{
"options": {
"disable_events": "false",
"utc": "true",
"logger_mode": "0640",
"logger_format": "json"
},
"schedule": {
"scheduled_task_persistence": {
"query": "SELECT path, name, action, enabled, hidden FROM scheduled_tasks;",
"interval": 3600
},
"startup_items": {
"query": "SELECT name, path, status, source FROM startup_items;",
"interval": 3600
},
"services_persistence": {
"query": "SELECT name, display_name, path, start_type, status FROM services WHERE start_type IN ('AUTO_START', 'DEMAND_START');",
"interval": 3600
},
"system_cron_jobs": {
"query": "SELECT command, path, interval, time FROM crontab;",
"interval": 3600
},
"user_cron_jobs": {
"query": "SELECT username, command, path, interval, time FROM crontab WHERE username != 'root';",
"interval": 3600
},
"logon_scripts": {
"query": "SELECT script_path, username FROM logon_scripts;",
"interval": 3600
},
"setuid_files": {
"query": "SELECT path, uid, gid, mode, size, atime, mtime, ctime FROM file WHERE (mode & '04000') = '04000';",
"interval": 3600
},
"setgid_files": {
"query": "SELECT path, uid, gid, mode, size, atime, mtime, ctime FROM file WHERE (mode & '02000') = '02000';",
"interval": 3600
},
"privilege_escalation_processes": {
"query": "SELECT pid, name, path, cmdline, uid, gid, euid, egid, suid, sgid, cwd, start_time FROM processes WHERE (uid != euid OR gid != egid);",
"interval": 300
}
},
"decorators": {
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT hostname FROM system_info;",
"SELECT user AS username FROM logged_in_users WHERE user NOT IN ('_mbsetupuser', 'root') ORDER BY time DESC LIMIT 1;"
]
},
"packs": {}
}