{"id":20148221,"url":"https://github.com/chainguard-dev/osqtool","last_synced_at":"2025-04-09T15:05:49.104Z","repository":{"id":61326615,"uuid":"548925897","full_name":"chainguard-dev/osqtool","owner":"chainguard-dev","description":"Automated testing, generation \u0026 manipulation of #osquery packs","archived":false,"fork":false,"pushed_at":"2024-10-16T14:17:50.000Z","size":1683,"stargazers_count":72,"open_issues_count":1,"forks_count":6,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-04-09T15:05:43.345Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chainguard-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-10-10T12:00:40.000Z","updated_at":"2025-01-20T01:34:09.000Z","dependencies_parsed_at":"2023-12-15T22:27:58.915Z","dependency_job_id":"2ae86165-c270-42e7-b6a0-22c5de989d26","html_url":"https://github.com/chainguard-dev/osqtool","commit_stats":{"total_commits":61,"total_committers":4,"mean_commits":15.25,"dds":0.06557377049180324,"last_synced_commit":"cc12cbe1ccdca89e17f343c102661be1a0ae9b65"},"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fosqtool","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fosqtool/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fosqtool/releases","manifests_url":"https://repos.ec
osyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fosqtool/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chainguard-dev","download_url":"https://codeload.github.com/chainguard-dev/osqtool/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248055284,"owners_count":21040157,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T22:35:41.913Z","updated_at":"2025-04-09T15:05:49.073Z","avatar_url":"https://github.com/chainguard-dev.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# osqtool\n\n[![Actions Status](https://github.com/chainguard-dev/osqtool/workflows/Go/badge.svg)](https://github.com/chainguard-dev/osqtool/actions)\n[![Go Report](https://goreportcard.com/badge/github.com/chainguard-dev/osqtool)](https://goreportcard.com/badge/github.com/chainguard-dev/osqtool)\n[![Latest Release](https://img.shields.io/github/v/release/chainguard-dev/osqtool?include_prereleases)](https://github.com/chainguard-dev/osqtool/releases/latest)\n[![stable](http://badges.github.io/stability-badges/dist/stable.svg)](http://github.com/badges/stability-badges)\n\nA swiss-army tool for testing, creating, and manipulating [osquery](https://osquery.io/) query packs.\n\n![osqtool logo](images/logo-small.png?raw=true \"osqtool logo\")\n\n## Installation\n\nWith [Go](https://go.dev/) v1.20+ installed, run:\n\n```shell\ngo install github.com/chainguard-dev/osqtool/cmd/osqtool@latest\n```\n\n## Usage\n\nosqtool supports 4 commands:\n\n* `apply` - 
programmatically manipulate an osquery query pack, for instance, adjusting intervals\n* `pack` - create a JSON pack file from a directory of raw SQL files\n* `unpack` - extract raw SQL files from a JSON query pack file\n* `run` - run an osquery pack file or directory of SQL queries with human and diff-friendly output\n* `verify` - verify that the queries in a query pack, directory, or raw SQL file are valid and test well\n\n### Apply\n\nWant to take an osquery pack from the internet, but make changes to it programmatically? osqtool has you covered:\n\n```shell\ncurl https://raw.githubusercontent.com/osquery/osquery/master/packs/it-compliance.conf \\\n  | osqtool --min-interval=8h --platforms linux,posix --exclude os_version apply -\n```\n\nThis will set all queries to an 8-hour interval, remove Windows-specific queries, and exclude a query named `os_version`.\n\n### Pack\n\nCreate an osquery pack configuration from a recursive directory of SQL files:\n\n```shell\nosqtool pack /tmp/osx-attacks\n```\n\nHere's the example output:\n\n```json\n{\n  \"queries\": {\n    \"Aobo_Keylogger\": {\n      \"query\": \"select * from launchd where name like 'com.ab.kl%.plist';\",\n      \"interval\": \"3600\",\n      \"version\": \"1.4.5\",\n      \"description\": \"(http://aobo.cc/aobo-mac-os-x-keylogger.html)\",\n      \"value\": \"Artifact used by this malware\"\n    },\n    \"Backdoor_MAC_Eleanor\": {\n      \"query\": \"SELECT * FROM launchd WHERE name IN ('com.getdropbox.dropbox.integritycheck.plist','com.getdropbox.dropbox.timegrabber.plist','com.getdropbox.dropbox.usercontent.plist');\",\n      \"interval\": \"3600\",\n      \"version\": \"1.4.5\",\n      \"description\": \"(https://blog.malwarebytes.com/cybercrime/2016/07/new-mac-backdoor-malware-eleanor/)\",\n      \"value\": \"Artifact used by this malware\"\n    },\n...\n```\n\nThe `pack` command supports the same flags as the `apply` command. 
In particular, you may find `--exclude`, `--exclude-tags`, and `--verify` useful.\n\n### Run\n\nRun a set of queries!\n\n```shell\nosqtool run incident-response.conf\n```\n\nExample output:\n\n```log\nblock_devices (7 rows)\n----------------------\nblock_size:512 label: model: name:/dev/nvme0n1 parent: size:488397168 type: uuid: vendor:\nblock_size: label: model: name:/dev/nvme0n1p1 parent:/dev/nvme0n1 size:614400 type: uuid: vendor:\nblock_size: label: model: name:/dev/nvme0n1p2 parent:/dev/nvme0n1 size:415929892 type: uuid: vendor:\nblock_size: label: model: name:/dev/nvme0n1p3 parent:/dev/nvme0n1 size:71843677 type: uuid: vendor:\nblock_size:512 label: model:'SD Card Reader' name:/dev/sda parent: size:0 type: uuid: vendor:CalDigit\nblock_size:512 label: model: name:/dev/dm-0 parent: size:415925796 type: uuid: vendor:\nblock_size:512 label: model: name:/dev/dm-1 parent: size:71839581 type: uuid: vendor:\n\ncrontab (1 rows)\n----------------\ncommand:'root run-parts /etc/cron.hourly' day_of_month:* day_of_week:* event: hour:* minute:01 month:* path:/etc/cron.d/0hourly\n\ndisk_encryption (0 rows)\n```\n\n### Unpack\n\nExtract an osquery pack into a directory of SQL files:\n\n```shell\nosqtool --output=/tmp/osx-attacks unpack osx-attacks.conf\n```\n\nHere is example output:\n\n```log\nWriting 745 bytes to /tmp/out/OceanLotus_dropped_file_1.sql ...\nWriting 268 bytes to /tmp/out/OSX_MaMi_DNS_Servers.sql ...\nWriting 328 bytes to /tmp/out/OSX_ColdRoot_RAT_Files.sql ...\nWriting 209 bytes to /tmp/out/iWorm.sql ...\n74 queries saved to /tmp/out\n```\n\nThe `unpack` command supports the same flags as the `apply` command.\n\n### Verify\n\nVerify that the queries are valid in a pack, SQL file, or directory of SQL files.\n\n```shell\nosqtool verify /tmp/detect\n```\n\nExample output:\n\n```log\nVerifying \"high-disk-bytes-written\" ...\nhigh-disk-bytes-written\" returned 0 rows within 264.361831ms\nVerifying \"unexpected-shell-parents\" ...\n\"unexpected-shell-parents\" 
failed validation: /sbin/osqueryi --json [exit status 1]: Error: near line 1: near \"sh\": syntax error\n78 queries found: 55 verified, 10 errored, 13 skipped\n\"verify\" failed: 10 errors occurred:\n * xprotect-reports: /sbin/osqueryi --json [exit status 1]: Error: near line 1: no such table: xprotect_reports\n```\n\nYou can set limits on the number of rows returned, amount of runtime per query, per day, or across the pack, see `--help` for more information.\n\n### Common Flags\n\nHere are the options that are available to `apply`, `unpack`, `pack`, and `verify`\n\n```\n  -default-interval duration\n    \tInterval to use for queries which do not specify one (default 1h0m0s)\n  -exclude string\n    \tComma-separated list of queries to exclude\n  -exclude-tags string\n    \tComma-separated list of tags to exclude (default \"disabled\")\n  -max-interval duration\n    \tQueries can't be scheduled more often than this (default 15s)\n  -max-query-daily-duration duration\n    \tMaximum duration for a single query multiplied by how many times it runs daily (checked during --verify) (default 1h0m0s)\n  -max-query-duration duration\n    \tMaximum query duration (checked during --verify) (default 4s)\n  -max-results int\n    \tMaximum number of results a query may return during verify (default 1000)\n  -max-total-daily-duration duration\n    \tMaximum total query-duration per day across all queries (default 6h0m0s)\n  -min-interval duration\n    \tQueries cant be scheduled less often than this (default 24h0m0s)\n  -multi-line\n    \toutput queries is multi-line form. 
This is accepted by osquery, but technically is invalid JSON.\n  -output string\n    \tLocation of output\n  -platforms string\n    \tComma-separated list of platforms to include\n  -single-quotes\n    \tRender double quotes as single quotes (may corrupt queries)\n  -skip_headers\n    \tIf true, avoid header prefixes in the log messages\n  -tag-intervals string\n    \tmodifiers to the default-interval based on query tags (default \"transient=5m,postmortem=6h,rapid=15s,often=x/4,seldom=2x\")\n  -verify\n    \tVerify the output\n  -workers int\n      Number of workers to use when verifying results (0 for automatic)\n```\n\nAt the moment, flags must be declared before the subcommand. `¯\\_(ツ)_/¯`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fosqtool","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchainguard-dev%2Fosqtool","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fosqtool/lists"}