{"id":22748190,"url":"https://github.com/githubfoam/ubuntu-githubactions","last_synced_at":"2025-07-16T23:35:21.843Z","repository":{"id":62606884,"uuid":"387456605","full_name":"githubfoam/ubuntu-githubactions","owner":"githubfoam","description":"ubuntu osquery","archived":false,"fork":false,"pushed_at":"2022-06-02T08:56:24.000Z","size":99,"stargazers_count":2,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-03-30T05:42:49.706Z","etag":null,"topics":["dfir","matrix","osquery","ubuntu"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/githubfoam.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-07-19T12:29:01.000Z","updated_at":"2024-06-08T14:51:15.000Z","dependencies_parsed_at":"2022-11-04T01:15:15.778Z","dependency_job_id":null,"html_url":"https://github.com/githubfoam/ubuntu-githubactions","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/githubfoam/ubuntu-githubactions","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/githubfoam%2Fubuntu-githubactions","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/githubfoam%2Fubuntu-githubactions/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/githubfoam%2Fubuntu-githubactions/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/githubfoam%2Fubuntu-githubactions/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/githubfoam","download_url":"https://codeload.g
ithub.com/githubfoam/ubuntu-githubactions/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/githubfoam%2Fubuntu-githubactions/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265550411,"owners_count":23786564,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dfir","matrix","osquery","ubuntu"],"created_at":"2024-12-11T03:20:48.803Z","updated_at":"2025-07-16T23:35:21.825Z","avatar_url":"https://github.com/githubfoam.png","language":"Shell","readme":"# ubuntu-githubactions\n[![ubuntu 18.04  osquery CI workflow](https://github.com/githubfoam/ubuntu-githubactions/actions/workflows/1804-osquery-wf.yml/badge.svg)](https://github.com/githubfoam/ubuntu-githubactions/actions/workflows/1804-osquery-wf.yml)  \n[![ubuntu 20.04 osquery CI workflow](https://github.com/githubfoam/ubuntu-githubactions/actions/workflows/2004-osquery-wf.yml/badge.svg)](https://github.com/githubfoam/ubuntu-githubactions/actions/workflows/2004-osquery-wf.yml)  \n[![ubuntu 22.04 osquery CI workflow](https://github.com/githubfoam/ubuntu-githubactions/actions/workflows/2204-osquery-wf.yml/badge.svg)](https://github.com/githubfoam/ubuntu-githubactions/actions/workflows/2204-osquery-wf.yml)  \n[![ubuntu latest osquery CI workflow](https://github.com/githubfoam/ubuntu-githubactions/actions/workflows/latest-osquery-wf.yml/badge.svg)](https://github.com/githubfoam/ubuntu-githubactions/actions/workflows/latest-osquery-wf.yml)  \n\n[![osquery matrix CI 
workflow](https://github.com/githubfoam/ubuntu-githubactions/actions/workflows/osquery-matrix-wf.yml/badge.svg)](https://github.com/githubfoam/ubuntu-githubactions/actions/workflows/osquery-matrix-wf.yml)\n~~~~\n\nosquery\u003e select * from yara ;\nError: no query solution\nosquery\u003e select time, severity, message from syslog ;\nW1115 22:01:25.011281 19521 virtual_table.cpp:930] Table syslog_events is event-based but events are disabled\nW1115 22:01:25.011309 19521 virtual_table.cpp:937] Please see the table documentation: https://osquery.io/schema/#syslog_events\n~~~~\nDebian osquery\n~~~~\nosqueryd --help\nosqueryi --verbose\n\nosqueryi\nW1129 09:58:36.125007 19325 options.cpp:91] Cannot set unknown or invalid flag: log_result_events\nW1129 09:58:36.125895 19325 options.cpp:91] Cannot set unknown or invalid flag: enable_monitor\nUsing a virtual database. Need help, type '.help'\nosquery\u003e\n\nosquery\u003e .show\n\nview mode of query results\nosquery\u003e .mode csv\nosquery\u003e .mode list\nosquery\u003e .mode column\nosquery\u003e .mode line\n\nlist all available tables\nosquery\u003e .tables\n\nquery table \"file_events\" if exists\nosquery\u003e .schema file_events\n\nosquery\u003e .schema users\nCREATE TABLE users(`uid` BIGINT, `gid` BIGINT, `uid_signed` BIGINT, `gid_signed` BIGINT, `username` TEXT, `description` TEXT, `directory` TEXT, `shell` TEXT, `uuid` TEXT, `type` TEXT HIDDEN, `is_hidden` INTEGER HIDDEN, PRIMARY KEY (`uid`, `username`)) WITHOUT ROWID;\n\nosquery\u003e .schema processes\nCREATE TABLE processes(`pid` BIGINT, `name` TEXT, `path` TEXT, `cmdline` TEXT, `state` TEXT, `cwd` TEXT, `root` TEXT, `uid` BIGINT, `gid` BIGINT, `euid` BIGINT, `egid` BIGINT, `suid` BIGINT, `sgid` BIGINT, `on_disk` INTEGER, `wired_size` BIGINT, `resident_size` BIGINT, `total_size` BIGINT, `user_time` BIGINT, `system_time` BIGINT, `disk_bytes_read` BIGINT, `disk_bytes_written` BIGINT, `start_time` BIGINT, `parent` BIGINT, `pgroup` BIGINT, `threads` INTEGER, 
`nice` INTEGER, `is_elevated_token` INTEGER HIDDEN, `elapsed_time` BIGINT HIDDEN, `handle_count` BIGINT HIDDEN, `percent_processor_time` BIGINT HIDDEN, `upid` BIGINT HIDDEN, `uppid` BIGINT HIDDEN, `cpu_type` INTEGER HIDDEN, `cpu_subtype` INTEGER HIDDEN, `phys_footprint` BIGINT HIDDEN, PRIMARY KEY (`pid`)) WITHOUT ROWID;\nosquery\u003e\n\n\nshow details about the system hardware\nosquery\u003e SELECT * FROM system_info;\nhostname,uuid,cpu_type,cpu_subtype,cpu_brand,cpu_physical_cores,cpu_logical_cores,cpu_microcode,physical_memory,hardware_vendor,hardware_model,hardware_version,hardware_serial,computer_name,local_hostname\nvg-osquery-01,26dbc95e-9186-4fdd-a315-5181c84e2673,x86_64,158,Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz,2,2,,502169600,,,,,vg-osquery-01,vg-osquery-01\n\nosquery\u003e SELECT * FROM os_version;\nname,version,major,minor,patch,build,platform,platform_like,codename\nUbuntu,19.04 (Disco Dingo),19,4,0,,ubuntu,debian,disco\n\nosquery\u003e SELECT * FROM kernel_info;\nversion,arguments,path,device\n5.0.0-17-generic,ro net.ifnames=0 biosdevname=0 quiet,/boot/vmlinuz-5.0.0-17-generic,/dev/mapper/vagrant--vg-root\n\nosquery\u003e SELECT * FROM kernel_modules LIMIT 5;\nname,size,used_by,status,address\nvboxsf,81920,-,Live,0x0000000000000000\ndm_multipath,32768,-,Live,0x0000000000000000\nscsi_dh_rdac,16384,-,Live,0x0000000000000000\nscsi_dh_emc,16384,-,Live,0x0000000000000000\nscsi_dh_alua,20480,-,Live,0x0000000000000000\n\n\n\nChecking Repository and Packages\n\nosquery\u003e SELECT * FROM apt_sources;\nname,source,base_uri,release,version,maintainer,components,architectures\nsecurity.ubuntu.com/ubuntu disco-security universe,/etc/apt/sources.list,http://security.ubuntu.com/ubuntu,disco,19.04,Ubuntu,main restricted universe multiverse,amd64 arm64 armhf i386 ppc64el s390x\nsecurity.ubuntu.com/ubuntu disco-security multiverse,/etc/apt/sources.list,http://security.ubuntu.com/ubuntu,disco,19.04,Ubuntu,main restricted universe multiverse,amd64 arm64 armhf i386 
ppc64el s390x\nppa.launchpad.net/ansible/ansible/ubuntu disco main,/etc/apt/sources.list.d/ansible-ubuntu-ansible-disco.list,http://ppa.launchpad.net/ansible/ansible/ubuntu,disco,19.04,LP-PPA-ansible-ansible,main,amd64 arm64 armhf i386 ppc64el s390x\nosquery-packages.s3.amazonaws.com/xenial xenial main,/etc/apt/sources.list.d/osquery_packages_s3_amazonaws_com_xenial.list,https://osquery-packages.s3.amazonaws.com/xenial,xenial,,osquery-builder,main,amd64\n\nosquery\u003e SELECT name, base_uri, release, maintainer, components FROM apt_sources ORDER BY name;\nname,base_uri,release,maintainer,components\nosquery-packages.s3.amazonaws.com/xenial xenial main,https://osquery-packages.s3.amazonaws.com/xenial,xenial,osquery-builder,main\nppa.launchpad.net/ansible/ansible/ubuntu disco main,http://ppa.launchpad.net/ansible/ansible/ubuntu,disco,LP-PPA-ansible-ansible,main\nsecurity.ubuntu.com/ubuntu disco-security multiverse,http://security.ubuntu.com/ubuntu,disco,Ubuntu,main restricted universe multiverse\nsecurity.ubuntu.com/ubuntu disco-security universe,http://security.ubuntu.com/ubuntu,disco,Ubuntu,main restricted universe multiverse\n\nosquery\u003e SELECT * FROM deb_packages;\nosquery\u003e SELECT name, version FROM deb_packages ORDER BY name;\nosquery\u003e SELECT name, version FROM deb_packages WHERE name=\"unzip\";\nname,version\nunzip,6.0-22ubuntu1\n\nList the users\nosquery\u003e SELECT * FROM users;\n\nwho is logged into the system now\nosquery\u003e select * from logged_in_users ;\n\nprevious logins\nosquery\u003e select * from last ;\n\nIf there is no output, either no iptables rules are loaded or osquery lacks the privilege to read them (run osqueryi as root before concluding that the firewall is unconfigured).\nosquery\u003e select * from iptables ;\nosquery\u003e select chain, policy, src_ip, dst_ip from iptables ;\n\nprocess name, port and PID for every process that has a listening port\nosquery\u003e SELECT DISTINCT processes.name, listening_ports.port, processes.pid FROM listening_ports JOIN processes USING (pid);\n\ntop 10 process names by number of running instances (count, name)\nosquery\u003e select count(pid) as total, name from processes group by name order by total desc limit 10;\n\ntop 10 largest processes by resident memory size\nosquery\u003e select pid, name, uid, resident_size from processes order by resident_size desc limit 10;\n\nosquery\u003e SELECT address FROM etc_hosts WHERE hostnames = 'localhost';\n+-----------+\n| address   |\n+-----------+\n| 127.0.0.1 |\n+-----------+\nosquery\u003e SELECT * FROM arp_cache;\n+----------+-------------------+-----------+-----------+\n| address  | mac               | interface | permanent |\n+----------+-------------------+-----------+-----------+\n| 10.0.2.2 | 52:54:00:12:35:02 | eth0      | 0         |\n| 10.0.2.3 | 52:54:00:12:35:03 | eth0      | 0         |\n+----------+-------------------+-----------+-----------+\n\n~~~~\nCTI, DFIR, Debian\n~~~~\nFinding new processes listening on network ports: malware listens on a port to provide command and control (C\u0026C) or direct shell access; query periodically and diff against the last known-good result\nosquery\u003e SELECT DISTINCT process.name, listening.port, listening.address, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;\n\nFinding suspicious outbound network activity: any process that does not fit its allowlisted network behaviour, e.g. a process scp’ing traffic externally when it should only make HTTP(S) connections outbound. Note that family = 2 limits the result to IPv4 (AF_INET); add family = 10 for IPv6, and exclude remote_port = 0 to drop listening or not-yet-connected sockets, which otherwise show up as false positives.\nosquery\u003e select s.pid, p.name, local_address, remote_address, family, protocol, local_port, remote_port from process_open_sockets s join processes p on s.pid = p.pid where remote_port not in (80, 443) and family = 2;\n\nFinding running processes whose binary has been deleted from disk: attackers leave a malicious process running but delete (or replace) the original binary on disk; on_disk is 0 for a deleted executable and -1 when osquery cannot determine it\nosquery\u003e SELECT name, path, pid FROM processes WHERE on_disk = 0;\n\nFinding newly loaded kernel modules (rootkits often load as modules): query periodically and diff against older results; the module list can also be checked against an allowlist/denylist\nosquery\u003e select name from kernel_modules;\n\nview the list of loaded kernel modules; query periodically and compare the output against older results to see if anything has changed\nosquery\u003e select name, used_by, status from kernel_modules where status=\"Live\";\n\nFinding malware scheduled to run at specific intervals (cron persistence)\nosquery\u003e select command, path from crontab ;\n\nFinding backdoored binaries: setuid-enabled files on the system; look for any that should not be there, and query periodically and compare against older results to catch additions\nosquery\u003e select * from suid_bin ;\n\nFinding backdoors: list every listening port; the output also includes the ports the server is supposed to listen on, so compare it against the expected set\nosquery\u003e select * from listening_ports ;\n\nall recent file activity on the server; file_events is event-based, so it is only populated by a running osqueryd with file_paths configured and events enabled (in a plain osqueryi session it stays empty, as the syslog_events warning above shows for event tables)\nosquery\u003e select target_path, action, uid from file_events ;\n\n\n\n~~~~\n\nCentos osquery\n~~~~\nlist of all installed RPM packages\nosquery\u003e .all rpm_packages;\n~~~~\n\n~~~~\npredefined tables\n\u003chttps://osquery.io/schema/4.1.1\u003e\n\n# 
https://osquery.readthedocs.io/en/stable/installation/install-linux/\n\nhttps://github.com/google/santa\nhttps://github.com/groob/moroz\nhttps://github.com/zentralopensource/zentral\n\nhttps://github.com/actions/virtual-environments\n\n~~~~\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgithubfoam%2Fubuntu-githubactions","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgithubfoam%2Fubuntu-githubactions","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgithubfoam%2Fubuntu-githubactions/lists"}
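The README's DFIR queries (new listeners, suspicious outbound connections, processes whose binary is gone from disk) can be exercised without an osquery install, because osquery's query language is SQLite. The following is an added example, not code from the ubuntu-githubactions repository: it builds an in-memory SQLite model of the `processes`, `listening_ports` and `process_open_sockets` tables (trimmed to the columns the queries touch, column names and types following the osquery schema), loads constructed sample rows, and runs the README's outbound-activity query next to a tightened version that also covers IPv6 (family 10) and drops sockets with no peer (remote_port 0). The host state, pids and addresses are invented for the demonstration.

```python
"""Added example, not code from the ubuntu-githubactions repository: run the
README's DFIR queries against an in-memory SQLite model of three osquery
tables. osquery's query language is SQLite, so the statements osqueryi accepts
run unchanged here. The table layouts keep only the columns the queries use
(names and types follow the osquery schema); every row is constructed sample
data, not output captured from a real host."""
import sqlite3

SCHEMA = """
CREATE TABLE processes(pid BIGINT, name TEXT, path TEXT, cmdline TEXT,
                       uid BIGINT, on_disk INTEGER);
CREATE TABLE listening_ports(pid BIGINT, port INTEGER, protocol INTEGER,
                             family INTEGER, address TEXT);
CREATE TABLE process_open_sockets(pid BIGINT, fd BIGINT, family INTEGER,
    protocol INTEGER, local_address TEXT, remote_address TEXT,
    local_port INTEGER, remote_port INTEGER, state TEXT);
"""

# Constructed host state. sshd and nginx are expected services. pid 4242 is a
# hypothetical process (named to blend in with kernel threads) whose binary was
# unlinked after it started (on_disk = 0); it listens on 31337 and holds
# outbound connections to port 4444 over both IPv4 (family 2) and IPv6 (10).
SAMPLE_ROWS = {
    "processes": [
        (1, "systemd", "/sbin/init", "/sbin/init", 0, 1),
        (812, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D", 0, 1),
        (901, "nginx", "/usr/sbin/nginx", "nginx: worker process", 33, 1),
        (4242, "kworker", "/tmp/.x/kworker (deleted)", "./kworker", 1000, 0),
    ],
    "listening_ports": [
        (812, 22, 6, 2, "0.0.0.0"),
        (901, 443, 6, 2, "0.0.0.0"),
        (4242, 31337, 6, 2, "0.0.0.0"),
    ],
    "process_open_sockets": [
        # a listening socket has no peer yet: remote_port is 0
        (812, 3, 2, 6, "0.0.0.0", "0.0.0.0", 22, 0, "LISTEN"),
        (901, 7, 2, 6, "10.0.2.15", "93.184.216.34", 51000, 443, "ESTABLISHED"),
        (4242, 5, 2, 6, "10.0.2.15", "198.51.100.7", 51010, 4444, "ESTABLISHED"),
        (4242, 6, 10, 6, "fd00::15", "2001:db8::1", 51011, 4444, "ESTABLISHED"),
    ],
}

# Query text as the README shows it.
PAGE_OUTBOUND = """
SELECT s.pid, p.name, local_address, remote_address, family, protocol,
       local_port, remote_port
FROM process_open_sockets s JOIN processes p ON s.pid = p.pid
WHERE remote_port NOT IN (80, 443) AND family = 2"""

# Tightened form: AF_INET6 is family 10, and sockets without a peer report
# remote_port 0, so the IPv6 connection is caught and the LISTEN row dropped.
HARDENED_OUTBOUND = """
SELECT s.pid, p.name, local_address, remote_address, family, protocol,
       local_port, remote_port
FROM process_open_sockets s JOIN processes p ON s.pid = p.pid
WHERE remote_port NOT IN (0, 80, 443) AND family IN (2, 10)"""

LISTENING = """
SELECT DISTINCT process.name, listening.port, listening.address, process.pid
FROM processes AS process
JOIN listening_ports AS listening ON process.pid = listening.pid"""

DELETED_BINARY = "SELECT name, path, pid FROM processes WHERE on_disk = 0"


def build_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def run(conn, sql):
    """Execute one query and return all rows as tuples."""
    return conn.execute(sql).fetchall()


def outbound_pids(conn, sql):
    """Distinct pids an outbound-activity query flags, sorted."""
    return sorted({row[0] for row in run(conn, sql)})


if __name__ == "__main__":
    db = build_db()
    print("page query flags pids:", outbound_pids(db, PAGE_OUTBOUND))
    print("hardened query flags pids:", outbound_pids(db, HARDENED_OUTBOUND))
    print("listening:", run(db, LISTENING))
    print("deleted binaries:", run(db, DELETED_BINARY))
```

On the constructed data the README's query flags sshd (pid 812) purely because its LISTEN socket has remote_port 0, and misses the IPv6 connection of pid 4242; the tightened query flags only pid 4242, twice. Against a live host, paste either WHERE clause into osqueryi unchanged.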
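Several of the CTI/DFIR entries above (new listeners, new kernel modules, setuid additions) say to query periodically and diff against the last known-good result but do not show the diff. This added example, not code from the ubuntu-githubactions repository, does that step: `osqueryi --json` emits a JSON array of row objects with string values, so two snapshots in that shape are constructed inline and compared. The key fields are chosen deliberately: a listener is identified by (name, port, address) rather than pid, so a service restart is not reported as a change, while a kernel module is identified by name. The `osquery_json` and `check_host` helpers are the live-host path and assume osqueryi is on PATH; the baseline file name is whatever the caller passes.

```python
"""Added example, not code from the ubuntu-githubactions repository: the
"query periodically and diff against the last known-good result" step for the
README's listening-ports and kernel-modules queries. osqueryi --json prints a
JSON array of row objects whose values are all strings; the snapshots below
are constructed in that shape so the diff runs offline."""
import json
import subprocess

# Constructed baseline (known good) and later snapshot for the README's
# listening-ports query. sshd was restarted between the runs (new pid) and a
# process on port 31337 appeared.
BASELINE_PORTS = [
    {"name": "sshd", "port": "22", "address": "0.0.0.0", "pid": "812"},
    {"name": "nginx", "port": "443", "address": "0.0.0.0", "pid": "901"},
]
CURRENT_PORTS = [
    {"name": "sshd", "port": "22", "address": "0.0.0.0", "pid": "2210"},
    {"name": "nginx", "port": "443", "address": "0.0.0.0", "pid": "901"},
    {"name": "kworker", "port": "31337", "address": "0.0.0.0", "pid": "4242"},
]

# Constructed module snapshots; "unexpected_mod" is a made-up module name.
BASELINE_MODULES = [{"name": n} for n in ("vboxsf", "dm_multipath", "scsi_dh_rdac")]
CURRENT_MODULES = [{"name": n} for n in
                   ("vboxsf", "dm_multipath", "scsi_dh_rdac", "unexpected_mod")]

CHECKS = {
    # query text from the README; key fields identify a row across runs
    "listening_ports": {
        "sql": "SELECT DISTINCT process.name, listening.port, listening.address, "
               "process.pid FROM processes AS process JOIN listening_ports AS "
               "listening ON process.pid = listening.pid",
        "key": ("name", "port", "address"),   # not pid: pids change on restart
    },
    "kernel_modules": {"sql": "select name from kernel_modules", "key": ("name",)},
}


def row_key(row, key_fields):
    """Identity of a row for diffing: the selected fields, as strings."""
    return tuple(str(row.get(f, "")) for f in key_fields)


def diff_snapshots(baseline, current, key_fields):
    """Return (added, removed): rows only in current, rows only in baseline."""
    base = {row_key(r, key_fields): r for r in baseline}
    cur = {row_key(r, key_fields): r for r in current}
    added = [cur[k] for k in sorted(cur.keys() - base.keys())]
    removed = [base[k] for k in sorted(base.keys() - cur.keys())]
    return added, removed


def osquery_json(sql):
    """Run a query through osqueryi and parse its --json output.
    Live-host path only: needs osquery installed and enough privilege."""
    out = subprocess.run(["osqueryi", "--json", sql],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def check_host(name, baseline_path):
    """Diff a live query against the stored baseline JSON file. The baseline is
    not rewritten here: promote a snapshot with save_baseline only after the
    reported changes have been triaged, or the next run silently accepts them."""
    check = CHECKS[name]
    current = osquery_json(check["sql"])
    try:
        with open(baseline_path) as fh:
            baseline = json.load(fh)
    except FileNotFoundError:
        baseline = []          # first run: everything shows up as added
    added, removed = diff_snapshots(baseline, current, check["key"])
    return added, removed, current


def save_baseline(rows, baseline_path):
    """Persist a triaged snapshot as the new known-good baseline."""
    with open(baseline_path, "w") as fh:
        json.dump(rows, fh)


if __name__ == "__main__":
    a, r = diff_snapshots(BASELINE_PORTS, CURRENT_PORTS, CHECKS["listening_ports"]["key"])
    print("new listeners:", a, "gone:", r)
    a, r = diff_snapshots(BASELINE_MODULES, CURRENT_MODULES, CHECKS["kernel_modules"]["key"])
    print("new modules:", a, "gone:", r)
```

Keying the listener diff on pid instead would report the restarted sshd as one removed and one added row on every restart, which is the noise that makes such checks get ignored; keying on (name, port, address) reports only the genuinely new 31337 listener.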