Merge pull request #11 from palantir/fixing_intervals

Fixing interval values in YAML files for Fleet

Author: clong

Fleet/Endpoints/MacOS/osquery.yaml

@@ -6,285 +6,285 @@ spec:
   queries:
   - description: 'Query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/
       which can be used for persistence: (https://www.xorrior.com/emond-persistence/)'
-    interval: 0
+    interval: 3600
     name: emond
     platform: darwin
     query: emond
   - description: 'Snapshot query to monitor files for changes inside of /etc/emon.d/
       or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)'
-    interval: 0
+    interval: 28800
     name: emond_snapshot
     platform: darwin
     query: emond_snapshot
     snapshot: true
   - description: Track time/action changes to files specified in configuration data.
-    interval: 0
+    interval: 300
     name: file_events
     platform: darwin
     query: file_events
     removed: false
   - description: The installed homebrew package database.
-    interval: 0
+    interval: 28800
     name: homebrew_packages_snapshot
     platform: darwin
     query: homebrew_packages_snapshot
     snapshot: true
   - description: List kernel extensions, their signing status, and their hashes (excluding
       extensions signed by Apple)
-    interval: 0
+    interval: 3600
     name: macosx_kextstat
     platform: darwin
     query: macosx_kextstat
   - description: Checks the MD5 hash of /etc/rc.common and records the results if
       the hash differs from the default value. /etc/rc.common can be used for persistence.
-    interval: 0
+    interval: 3600
     name: rc.common
     platform: darwin
     query: rc.common
   - description: Returns information about installed event taps. Can be used to detect
       keyloggers
-    interval: 0
+    interval: 300
     name: event_taps
     platform: darwin
     query: event_taps
   - description: LaunchAgents and LaunchDaemons from default search paths.
-    interval: 0
+    interval: 3600
     name: launchd
     platform: darwin
     query: launchd
   - description: Snapshot query for launchd
-    interval: 0
+    interval: 28800
     name: launchd_snapshot
     platform: darwin
     query: launchd_snapshot
     snapshot: true
   - description: Detect the presence of the LD_PRELOAD environment variable
-    interval: 0
+    interval: 60
     name: ld_preload
     platform: darwin
     query: ld_preload
     removed: false
   - description: USB devices that are actively plugged into the host system.
-    interval: 0
+    interval: 300
     name: usb_devices
     platform: darwin
     query: usb_devices
   - description: System mounted devices and filesystems (not process specific).
-    interval: 0
+    interval: 3600
     name: mounts
     platform: darwin
     query: mounts
     removed: false
   - description: Apple NVRAM variable listing.
-    interval: 0
+    interval: 3600
     name: nvram
     platform: darwin
     query: nvram
     removed: false
   - description: Line parsed values from system and user cron/tab.
-    interval: 0
+    interval: 3600
     name: crontab
     platform: darwin
     query: crontab
   - description: Hardware (PCI/USB/HID) events from UDEV or IOKit.
-    interval: 0
+    interval: 300
     name: hardware_events
     platform: darwin
     query: hardware_events
     removed: false
   - description: The installed homebrew package database.
-    interval: 0
+    interval: 3600
     name: homebrew_packages
     platform: darwin
     query: homebrew_packages
   - description: OS X applications installed in known search paths (e.g., /Applications).
-    interval: 0
+    interval: 3600
     name: installed_applications
     platform: darwin
     query: installed_applications
   - description: System logins and logouts.
-    interval: 0
+    interval: 3600
     name: last
     platform: darwin
     query: last
     removed: false
   - description: Snapshot query for macosx_kextstat
-    interval: 0
+    interval: 28800
     name: macosx_kextstat_snapshot
     platform: darwin
     query: macosx_kextstat_snapshot
     snapshot: true
   - description: Checks the MD5 hash of /etc/rc.common and records the results if
       the hash differs from the default value. /etc/rc.common can be used for persistence.
-    interval: 0
+    interval: 28800
     name: rc.common_snapshot
     platform: darwin
     query: rc.common_snapshot
     snapshot: true
   - description: Safari browser extension details for all users.
-    interval: 0
+    interval: 3600
     name: safari_extensions
     platform: darwin
     query: safari_extensions
   - description: suid binaries in common locations.
-    interval: 0
+    interval: 28800
     name: suid_bin
     platform: darwin
     query: suid_bin
     removed: false
   - description: Local system users.
-    interval: 0
+    interval: 28800
     name: users
     platform: darwin
     query: users
   - description: List authorized_keys for each user on the system
-    interval: 0
+    interval: 28800
     name: authorized_keys
     platform: darwin
     query: authorized_keys
   - description: Application, System, and Mobile App crash logs.
-    interval: 0
+    interval: 3600
     name: crashes
     platform: darwin
     query: crashes
     removed: false
   - description: Displays the percentage of free space available on the primary disk
       partition
-    interval: 0
+    interval: 3600
     name: disk_free_space_pct
     platform: darwin
     query: disk_free_space_pct
     snapshot: true
   - description: Retrieve the interface name, IP address, and MAC address for all
       interfaces on the host.
-    interval: 0
+    interval: 600
     name: network_interfaces_snapshot
     platform: darwin
     query: network_interfaces_snapshot
     snapshot: true
   - description: Information about EFI/UEFI/ROM and platform/boot.
-    interval: 0
+    interval: 28800
     name: platform_info
     platform: darwin
     query: platform_info
     removed: false
   - description: System uptime
-    interval: 0
+    interval: 1800
     name: uptime
     platform: darwin
     query: uptime
     snapshot: true
   - description: MD5 hash of boot.efi
-    interval: 0
+    interval: 28800
     name: boot_efi_hash
     platform: darwin
     query: boot_efi_hash
   - description: Snapshot query for Chrome extensions
-    interval: 0
+    interval: 28800
     name: chrome_extensions_snapshot
     platform: darwin
     query: chrome_extensions_snapshot
   - description: Snapshot query for installed_applications
-    interval: 0
+    interval: 28800
     name: installed_applications_snapshot
     platform: darwin
     query: installed_applications_snapshot
     snapshot: true
   - description: NFS shares exported by the host.
-    interval: 0
+    interval: 3600
     name: nfs_shares
     platform: darwin
     query: nfs_shares
     removed: false
   - description: List the version of the resident operating system
-    interval: 0
+    interval: 28800
     name: os_version
     platform: darwin
     query: os_version
   - description: Applications and binaries set as user/login startup items.
-    interval: 0
+    interval: 3600
     name: startup_items
     platform: darwin
     query: startup_items
   - description: All C/NPAPI browser plugin details for all users.
-    interval: 0
+    interval: 3600
     name: browser_plugins
     platform: darwin
     query: browser_plugins
   - description: List installed Firefox addons for all users
-    interval: 0
+    interval: 3600
     name: firefox_addons
     platform: darwin
     query: firefox_addons
   - description: Discover hosts that have IP forwarding enabled
-    interval: 0
+    interval: 28800
     name: ip_forwarding_enabled
     platform: darwin
     query: ip_forwarding_enabled
     removed: false
   - description: Platform info snapshot query
-    interval: 0
+    interval: 28800
     name: platform_info_snapshot
     platform: darwin
     query: platform_info_snapshot
   - description: Python packages installed in a system.
-    interval: 0
+    interval: 3600
     name: python_packages
     platform: darwin
     query: python_packages
   - description: List installed Chrome Extensions for all users
-    interval: 0
+    interval: 3600
     name: chrome_extensions
     platform: darwin
     query: chrome_extensions
   - description: Disk encryption status and information.
-    interval: 0
+    interval: 3600
     name: disk_encryption
     platform: darwin
     query: disk_encryption
   - description: Local system users.
-    interval: 0
+    interval: 28800
     name: users_snapshot
     platform: darwin
     query: users_snapshot
   - description: OS X known/remembered Wi-Fi networks list.
-    interval: 0
+    interval: 28800
     name: wireless_networks
     platform: darwin
     query: wireless_networks
     removed: false
   - description: Determine if the host is running the expected EFI firmware version
       given their Mac hardware and OS build version (https://github.com/duo-labs/EFIgy)
-    interval: 0
+    interval: 28800
     name: efigy
     platform: darwin
     query: efigy
     snapshot: true
   - description: List the contents of /etc/hosts
-    interval: 0
+    interval: 28800
     name: etc_hosts
     platform: darwin
     query: etc_hosts
   - description: Operating system version snapshot query
-    interval: 0
+    interval: 28800
     name: os_version_snapshot
     platform: darwin
     query: os_version_snapshot
     snapshot: true
   - description: Information about the resident osquery process
-    interval: 0
+    interval: 28800
     name: osquery_info
     platform: darwin
     query: osquery_info
     snapshot: true
   - description: Apple's System Integrity Protection (rootless) status.
-    interval: 0
+    interval: 3600
     name: sip_config
     platform: darwin
     query: sip_config
   - description: Returns the private keys in the users ~/.ssh directory and whether
       or not they are encrypted.
-    interval: 0
+    interval: 3600
     name: user_ssh_keys
     platform: darwin
     query: user_ssh_keys