refactor: add changelog and update profiles
Add changes to changelog and update full and ir_profile to run new artifact.
Remove osqueryi binary.
tclahr committed Feb 5, 2025
1 parent 84159d6 commit a3f2c70
Showing 5 changed files with 38 additions and 34 deletions.
3 changes: 2 additions & 1 deletion CHANGELOG.md
Expand Up @@ -38,13 +38,14 @@ All notable changes to this project will be documented in this file.
- `live_response/packages/portage.yaml`: Added collection of installed package lists using the Portage package management system [linux]. (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal))
- `live_response/packages/slackpkg.yaml`: Added collection of installed and upgradable packages managed by the Slackpkg package manager [linux]. (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal))
- `live_response/storage/findmnt.yaml`: Added JSON output support for listing all mounted file systems [linux]. (by [mnrkbys](https://github.com/mnrkbys))
- `live_response/system/immutable_files.yaml`: Added functionality to list immutable files on the system [linux].
- `live_response/storage/lsblk.yaml`: Added JSON output support for listing block devices [linux]. (by [mnrkbys](https://github.com/mnrkbys))
- `live_response/system/coredump.yaml`: Added collection of information about core dump files [linux]. (by [mnrkbys](https://github.com/mnrkbys))
- `live_response/system/getcap.yaml`: Added functionality to collect a list of files with associated process capabilities [linux]. (by [mnrkbys](https://github.com/mnrkbys))
- `live_response/system/immutable_files.yaml`: Added functionality to list immutable files on the system [linux].
- `live_response/system/journalctl.yaml`: Added collection of boot time period listings using `journalctl` [linux]. (by [mnrkbys](https://github.com/mnrkbys))
- `live_response/system/ulimit.yaml`: Added collection of all resource limits information [all]. (by [mnrkbys](https://github.com/mnrkbys))
- `memory_dump/coredump.yaml`: Added collection of core dump, ABRT, Apport, and kdump files [esxi, linux, netbsd]. (by [mnrkbys](https://github.com/mnrkbys))
- `osquery/osquery.yaml`: Added collection of multiple artifacts using OSQuery tool. Please note that the `osqueryi` binary is not included in the UAC package and must be manually placed in the `bin` directory [linux]. (by [SolitudePy](https://github.com/SolitudePy))

### Changed

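Review bot: the `live_response/system/immutable_files.yaml` entry appears both as the removed line (above `lsblk.yaml`) and as the added line (below `getcap.yaml`), so this hunk is a reorder to keep the list alphabetical plus the one genuinely new entry for `osquery/osquery.yaml`; that is fine, but the new entry's note that "the `osqueryi` binary is not included in the UAC package and must be manually placed in the `bin` directory" is the only place in this commit that documents the consequence of removing `bin/linux/osqueryi`, so consider also mentioning it under `### Changed` (or in the README) where operators staging a collection package will look for it.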
67 changes: 34 additions & 33 deletions artifacts/osquery/osquery.yaml
@@ -1,105 +1,106 @@
version: 1.0
condition: command_exists "osqueryi"
output_directory: /osquery
artifacts:
-
description: Collect local users in json format
description: Collect local users in json format.
supported_os: [linux]
collector: command
command: osqueryi --json 'SELECT * FROM users;'
command: osqueryi --json 'SELECT * FROM users;'
output_file: users.json
-
description: Collect rpm packages in json format
description: Collect rpm packages in json format.
supported_os: [linux]
collector: command
command: osqueryi --json 'SELECT * FROM rpm_packages;'
command: osqueryi --json 'SELECT * FROM rpm_packages;'
output_file: rpm_packages.json
-
description: Collect processes in json format
description: Collect processes in json format.
supported_os: [linux]
collector: command
command: osqueryi --json 'SELECT p.path, p.name, p.cmdline, p.on_disk, p.uid, u.username, h.md5, h.sha1, h.sha256 FROM processes AS p LEFT JOIN hash AS h ON p.path = h.path LEFT JOIN users AS u ON p.uid = u.uid;'
output_file: processes.json
-
description: Collect startup items in json format
description: Collect startup items in json format.
supported_os: [linux]
collector: command
command: osqueryi --json 'SELECT * FROM startup_items;'
command: osqueryi --json 'SELECT * FROM startup_items;'
output_file: startup_items.json
-
description: Collect systemd units in json format
description: Collect systemd units in json format.
supported_os: [linux]
collector: command
command: osqueryi --json 'SELECT * FROM systemd_units;'
command: osqueryi --json 'SELECT * FROM systemd_units;'
output_file: systemd_units.json
-
description: Collect crontab in json format
description: Collect crontab in json format.
supported_os: [linux]
collector: command
command: osqueryi --json 'SELECT * FROM crontab;'
command: osqueryi --json 'SELECT * FROM crontab;'
output_file: crontab.json
-
description: Collect etc_hosts in json format
description: Collect etc_hosts in json format.
supported_os: [linux]
collector: command
command: osqueryi --json 'SELECT * FROM etc_hosts;'
command: osqueryi --json 'SELECT * FROM etc_hosts;'
output_file: etc_hosts.json
-
description: Collect kernel modules in json format
description: Collect kernel modules in json format.
supported_os: [linux]
collector: command
command: osqueryi --json 'SELECT * FROM kernel_modules;'
command: osqueryi --json 'SELECT * FROM kernel_modules;'
output_file: kernel_modules.json
-
description: Collect mounts in json format
description: Collect mounts in json format.
supported_os: [linux]
collector: command
command: osqueryi --json 'SELECT * FROM mounts;'
command: osqueryi --json 'SELECT * FROM mounts;'
output_file: mounts.json
-
description: Collect suid bin in json format
description: Collect suid bin in json format.
supported_os: [linux]
collector: command
command: osqueryi --json 'SELECT * FROM suid_bin;'
command: osqueryi --json 'SELECT * FROM suid_bin;'
output_file: suid_bin.json
-
description: Collect process memory map in json format
description: Collect process memory map in json format.
supported_os: [linux]
collector: command
command: osqueryi --json 'SELECT * FROM process_memory_map;'
command: osqueryi --json 'SELECT * FROM process_memory_map;'
output_file: process_memory_map.json
-
description: Collect arp cache in json format
description: Collect arp cache in json format.
supported_os: [linux]
collector: command
command: osqueryi --json 'SELECT * FROM arp_cache;'
command: osqueryi --json 'SELECT * FROM arp_cache;'
output_file: arp_cache.json
-
description: Collect yum sources in json format
description: Collect yum sources in json format.
supported_os: [linux]
collector: command
command: osqueryi --json 'SELECT * FROM yum_sources;'
command: osqueryi --json 'SELECT * FROM yum_sources;'
output_file: yum_sources.json
-
description: Collect dns resolvers in json format
description: Collect dns resolvers in json format.
supported_os: [linux]
collector: command
command: osqueryi --json 'SELECT * FROM dns_resolvers;'
command: osqueryi --json 'SELECT * FROM dns_resolvers;'
output_file: dns_resolvers.json
-
description: Collect process open sockets in json format
description: Collect process open sockets in json format.
supported_os: [linux]
collector: command
command: osqueryi --json 'SELECT DISTINCT p.pid, p.name AS process_name, p.cmdline AS command_line, p.uid AS user_id, u.username AS username, s.local_address, s.local_port, s.remote_address, s.remote_port, s.path FROM process_open_sockets AS s LEFT JOIN processes AS p ON s.pid = p.pid LEFT JOIN users AS u ON p.uid = u.uid;'
output_file: process_open_sockets.json
-
description: Collect process open files in json format
description: Collect process open files in json format.
supported_os: [linux]
collector: command
command: osqueryi --json 'SELECT DISTINCT o.path AS file, o.pid, p.name AS process_name, p.cmdline, p.uid, u.username FROM process_open_files AS o LEFT JOIN processes AS p ON o.pid = p.pid LEFT JOIN users AS u ON p.uid = u.uid;'
command: osqueryi --json 'SELECT DISTINCT o.path AS file, o.pid, p.name AS process_name, p.cmdline, p.uid, u.username FROM process_open_files AS o LEFT JOIN processes AS p ON o.pid = p.pid LEFT JOIN users AS u ON p.uid = u.uid;'
output_file: process_open_files.json
-
description: Collect authorized keys in json format
description: Collect authorized keys in json format.
supported_os: [linux]
collector: command
command: osqueryi --json 'SELECT a.key_file, a.key, a.algorithm, u.uid, u.username FROM authorized_keys AS a LEFT JOIN users AS u ON u.uid = a.uid;'
output_file: authorized_keys.json
command: osqueryi --json 'SELECT a.key_file, a.key, a.algorithm, u.uid, u.username FROM authorized_keys AS a LEFT JOIN users AS u ON u.uid = a.uid;'
output_file: authorized_keys.json
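Review bot: `command: osqueryi --json 'SELECT * FROM process_memory_map;'` returns one row per mapped region for every process on the host, so on a busy server this single artifact can dwarf the rest of the osquery output; consider restricting the column list or leaving this artifact out of the triage profile and keeping it for full collections only. The `processes` query on the first unchanged line also joins the `hash` table, which reads and hashes (md5, sha1, sha256) the on-disk executable of every running process, a non-trivial I/O cost on a live system that is worth a comment in the artifact description. Separately, most of this hunk is pairs of textually identical lines (for example `command: osqueryi --json 'SELECT * FROM users;'` removed and re-added), i.e. whitespace-only reindentation, interleaved with the substantive change of adding a trailing period to every `description:`; splitting formatting-only changes from content changes would make the diff reviewable.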
Binary file removed bin/linux/osqueryi
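Review bot: with `bin/linux/osqueryi` removed, the artifact's `condition: command_exists "osqueryi"` now depends entirely on the operator staging the binary before collection; when it is absent the artifact is skipped silently rather than failing, so an operator who expects osquery output in the `/osquery` directory will only discover the gap after the fact. A log line or a note in the profile comments stating that `osquery/osquery.yaml` requires a manually supplied `osqueryi` would make that visible at collection time.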
1 change: 1 addition & 0 deletions profiles/full.yaml
Expand Up @@ -26,5 +26,6 @@ artifacts:
- live_response/vms/*
- chkrootkit/*
- hash_executables/hash_executables.yaml
- osquery/osquery.yaml
- files/*

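Review bot: `osquery/osquery.yaml` is inserted directly after `hash_executables/hash_executables.yaml`, and the osquery `processes` artifact in this same commit hashes every running process binary through osquery's `hash` table; in the full profile this means executables of running processes are read and hashed twice (once by `hash_executables`, once by osquery), so consider whether the osquery query should drop the `hash` join when it runs alongside `hash_executables`, or document the overlap.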
1 change: 1 addition & 0 deletions profiles/ir_triage.yaml
Expand Up @@ -26,6 +26,7 @@ artifacts:
- live_response/vms/*
- chkrootkit/*
- hash_executables/hash_executables.yaml
- osquery/osquery.yaml
- files/applications/git.yaml
- files/applications/lesshst.yaml
- files/applications/viminfo.yaml
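Review bot: the commit message says it updates "full and ir_profile", but the file changed here is `profiles/ir_triage.yaml`; naming the actual profile in the message would keep `git log` searchable. Also, because the `osqueryi` binary is removed in this same commit, the triage profile now lists an artifact that is a no-op on a stock UAC package unless the operator stages `osqueryi` in `bin`; a one-line comment next to `- osquery/osquery.yaml` stating that requirement would save a responder from wondering why `/osquery` is missing from a triage collection.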
