistory</key>
- <array>
- <dict>
- <key>Channel</key>
- <integer>11</integer>
- <key>Timestamp</key>
- <date>2014-12-29T08:56:02Z</date>
- </dict>
- </array>
- <key>Closed</key>
- <false/>
- <key>CollocatedGroup</key>
- <array/>
- <key>Disabled</key>
- <false/>
- <key>LastConnected</key>
- <date>2014-12-29T08:56:01Z</date>
- <key>Passpoint</key>
- <false/>
- <key>PossiblyHiddenNetwork</key>
- <false/>
- <key>RoamingProfileType</key>
- <string>Single</string>
- <key>SPRoaming</key>
- <false/>
- <key>SSID</key>
- <data>
- KJDSKDSHAKD
- </data>
- <key>SSIDString</key>
- <string>High-Fi</string>
- <key>SecurityType</key>
- <string>WPA2 Personal</string>
- <key>SystemMode</key>
- <true/>
- <key>TemporarilyDisabled</key>
- <false/>
- </dict>
- </array>
- <key>Version</key>
- <integer>14</integer>
-</dict>
-</plist>
+++ /dev/null
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>allowsignedenabled</key>
- <integer>1</integer>
- <key>applications</key>
- <array/>
- <key>exceptions</key>
- <array>
- <dict>
- <key>path</key>
- <string>/usr/libexec/configd</string>
- <key>state</key>
- <integer>3</integer>
- </dict>
- <dict>
- <key>path</key>
- <string>/usr/sbin/mDNSResponder</string>
- <key>state</key>
- <integer>3</integer>
- </dict>
- <dict>
- <key>path</key>
- <string>/usr/sbin/racoon</string>
- <key>state</key>
- <integer>3</integer>
- </dict>
- <dict>
- <key>path</key>
- <string>/usr/bin/nmblookup</string>
- <key>state</key>
- <integer>3</integer>
- </dict>
- <dict>
- <key>path</key>
- <string>/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/readconfig</string>
- <key>state</key>
- <integer>3</integer>
- </dict>
- </array>
- <key>explicitauths</key>
- <array>
- <dict>
- <key>id</key>
- <string>org.python.python.app</string>
- </dict>
- <dict>
- <key>id</key>
- <string>com.apple.ruby</string>
- </dict>
- <dict>
- <key>id</key>
- <string>com.apple.a2p</string>
- </dict>
- <dict>
- <key>id</key>
- <string>com.apple.javajdk16.cmd</string>
- </dict>
- <dict>
- <key>id</key>
- <string>com.apple.php</string>
- </dict>
- <dict>
- <key>id</key>
- <string>com.apple.nc</string>
- </dict>
- <dict>
- <key>id</key>
- <string>com.apple.ksh</string>
- </dict>
- </array>
- <key>firewall</key>
- <dict>
- <key>Apple Remote Desktop</key>
- <dict>
- <key>proc</key>
- <string>AppleVNCServer</string>
- <key>state</key>
- <integer>0</integer>
- </dict>
- <key>FTP Access</key>
- <dict>
- <key>proc</key>
- <string>ftpd</string>
- <key>state</key>
- <integer>0</integer>
- </dict>
- <key>ODSAgent</key>
- <dict>
- <key>proc</key>
- <string>ODSAgent</string>
- <key>servicebundleid</key>
- <string>com.apple.ODSAgent</string>
- <key>state</key>
- <integer>0</integer>
- </dict>
- <key>Personal File Sharing</key>
- <dict>
- <key>proc</key>
- <string>AppleFileServer</string>
- <key>state</key>
- <integer>0</integer>
- </dict>
- <key>Personal Web Sharing</key>
- <dict>
- <key>proc</key>
- <string>httpd</string>
- <key>state</key>
- <integer>0</integer>
- </dict>
- <key>Printer Sharing</key>
- <dict>
- <key>proc</key>
- <string>cupsd</string>
- <key>state</key>
- <integer>0</integer>
- </dict>
- <key>Remote Apple Events</key>
- <dict>
- <key>proc</key>
- <string>AEServer</string>
- <key>state</key>
- <integer>0</integer>
- </dict>
- <key>Remote Login - SSH</key>
- <dict>
- <key>proc</key>
- <string>sshd-keygen-wrapper</string>
- <key>state</key>
- <integer>0</integer>
- </dict>
- <key>Samba Sharing</key>
- <dict>
- <key>proc</key>
- <string>smbd</string>
- <key>state</key>
- <integer>0</integer>
- </dict>
- </dict>
- <key>firewallunload</key>
- <integer>0</integer>
- <key>globalstate</key>
- <integer>0</integer>
- <key>loggingenabled</key>
- <integer>0</integer>
- <key>loggingoption</key>
- <integer>0</integer>
- <key>stealthenabled</key>
- <integer>0</integer>
- <key>version</key>
- <string>1.0a25</string>
-</dict>
-</plist>
+++ /dev/null
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<array>
- <dict>
- <key>Disabled</key>
- <true/>
- </dict>
-</array>
-</plist>
+++ /dev/null
-MIIESzCCAzOgAwIBAgIJAI1bGeY2YPlhMA0GCSqGSIb3DQEBBQUAMIG7MQswCQYD
-VQQGEwItLTESMBAGA1UECAwJU29tZVN0YXRlMREwDwYDVQQHDAhTb21lQ2l0eTEZ
-MBcGA1UECgwQU29tZU9yZ2FuaXphdGlvbjEfMB0GA1UECwwWU29tZU9yZ2FuaXph
-dGlvbmFsVW5pdDEeMBwGA1UEAwwVbG9jYWxob3N0LmxvY2FsZG9tYWluMSkwJwYJ
-KoZIhvcNAQkBFhpyb290QGxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0xNDA4MTkx
-OTEyMTZaFw0xNTA4MTkxOTEyMTZaMIG7MQswCQYDVQQGEwItLTESMBAGA1UECAwJ
-U29tZVN0YXRlMREwDwYDVQQHDAhTb21lQ2l0eTEZMBcGA1UECgwQU29tZU9yZ2Fu
-aXphdGlvbjEfMB0GA1UECwwWU29tZU9yZ2FuaXphdGlvbmFsVW5pdDEeMBwGA1UE
-AwwVbG9jYWxob3N0LmxvY2FsZG9tYWluMSkwJwYJKoZIhvcNAQkBFhpyb290QGxv
-Y2FsaG9zdC5sb2NhbGRvbWFpbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAM6EsaVoMaHrYqH/s4YlhF6ke1XmUhzksB2eqpNqdgZw1JcZi9droRpuYmIf
-bNyvWqUffHW9mKRv+udF5Woueshn+7Kj9YnnL9jfMzFaVEC8WRwWk54RIdNkxgFq
-dqlaiwBWLvZkNUS9k/nugxVTbNu/GTqQlUG1XsIWBDJ2qRqniRfMKrfBKOxPYCZA
-l7KeFguRA+xOsA7/71OMXJZKneMSWN8duTQCFt7uYCQXWc/IV6BfKTaR/ZQQ4w7/
-iEMYPMZPSNprjun7rx0r2zPZGyrkGSCiS+4e+dfy0NbmYXodGHDxb/vBlm4q8CqF
-OoH9aq0F/3581uZcuvU2ydX/LWcCAwEAAaNQME4wHQYDVR0OBBYEFPK5mwDg7mDV
-fEJs4+ZOP9xvZBHAMB8GA1UdIwQYMBaAFPK5mwDg7mDVfEJs4+ZOP9xvZBHAMAwG
-A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAKNNP6f0JKxBtfq8hakrhHyl
-cSN83SmVPcrsTLeaW8w0hi+JOtNOjD9sM8KNSbmLXfhRH4yPqYV+0dpJi5+SeelW
-DjxZwbcFoI4EEu+zqufTUpu0T51eqnGvIedlIu1i2CiaoAJEmAN2OKQuN7uIQW27
-2gL/RS+DVkevaidLRh7q2QI23B0n1XZuyEUiUKB1YfTPrupMZkostuyGybAJaxrc
-ONmxUsB38pWJRCef9N/5APS74uIesfxSvEZXcXfPA+wrQY0yXn+bsEhz9pJOxZvD
-WxULUHBC6qH9gAlKEqZYS3CwpCEl/Blznwi30r4CwwQ6dLfeXoPQDxAt7LyPpV4=
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDQCCmbgcppvbEnglmYOFpWq84Ul9e37qMzL2FPTqf6dKOh6oe3
-metcsj+neweT+xDPI6ZZ9e8/fUcvK1oFqUiVXtl7QIWG5FEaGpbmehXqAU1FfpgB
-LECWiUYqNO7Uo1kmWygiNErSiib97wP6JL4SNNz0riqoAwSuq0EKo0wJfwIDAQAB
-AoGBAKs6vLyR5UCJ8WIayZIgeEM0oKiUnut3Uf9UdV0o2dyt2u3wNAtsdqzSztAU
-1RT5p0lIB6muY2G3xTrPDQbx4poK9wPyqm58sMwS0Z4hCPNO62m29e63r6zT9KGO
-rbbTgyloPqf4n2shR80RkRkkicYkCADIejRtUib8/KzfXoOxAkEA+SX4tx2vmLU7
-nJuE3eH/HksiyKEetVxlg2ry2jM/7opQKQ0bHaVGimILtBzRPuKR4wXhifsUljkh
-w0SnkHyDdwJBANXAuiw07/aSutusjMUI7JTjzqb9DQavjJgIYQyS3VzWBuKb9Y5s
-PQWRpwljx6A/Rc42GYzyxhaOrhGfOBdMXDkCQH4gi+VfgNpkvPXOARg2ZWlXjhdV
-AW+8g6Ngy+pMUYwXtvbhLJ34YlqBwfz/LaqRFluASaoJUmWuLHpm0hEiB4cCQQDD
-RQNOqzWkTbsCP4mB3nsyMUJx7q5dszV/FfiCohAzZRp5HfyflWXRlpO/0jVlwSem
-EGobBxXLOaDvXELDlfCRAkAE9a5k4UzsIwZ8TnWKt4DMO44bLcr+0Sw/ODhGGCv+
-OSCIFu5DA5wF3yoWZJ5hP12e+aGq45NA+/3svrbSCc/d
------END RSA PRIVATE KEY-----
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIICGDCCAYECAQcwDQYJKoZIhvcNAQEFBQAwWzELMAkGA1UEBhMCVVMxEzARBgNV
-BAgTCkNhbGlmb3JuaWExGDAWBgNVBAoTD29zcXVlcnktdGVzdGluZzEdMBsGA1UE
-AxMUb3NxdWVyeS11bml0dGVzdHMtY2EwHhcNMTUwNjEzMDkxMTMwWhcNMjUwNjEw
-MDkxMTMwWjBOMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEYMBYG
-A1UEChMPb3NxdWVyeS10ZXN0aW5nMRAwDgYDVQQDEwdjbGllbnQxMIGfMA0GCSqG
-SIb3DQEBAQUAA4GNADCBiQKBgQDQCCmbgcppvbEnglmYOFpWq84Ul9e37qMzL2FP
-Tqf6dKOh6oe3metcsj+neweT+xDPI6ZZ9e8/fUcvK1oFqUiVXtl7QIWG5FEaGpbm
-ehXqAU1FfpgBLECWiUYqNO7Uo1kmWygiNErSiib97wP6JL4SNNz0riqoAwSuq0EK
-o0wJfwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAHPsSk3VsqpG6rxH7rG230e4Zlpu
-7sOfxcRdmxOF37+EtRg1AD96IQlJ2LymgGMNRyajzRl4993QEvxn9w/myHF5fFpb
-rMM/ukO2Ov2Wh/gWzGMFy+est4ubFp63dMCjo3Et9LDftaIOs3PP4Igc5UNVlpGq
-osyeKmz3+lbBBjOH
------END CERTIFICATE-----
+++ /dev/null
-this_is_a_deployment_secret
+++ /dev/null
-##
-#Host Database
-#
-#localhost is used to configure the loopback interface
-#when the system is booting. Do not change this entry.
-##
-127.0.0.1 localhost
-255.255.255.255 broadcasthost
-::1 localhost
-fe80::1%lo0 localhost
-127.0.0.1 example.com example
-127.0.0.1 example.net # This is a comment
+++ /dev/null
-# Copyright (c) 1993-2001 Microsoft Corp.
-#
-# This file has been automatically generated for use by Microsoft Internet
-# Connection Sharing. It contains the mappings of IP addresses to host names
-# for the home network. Please do not make changes to the HOSTS.ICS file.
-# Any changes may result in a loss of connectivity between machines on the
-# local network.
-#
-
-192.168.11.81 VM-q27rkc8son.mshome.net # 2023 7 6 8 20 49 1 850
-
-
+++ /dev/null
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>BuildMachineOSBuild</key>
- <string>13C23</string>
- <key>CFBundleDevelopmentRegion</key>
- <string>English</string>
- <key>CFBundleDocumentTypes</key>
- <array>
- <dict>
- <key>CFBundleTypeExtensions</key>
- <array>
- <string>Photo Booth</string>
- </array>
- <key>CFBundleTypeIconFile</key>
- <string>PBLibraryIcon</string>
- <key>CFBundleTypeName</key>
- <string>Photo Booth Library</string>
- <key>CFBundleTypeOSTypes</key>
- <array>
- <string>PBLb</string>
- </array>
- <key>CFBundleTypeRole</key>
- <string>Viewer</string>
- <key>LSTypeIsPackage</key>
- <true/>
- <key>NSDocumentClass</key>
- <string>ArchiveDocument</string>
- </dict>
- </array>
- <key>CFBundleExecutable</key>
- <string>Photo Booth</string>
- <key>CFBundleHelpBookFolder</key>
- <string>PhotoBooth.help</string>
- <key>CFBundleHelpBookName</key>
- <string>com.apple.PhotoBooth.help</string>
- <key>CFBundleIconFile</key>
- <string>PhotoBooth.icns</string>
- <key>CFBundleIdentifier</key>
- <string>com.apple.PhotoBooth</string>
- <key>CFBundleInfoDictionaryVersion</key>
- <string>6.0</string>
- <key>CFBundlePackageType</key>
- <string>APPL</string>
- <key>CFBundleShortVersionString</key>
- <string>6.0</string>
- <key>CFBundleSignature</key>
- <string>PhBo</string>
- <key>CFBundleVersion</key>
- <string>517</string>
- <key>DTCompiler</key>
- <string>com.apple.compilers.llvm.clang.1_0</string>
- <key>DTPlatformBuild</key>
- <string>5A2053</string>
- <key>DTPlatformVersion</key>
- <string>GM</string>
- <key>DTSDKBuild</key>
- <string>13C23</string>
- <key>DTSDKName</key>
- <string></string>
- <key>DTXcode</key>
- <string>0501</string>
- <key>DTXcodeBuild</key>
- <string>5A2053</string>
- <key>LSApplicationCategoryType</key>
- <string>public.app-category.entertainment</string>
- <key>LSMinimumSystemVersion</key>
- <string>10.7.0</string>
- <key>NSMainNibFile</key>
- <string>MainMenu</string>
- <key>NSPrincipalClass</key>
- <string>PBApplication</string>
- <key>NSSupportsAutomaticGraphicsSwitching</key>
- <true/>
- <key>NSSupportsSuddenTermination</key>
- <string>YES</string>
-</dict>
-</plist>
+++ /dev/null
-{
- "packs": {
- "unrestricted_pack": {
- "version": "1.5.0",
- "queries": {
- "process_events": {
- "query": "select distinct path, cmdline, uid, euid, environment from process_events;",
- "interval": 3600,
- "version": "1.5.1-26",
- "removed": false
- },
- "process_heartbeat": {
- "query": "select * from osquery_info",
- "interval": 3600,
- "blacklist": false
- }
- },
- "file_paths": {
- "unrestricted_pack": [
- "/unrestricted",
- "/unrestricted/also"
- ]
- }
- },
- "discovery_pack": {
- "platform": "all",
- "version": "1.5.0",
- "discovery": [
- "select pid from processes where name = 'foobar';"
- ],
- "queries": {
- "kernel_modules": {
- "query": "select * from kernel_modules;",
- "interval": 3600
- },
- "totally_fake": {
- "query": "select * from kernel_modules;",
- "interval": 3600,
- "platform": "lol"
- }
- }
- },
- "fake_version_pack": {
- "version": "9.9.9",
- "queries": {}
- },
- "valid_discovery_pack": {
- "discovery": [
- "select * from osquery_info;"
- ],
- "queries": {
- "kernel_modules": {
- "query": "select * from kernel_modules;",
- "interval": 3600
- }
- }
- },
- "restricted_pack": {
- "version": "9.9.9",
- "platform": "none",
- "shard": "1",
- "file_paths": {
- "restricted_pack": ["/restricted"]
- }
- }
- },
- "schedule": {
- "launchd": {
- "query": "select * from launchd;",
- "interval": 3600
- }
- }
-}
+++ /dev/null
-{
-"table": {
- "testSwitch":true,
- "test2Switch":false
- }
-}
+++ /dev/null
-{
-"table": {
- 1:true
- "test2Switch":false
- }
-}
+++ /dev/null
-{
-"table": {
- "testSwitch":4,
- "test2Switch":false
- }
-}
+++ /dev/null
-{
-"pseudo_table": {
- "testSwitch":true,
- "test2Switch":false
- }
-}
+++ /dev/null
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>Label</key>
- <string>com.apple.mDNSResponder</string>
- <key>OnDemand</key>
- <false/>
- <key>InitGroups</key>
- <false/>
- <key>UserName</key>
- <string>_mdnsresponder</string>
- <key>GroupName</key>
- <string>_mdnsresponder</string>
- <key>ProgramArguments</key>
- <array>
- <string>/usr/sbin/mDNSResponder</string>
- </array>
- <key>MachServices</key>
- <dict>
- <key>com.apple.mDNSResponder</key>
- <true/>
- <key>com.apple.mDNSResponder.dnsproxy</key>
- <true/>
- </dict>
- <key>Sockets</key>
- <dict>
- <key>Listeners</key>
- <dict>
- <key>SockFamily</key>
- <string>Unix</string>
- <key>SockPathName</key>
- <string>/var/run/mDNSResponder</string>
- <key>SockPathMode</key>
- <integer>438</integer>
- </dict>
- </dict>
- <key>EnableTransactions</key>
- <true/>
- <key>BeginTransactionAtShutdown</key>
- <true/>
- <key>POSIXSpawnType</key>
- <string>Interactive</string>
-</dict>
-</plist>
+++ /dev/null
-{
- "packs": {
- // This pack is "non-inline", meaning it should trigger genPack.
- "tester": "lester",
- // This pack is "inlined", the content is a JSON dictionary.
- "foobar": {
- "version": "1.5.0",
- "queries": {
- "kernel_modules": {
- "query": "select * from kernel_modules;",
- "interval": 3600
- }
- }
- }
- }
-}
+++ /dev/null
-{
- "queries": {
- "launchd": {
- "query": "select * from launchd",
- "interval" : "414141",
- "platform" : "whatever",
- "version" : "1.0.0",
- "description" : "Very descriptive description",
- "value" : "Value overflow"
- },
- "evil_things": {
- "query": "select * from time",
- "interval" : "666",
- "platform" : "invalid",
- "version" : "9.9.9",
- "description" : "More descriptive description",
- "value" : "It is dangerous to go alone, take this"
- },
- "simple": {
- "query": "select * from osquery_info",
- "interval": "10"
- }
- }
-}
+++ /dev/null
-{
- "list": [
- "a"
- ],
- "dictionary": {
- "foo": "bar"
- },
- "packs": {
- "foobar": {
- "version": "1.5.0",
- "queries": {
- "kernel_modules": {
- "query": "select * from kernel_modules;",
- "interval": 3600
- }
- }
- },
- "foobar_with_files": {
- "file_paths": {
- "logs": [
- "/dev/random"
- ]
- },
- "file_accesses": [
- "logs",
- "bar"
- ]
- }
- },
- "schedule": {
- "launchd": {
- "query": "select * from launchd;",
- "interval": 3600
- }
- },
- "file_paths": {
- "logs": [
- "/dev/null"
- ],
- "config_files": [
- "/dev",
- "/dev/zero"
- ]
- },
- "file_paths_query": {
- "config_files_query": [
- "select '/dev/urandom' as path;"
- ]
- },
- "file_accesses": [
- "logs"
- ],
- "events": {
- "environment_variables": [
- "foo",
- "bar"
- ]
- },
- "decorators": {
- "load": [
- "select version from osquery_info",
- "select uuid as hostuuid from system_info",
- "select 'test' as load_test"
- ],
- "always": [
- "select user as username from logged_in_users where user <> '' order by time limit 1;",
- "select 'test' as always_test"
- ],
- "interval": {
- "60": [
- "select 1 as one from time",
- "select 'test' as internal_60_test"
- ],
- "61": [
- "select 'invalid' as invalid_interval_test"
- ]
- }
- },
- "views": {
- "kernel_hashes": "select hash.path as kernel_binary, version, hash.sha256 as sha256, hash.sha1 as sha1, hash.md5 as md5 from (select path || '/Contents/MacOS/' as directory, name, version from kernel_extensions) join hash using (directory)"
- }
-}
+++ /dev/null
-#
-# Internet protocols
-#
-# $FreeBSD: src/etc/protocols,v 1.14 2000/09/24 11:20:27 asmodai Exp $
-# from: @(#)protocols 5.1 (Berkeley) 4/17/89
-#
-# See also http://www.isi.edu/in-notes/iana/assignments/protocol-numbers
-#
-ip 0 IP # internet protocol, pseudo protocol number
-#hopopt 0 HOPOPT # hop-by-hop options for ipv6
-icmp 1 ICMP # internet control message protocol
-tcp 6 TCP # transmission control protocol
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA7y/3c/qkoMMfXY/BHQ3nmFeBTjka3s+gkocYhFspQ3m3iRFx
-1FxPcuwfSvwqX5RqWq3n5rZO8oCmgTKBC00WlVfgT48fIj0DaLqpR8/071Q7aaPf
-G/CiqTd/Uyu7m4pIGuoYuc8lMYfwmbwRxxmESbb0soFhmxTG7ek5Kr9fa89QK2Nh
-Oi2Xa+hmrpaTZp0elFRf0rOYNI8rS3FomIHRsy/rZwupSLAwdudrQCV9borEz/0u
-s0/hd1IjUArnsd1UFrFB13WDHps1qZ838ELuH5Iq5eIuUAXgpcoCLIH7BO7Rxtsv
-3Ecqp8qbMoelEqLGu7zBBBWF0Ta4orEPP2ph4QIDAQABAoIBADJIAhwGd6839ZME
-klMaRjJXSt530LdALIBBGB1S0KTXpIaS/TvoP+dnzdhElF/NYmI3psVwU75U3yvP
-wyLuDK5Ob+AptSDMdLgCbW2kQNhC+85kXZWRC5DJEuIYEnNLKYdG6PW+nxH/gsu+
-pnoVWiLo7B3OZwdj4cHHwnXDDzspTKN9UJHtN75feW7qj8Wx+IObcEJUrDwK/v/P
-MjewHJ8OWmgr/nUVqFxmVYn+3VQOcoF1jFXShihqg4op3LeHbGcCenY78+MBFOrE
-xzBQC9IQiRV/ayrHhEo1RGMg7vFOAqPFgcXMA7y2blrjgngMJ+SofBthuZH28mPB
-JjDR1wUCgYEA+xFl/OHmcW0oVOIfPMQ7NNv6JAE3+i+5nYuJcIZoEH85Xdr5YtF5
-xGyn5pZ3HLR6OiNMRBRhwvHSIMEkI/357EjAjbnM2OG8kU6CzQ+6tG/jsVeYDNKN
-CQejL9atkOwC1b2UmP8ajfRu2tsXQmOCi/iddk/7qWmUYOJsrvbxN58CgYEA8+LS
-VkrnLhq2MArdFDfziKg+NwdL9ppk2t4F/x2FsKTBI/mMGo5Acqdvs6GXM1CLGJpx
-XvQ0Q/b3SWXKj0bGI/3m3XcovxGTLudfDV9Ph7VvbKQTmYrzG8fR7ev2wIjzpCYc
-nyoRu6msmVnpst9QsRNG0ca92GWeIwDPVL6T9n8CgYAz9IPAcxb2/fnMpwaD0q/V
-3nfDH6Vv1pR4r7l/WbELSOicLYZSFrs2FK4iH50Cia6JfWh45ibc6qHrOUy7TgF8
-DgoaygpED2KwRyj2On0OfeEGf/PtI10gMz5n1esRBGYJyTOI/bGHEsAl9hS4HlOT
-l50uMJsJkdmsuu52vo9oTQKBgQDWsh2SI5xB5PfvcRDQBLVZ3yntzXmc3KveVMeY
-nweayl7QaZVhp0qq5CUcUCtH3CanAQa+nWIJVra4oWhhGt/AvXpoCccP9MvJ5Zqy
-re3YPOubCxHKAB0lnpF6zlfJhIZfQcG+iA1WU/cChLmLYrWpPJwCfd+QSVyd2c+q
-/Z5JxwKBgQDuitXKKlkMfXzlubcPYt2f3sRpv6op3u9BpNDWH6HJg+APO0a3F4vE
-C7BexnegFYhGJemkTnPvcrBUGvtVcailgZbWLUZfiQC3xPvWGnqqKN+KALHL77Gz
-/ZmV6BPQ+becihdTEGkyC8KHDgCy4TGQefds4IUAVDETWm5Hti8ruQ==
------END RSA PRIVATE KEY-----
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIICnjCCAgcCAQgwDQYJKoZIhvcNAQEFBQAwWzELMAkGA1UEBhMCVVMxEzARBgNV
-BAgTCkNhbGlmb3JuaWExGDAWBgNVBAoTD29zcXVlcnktdGVzdGluZzEdMBsGA1UE
-AxMUb3NxdWVyeS11bml0dGVzdHMtY2EwHhcNMTUwNjEzMDkxMjE2WhcNMjUwNjEw
-MDkxMjE2WjBQMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEYMBYG
-A1UEChMPb3NxdWVyeS10ZXN0aW5nMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvL/dz+qSgwx9dj8EdDeeYV4FOORre
-z6CShxiEWylDebeJEXHUXE9y7B9K/CpflGparefmtk7ygKaBMoELTRaVV+BPjx8i
-PQNouqlHz/TvVDtpo98b8KKpN39TK7ubikga6hi5zyUxh/CZvBHHGYRJtvSygWGb
-FMbt6Tkqv19rz1ArY2E6LZdr6GaulpNmnR6UVF/Ss5g0jytLcWiYgdGzL+tnC6lI
-sDB252tAJX1uisTP/S6zT+F3UiNQCuex3VQWsUHXdYMemzWpnzfwQu4fkirl4i5Q
-BeClygIsgfsE7tHG2y/cRyqnypsyh6USosa7vMEEFYXRNriisQ8/amHhAgMBAAEw
-DQYJKoZIhvcNAQEFBQADgYEAUfVwwbK05VfVdRuZ/vwy2mX2PCwLVCIQoK4eYQxB
-xscEKbOpgpk8twWWMqnfvXbzR8glKu7gExtasae07s2NMUYf2x/mSZG+SbpYdYdu
-6VgZ8DXNmRxo1GfetMiMnqAuS94+G6eIqZmAQGI/j/Feld/Gi5dGaZ/qW1PSDex8
-BQU=
------END CERTIFICATE-----
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIC9TCCAl6gAwIBAgIJAPQteZms04jzMA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNV
-BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRgwFgYDVQQKEw9vc3F1ZXJ5LXRl
-c3RpbmcxHTAbBgNVBAMTFG9zcXVlcnktdW5pdHRlc3RzLWNhMB4XDTE1MDYxMzA5
-MTA0MVoXDTI1MDYxMDA5MTA0MVowWzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
-bGlmb3JuaWExGDAWBgNVBAoTD29zcXVlcnktdGVzdGluZzEdMBsGA1UEAxMUb3Nx
-dWVyeS11bml0dGVzdHMtY2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMF0
-ATxoOhtKaGfudIupedTjUfn6ruUkr8f6VTLUJ2TSigGMvGg5HJpguFegO+e2Gawp
-Dp7Y4lHROLfzpjofWTHTU6b+tHW7OqqGTQ06tn/Mtx8mq+qePuWjVlktFjgnUqsw
-fMJmsVAC9bH7WUQXYO7jI/VzHlTKWX1L7H/h8MRNAgMBAAGjgcAwgb0wHQYDVR0O
-BBYEFL3igtnOtftEOPtUPklj2Dm4Z6nWMIGNBgNVHSMEgYUwgYKAFL3igtnOtftE
-OPtUPklj2Dm4Z6nWoV+kXTBbMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZv
-cm5pYTEYMBYGA1UEChMPb3NxdWVyeS10ZXN0aW5nMR0wGwYDVQQDExRvc3F1ZXJ5
-LXVuaXR0ZXN0cy1jYYIJAPQteZms04jzMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
-AQEFBQADgYEAB2cBWFMbR5FhQ1fGQRIoXYsp96DbMa7nhBFsdHvTbiqEMQuTUQbO
-yB9UFylMlzPU0OjMgH0R6ILhPXaSIS7hyK1cmp2ZqgUBrR3G1VV/6TWpP4Y+lnXG
-4vdEtyEEo7p8XLmcm88Ig7LgqUzZrtgoknd2fIPsKjEqdq4P7cCiqFc=
------END CERTIFICATE-----
+++ /dev/null
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>SessionItems</key>
- <dict>
- <key>Controller</key>
- <string>CustomListItems</string>
- <key>CustomListItems</key>
- <array>
- <dict>
- <key>Alias</key>
- <data>
- AAAAAADYAAMAAQAA1MnZcwAASCsAAAAAAAEIfQABCIAA
- ANQ/KS0AAAAACSD//gAAAAAAAAAA/////wABABAAAQh9
- AAEIawABCGoAAAA/AA4AIgAQAGkAVAB1AG4AZQBzAEgA
- ZQBsAHAAZQByAC4AYQBwAHAADwAaAAwATQBhAGMAaQBu
- AHQAbwBzAGgAIABIAEQAEgA3QXBwbGljYXRpb25zL2lU
- dW5lcy5hcHAvQ29udGVudHMvTWFjT1MvaVR1bmVzSGVs
- cGVyLmFwcAAAEwABLwD//wAA
- </data>
- <key>CustomItemProperties</key>
- <dict>
- <key>com.apple.LSSharedFileList.Binding</key>
- <data>
- ZG5pYgAAAAACAAAAAAAAAAAAAAAAAAAAAAAA
- AEkAAAAAAAAAZmlsZTovL2xvY2FsaG9zdC9B
- cHBsaWNhdGlvbnMvaVR1bmVzLmFwcC9Db250
- ZW50cy9NYWNPUy9pVHVuZXNIZWxwZXIuYXBw
- LxYAAAAAAAAAY29tLmFwcGxlLmlUdW5lc0hl
- bHBlcnjkpwAAAAAAjkCQFAIAAABifXQZ
- </data>
- <key>com.apple.LSSharedFileList.ItemIsHidden</key>
- <true/>
- </dict>
- <key>Flags</key>
- <integer>1</integer>
- <key>Name</key>
- <string>iTunesHelper</string>
- </dict>
- <dict>
- <key>Alias</key>
- <data>
- AAAAAAC+AAMAAAAA1MnZcwAASCsAAAAAAAZi5gHZbDMA
- ANZq9vsAAAAACSD//gAAAAAAAAAA/////wABAAgABmLm
- AAZhyAAOACgAEwB0AGgAaQBzAF8AZABvAGUAcwBfAG4A
- bwB0AF8AZQB4AGkAcwB0AA8AGgAMAE0AYQBjAGkAbgB0
- AG8AcwBoACAASABEABIAH3ByaXZhdGUvdG1wL3RoaXNf
- ZG9lc19ub3RfZXhpc3QAABMAAS8A//8AAA==
- </data>
- <key>CustomItemProperties</key>
- <dict>
- <key>com.apple.LSSharedFileList.Binding</key>
- <data>
- ZG5pYgAAAAABAAAAAAAAAAAAAAAAAAAAAAAA
- AAAAAAAAAAAAAAAAAAAAAAAAAAAA
- </data>
- </dict>
- <key>Name</key>
- <string>this_does_not_exist</string>
- </dict>
- </array>
- </dict>
-</dict>
-</plist>
+++ /dev/null
-This file is to test extended attributes on Darwin.
+++ /dev/null
-{
- "views" : {
- "kernel_hashes_new" : "select hash.path as kernel_binary, version, hash.sha256 as sha256, hash.sha1 as sha1, hash.md5 as md5 from (select path || '/Contents/MacOS/' as directory, name, version from kernel_extensions) join hash using (directory)"
- }
-}
+++ /dev/null
-{
- "views" : {
- "kernel_hashes_new" : "select hash.path as binary, version, hash.sha256 as SHA256, hash.sha1 as SHA1, hash.md5 as MD5 from (select path || '/Contents/MacOS/' as directory, name, version from kernel_extensions) join hash using (directory)"
- }
-}