From 4a18f2faee164f9f55ef4998840203e72a5b4d22 Mon Sep 17 00:00:00 2001
From: Javier Marcos
Date: Fri, 6 Nov 2020 14:19:34 +0100
Subject: [PATCH] osquery 4.5.1
---
 admin/handlers/get.go | 2 +-
 admin/main.go | 2 +-
 deploy/docker/admin/Dockerfile | 2 +-
 deploy/docker/nodes/centos6/Dockerfile | 2 +-
 deploy/docker/nodes/centos7/Dockerfile | 2 +-
 deploy/docker/nodes/debian8/Dockerfile | 2 +-
 deploy/docker/nodes/debian9/Dockerfile | 2 +-
 deploy/docker/nodes/ubuntu16/Dockerfile | 2 +-
 deploy/docker/nodes/ubuntu18/Dockerfile | 2 +-
 .../osquery/data/{4.4.0.json => 4.5.1.json} | 551 +++++++++++++++++-
 deploy/provision.sh | 2 +-
 tls/scripts/quick-add.ps1 | 4 +-
 tls/scripts/quick-add.sh | 6 +-
 13 files changed, 548 insertions(+), 33 deletions(-)
 rename deploy/osquery/data/{4.4.0.json => 4.5.1.json} (97%)
diff --git a/admin/handlers/get.go b/admin/handlers/get.go
index 20b15ec1..f2e57068 100644
--- a/admin/handlers/get.go
+++ b/admin/handlers/get.go
@@ -17,7 +17,7 @@ import (
 // osquery
 const (
 // osquery version to display tables
- osqueryTablesVersion string = "4.4.0"
+ osqueryTablesVersion string = "4.5.1"
 // JSON file with osquery tables data
 osqueryTablesFile string = "data/" + osqueryTablesVersion + ".json"
 // Carved files folder
diff --git a/admin/main.go b/admin/main.go
index b7cc3ad6..e79babf9 100644
--- a/admin/main.go
+++ b/admin/main.go
@@ -84,7 +84,7 @@ const (
 // osquery
 const (
 // osquery version to display tables
- osqueryTablesVersion string = "4.4.0"
+ osqueryTablesVersion string = "4.5.1"
 // JSON file with osquery tables data
 osqueryTablesFile string = "data/" + osqueryTablesVersion + ".json"
 )
diff --git a/deploy/docker/admin/Dockerfile b/deploy/docker/admin/Dockerfile
index 6a19cd6d..774ccc9c 100644
--- a/deploy/docker/admin/Dockerfile
+++ b/deploy/docker/admin/Dockerfile
@@ -15,7 +15,7 @@ COPY admin/templates/components/page-head-online.html tmpl_admin/components/page
 COPY admin/templates/components/page-js-online.html tmpl_admin/components/page-js.html
 COPY admin/static/ static
-COPY deploy/osquery/data/4.4.0.json data/
+COPY deploy/osquery/data/4.5.1.json data/
 COPY deploy/osquery/osquery-cfg.json data/
 RUN mkdir -p carved_files
diff --git a/deploy/docker/nodes/centos6/Dockerfile b/deploy/docker/nodes/centos6/Dockerfile
index f4a07782..d7b0d6fd 100644
--- a/deploy/docker/nodes/centos6/Dockerfile
+++ b/deploy/docker/nodes/centos6/Dockerfile
@@ -1,7 +1,7 @@
 FROM centos:6
 LABEL maintainer="javuto"
-RUN curl -# "https://osquery-packages.s3.amazonaws.com/rpm/osquery-4.4.0-1.linux.x86_64.rpm" -o "/tmp/osquery.rpm"
+RUN curl -# "https://osquery-packages.s3.amazonaws.com/rpm/osquery-4.5.1-1.linux.x86_64.rpm" -o "/tmp/osquery.rpm"
 RUN rpm -ivh "/tmp/osquery.rpm"
 COPY deploy/docker/nodes/centos6/wait.sh .
diff --git a/deploy/docker/nodes/centos7/Dockerfile b/deploy/docker/nodes/centos7/Dockerfile
index f89341af..4d370d9c 100644
--- a/deploy/docker/nodes/centos7/Dockerfile
+++ b/deploy/docker/nodes/centos7/Dockerfile
@@ -1,7 +1,7 @@
 FROM centos:7
 LABEL maintainer="javuto"
-RUN curl -# "https://osquery-packages.s3.amazonaws.com/rpm/osquery-4.4.0-1.linux.x86_64.rpm" -o "/tmp/osquery.rpm"
+RUN curl -# "https://osquery-packages.s3.amazonaws.com/rpm/osquery-4.5.1-1.linux.x86_64.rpm" -o "/tmp/osquery.rpm"
 RUN rpm -ivh "/tmp/osquery.rpm"
 COPY deploy/docker/nodes/centos7/wait.sh .
diff --git a/deploy/docker/nodes/debian8/Dockerfile b/deploy/docker/nodes/debian8/Dockerfile
index fe1fcc38..71be8a43 100644
--- a/deploy/docker/nodes/debian8/Dockerfile
+++ b/deploy/docker/nodes/debian8/Dockerfile
@@ -3,7 +3,7 @@ LABEL maintainer="javuto"
 RUN apt update && apt install -y curl
-RUN curl -# "https://osquery-packages.s3.amazonaws.com/deb/osquery_4.4.0_1.linux.amd64.deb" -o "/tmp/osquery.deb"
+RUN curl -# "https://osquery-packages.s3.amazonaws.com/deb/osquery_4.5.1_1.linux.amd64.deb" -o "/tmp/osquery.deb"
 RUN dpkg -i "/tmp/osquery.deb"
 COPY deploy/docker/nodes/debian8/wait.sh .
diff --git a/deploy/docker/nodes/debian9/Dockerfile b/deploy/docker/nodes/debian9/Dockerfile
index c4e83464..36dbdde4 100644
--- a/deploy/docker/nodes/debian9/Dockerfile
+++ b/deploy/docker/nodes/debian9/Dockerfile
@@ -3,7 +3,7 @@ LABEL maintainer="javuto"
 RUN apt update && apt install -y curl
-RUN curl -# "https://osquery-packages.s3.amazonaws.com/deb/osquery_4.4.0_1.linux.amd64.deb" -o "/tmp/osquery.deb"
+RUN curl -# "https://osquery-packages.s3.amazonaws.com/deb/osquery_4.5.1_1.linux.amd64.deb" -o "/tmp/osquery.deb"
 RUN dpkg -i "/tmp/osquery.deb"
 COPY deploy/docker/nodes/debian9/wait.sh .
diff --git a/deploy/docker/nodes/ubuntu16/Dockerfile b/deploy/docker/nodes/ubuntu16/Dockerfile
index 8d35851d..52b627df 100644
--- a/deploy/docker/nodes/ubuntu16/Dockerfile
+++ b/deploy/docker/nodes/ubuntu16/Dockerfile
@@ -3,7 +3,7 @@ LABEL maintainer="javuto"
 RUN apt update && apt install -y curl
-RUN curl -# "https://osquery-packages.s3.amazonaws.com/deb/osquery_4.4.0_1.linux.amd64.deb" -o "/tmp/osquery.deb"
+RUN curl -# "https://osquery-packages.s3.amazonaws.com/deb/osquery_4.5.1_1.linux.amd64.deb" -o "/tmp/osquery.deb"
 RUN dpkg -i "/tmp/osquery.deb"
 COPY deploy/docker/nodes/ubuntu16/wait.sh .
diff --git a/deploy/docker/nodes/ubuntu18/Dockerfile b/deploy/docker/nodes/ubuntu18/Dockerfile
index 65a232c1..0f9f7a8b 100644
--- a/deploy/docker/nodes/ubuntu18/Dockerfile
+++ b/deploy/docker/nodes/ubuntu18/Dockerfile
@@ -3,7 +3,7 @@ LABEL maintainer="javuto"
 RUN apt update && apt install -y curl
-RUN curl -# "https://osquery-packages.s3.amazonaws.com/deb/osquery_4.4.0_1.linux.amd64.deb" -o "/tmp/osquery.deb"
+RUN curl -# "https://osquery-packages.s3.amazonaws.com/deb/osquery_4.5.1_1.linux.amd64.deb" -o "/tmp/osquery.deb"
 RUN dpkg -i "/tmp/osquery.deb"
 COPY deploy/docker/nodes/ubuntu18/wait.sh .
diff --git a/deploy/osquery/data/4.4.0.json b/deploy/osquery/data/4.5.1.json
similarity index 97%
rename from deploy/osquery/data/4.4.0.json
rename to deploy/osquery/data/4.5.1.json
index 45a3a3a8..618f0309 100644
--- a/deploy/osquery/data/4.4.0.json
+++ b/deploy/osquery/data/4.5.1.json
@@ -300,6 +300,194 @@ } ] }, + { + "name":"apparmor_events", + "description":"Track AppArmor events.", + "url":"https://github.com/osquery/osquery/blob/master/specs/linux/apparmor_events.table", + "platforms":[ + "linux" + ], + "evented":true, + "cacheable":false, + "columns":[ + { + "name":"type", + "description":"Event type", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"message", + "description":"Raw audit message", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"time", + "description":"Time of execution in UNIX time", + "type":"bigint", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"uptime", + "description":"Time of execution in system uptime", + "type":"bigint", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"eid", + "description":"Event ID", + "type":"text", + "hidden":true, + "required":false, + "index":false + }, + { + "name":"apparmor", + "description":"Apparmor Status like ALLOWED, DENIED etc.", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"operation", + "description":"Permission requested by the process", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"parent", + "description":"Parent process PID", + "type":"unsigned_bigint", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"profile", + "description":"Apparmor profile name", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"name", + "description":"Process name", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"pid", + "description":"Process ID", + "type":"unsigned_bigint", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"comm", + "description":"Command-line name of the command that was used to invoke the analyzed process", + "type":"text", + "hidden":false, + 
"required":false, + "index":false + }, + { + "name":"denied_mask", + "description":"Denied permissions for the process", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"capname", + "description":"Capability requested by the process", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"fsuid", + "description":"Filesystem user ID", + "type":"unsigned_bigint", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"ouid", + "description":"Object owner's user ID", + "type":"unsigned_bigint", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"capability", + "description":"Capability number", + "type":"bigint", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"requested_mask", + "description":"Requested access mask", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"info", + "description":"Additional information", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"error", + "description":"Error information", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"namespace", + "description":"AppArmor namespace", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"label", + "description":"AppArmor label", + "type":"text", + "hidden":false, + "required":false, + "index":false + } + ] + }, { "name":"apparmor_profiles", "description":"Track active AppArmor profiles.", 
@@ -1415,6 +1603,42 @@ } ] }, + { + "name":"background_activities_moderator", + "description":"Background Activities Moderator (BAM) tracks application execution.", + "url":"https://github.com/osquery/osquery/blob/master/specs/windows/background_activities_moderator.table", + "platforms":[ + "windows" + ], + "evented":false, + "cacheable":false, + "columns":[ + { + "name":"path", + "description":"Application file path.", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"last_execution_time", + "description":"Most recent time application was executed.", + "type":"integer", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"sid", + "description":"User SID.", + "type":"text", + "hidden":false, + "required":false, + "index":false + } + ] + }, { "name":"battery", "description":"Provides information about the internal battery of a Macbook.", @@ -2017,7 +2241,7 @@ }, { "name":"carves", - "description":"Forensic Carves.", + "description":"List the set of completed and in-progress carves. If carve=1 then the query is treated as a new carve request.", "url":"https://github.com/osquery/osquery/blob/master/specs/carves.table", "platforms":[ "darwin", @@ -2057,7 +2281,7 @@ "description":"The path of the requested carve", "type":"text", "hidden":false, - "required":true, + "required":false, "index":false }, { @@ -2295,8 +2519,8 @@ }, { "name":"chassis_types", - "description":"The type of chassis, such as Desktop or Laptop.", - "type":"integer", + "description":"A comma-separated list of chassis types, such as Desktop or Laptop.", + "type":"text", "hidden":false, "required":false, "index":false 
@@ -2334,9 +2558,9 @@ "index":false }, { - "name":"security_status", - "description":"The physical status of the chassis such as breached, not breached, etc.", - "type":"integer", + "name":"security_breach", + "description":"The physical status of the chassis such as Breach Successful, Breach Attempted, etc.", + "type":"text", "hidden":false, "required":false, "index":false @@ -3475,7 +3699,7 @@ "index":false }, { - "name":"certificate_version", + "name":"version", "description":"Version Number", "type":"integer", "hidden":false, @@ -3531,7 +3755,7 @@ "index":false }, { - "name":"certificate_policies", + "name":"policies", "description":"Certificate Policies", "type":"text", "hidden":false, @@ -3579,7 +3803,7 @@ "index":false }, { - "name":"certificate_has_expired", + "name":"has_expired", "description":"1 if the certificate has expired, 0 otherwise", "type":"integer", "hidden":false, @@ -3619,7 +3843,15 @@ "index":false }, { - "name":"certificate_pem", + "name":"timeout", + "description":"Set this value to the timeout in seconds to complete the TLS handshake (default 4s, use 0 for no timeout)", + "type":"integer", + "hidden":true, + "required":false, + "index":false + }, + { + "name":"pem", "description":"Certificate PEM format", "type":"text", "hidden":false, 
@@ -4396,6 +4628,42 @@ } ] }, + { + "name":"dns_cache", + "description":"Enumerate the DNS cache using the undocumented DnsGetCacheDataTable function in dnsapi.dll.", + "url":"https://github.com/osquery/osquery/blob/master/specs/windows/dns_cache.table", + "platforms":[ + "windows" + ], + "evented":false, + "cacheable":false, + "columns":[ + { + "name":"name", + "description":"DNS record name", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"type", + "description":"DNS record type", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"flags", + "description":"DNS record flags", + "type":"integer", + "hidden":false, + "required":false, + "index":false + } + ] + }, { "name":"dns_resolvers", "description":"Resolvers used by this host.", @@ -7255,6 +7523,14 @@ "required":false, "index":false }, + { + "name":"file_version", + "description":"File version", + "type":"text", + "hidden":true, + "required":false, + "index":false + }, { "name":"product_version", "description":"File product version", @@ -11688,7 +11964,7 @@ }, { "name":"check_array_progress", - "description":"Progress of the resync activity", + "description":"Progress of the check array activity", "type":"text", "hidden":false, "required":false, @@ -11696,7 +11972,7 @@ }, { "name":"check_array_finish", - "description":"Estimated duration of resync activity", + "description":"Estimated duration of the check array activity", "type":"text", "hidden":false, "required":false, @@ -11704,7 +11980,7 @@ }, { "name":"check_array_speed", - "description":"Speed of resync activity", + "description":"Speed of the check array activity", "type":"text", "hidden":false, "required":false, 
@@ -13063,6 +13339,61 @@ } ] }, + { + "name":"office_mru", + "description":"View recently opened Office documents.", + "url":"https://github.com/osquery/osquery/blob/master/specs/office_mru.table", + "platforms":[ + "darwin", + "linux", + "windows", + "freebsd" + ], + "evented":false, + "cacheable":false, + "columns":[ + { + "name":"application", + "description":"Associated Office application", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"version", + "description":"Office application version number", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"path", + "description":"File path", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"last_opened_time", + "description":"Most recent opened time file was opened", + "type":"integer", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"sid", + "description":"User SID", + "type":"text", + "hidden":false, + "required":false, + "index":false + } + ] + }, { "name":"opera_extensions", "description":"Opera browser extensions.", @@ -13252,7 +13583,7 @@ { "name":"install_date", "description":"The install date of the OS.", - "type":"text", + "type":"bigint", "hidden":true, "required":false, "index":false @@ -16017,7 +16348,7 @@ }, { "name":"cpu_type", - "description":"A 64bit pid that is never reused. Returns -1 if we couldn't gather them from the system.", + "description":"Indicates the specific processor designed for installation.", "type":"integer", "hidden":false, "required":false, @@ -16025,7 +16356,7 @@ }, { "name":"cpu_subtype", - "description":"The 64bit parent pid that is never reused. Returns -1 if we couldn't gather them from the system.", + "description":"Indicates the specific processor on which an entry may be used.", "type":"integer", "hidden":false, "required":false, 
@@ -17633,6 +17964,50 @@ } ] }, + { + "name":"shimcache", + "description":"Application Compatibility Cache, contains artifacts of execution.", + "url":"https://github.com/osquery/osquery/blob/master/specs/windows/shimcache.table", + "platforms":[ + "windows" + ], + "evented":false, + "cacheable":false, + "columns":[ + { + "name":"entry", + "description":"Execution order.", + "type":"integer", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"path", + "description":"This is the path to the executed file.", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"modified_time", + "description":"File Modified time.", + "type":"integer", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"execution_flag", + "description":"Boolean Execution flag, 1 for execution, 0 for no execution, -1 for missing (this flag does not exist on Windows 10 and higher).", + "type":"integer", + "hidden":false, + "required":false, + "index":false + } + ] + }, { "name":"signature", "description":"File (executable, bundle, installer, disk) code signing status.", @@ -19557,7 +19932,7 @@ { "name":"driver_date", "description":"The date listed on the installed driver.", - "type":"text", + "type":"bigint", "hidden":false, "required":false, "index":false 
@@ -20324,6 +20699,130 @@ } ] }, + { + "name":"windows_eventlog", + "description":"Table for querying all recorded Windows event logs.", + "url":"https://github.com/osquery/osquery/blob/master/specs/windows/windows_eventlog.table", + "platforms":[ + "windows" + ], + "evented":false, + "cacheable":false, + "columns":[ + { + "name":"channel", + "description":"Source or channel of the event", + "type":"text", + "hidden":false, + "required":true, + "index":false + }, + { + "name":"datetime", + "description":"System time at which the event occurred", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"task", + "description":"Task value associated with the event", + "type":"integer", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"level", + "description":"Severity level associated with the event", + "type":"integer", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"provider_name", + "description":"Provider name of the event", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"provider_guid", + "description":"Provider guid of the event", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"eventid", + "description":"Event ID of the event", + "type":"integer", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"keywords", + "description":"A bitmask of the keywords defined in the event", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"data", + "description":"Data associated with the event", + "type":"text", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"pid", + "description":"Process ID which emitted the event record", + "type":"integer", + "hidden":false, + "required":false, + "index":false + }, + { + "name":"tid", + "description":"Thread ID which emitted the event record", + "type":"integer", + "hidden":false, + 
"required":false, + "index":false + }, + { + "name":"time_range", + "description":"System time to selectively filter the events", + "type":"text", + "hidden":true, + "required":false, + "index":false + }, + { + "name":"timestamp", + "description":"Timestamp to selectively filter the events", + "type":"text", + "hidden":true, + "required":false, + "index":false + }, + { + "name":"xpath", + "description":"The custom query to filter events", + "type":"text", + "hidden":true, + "required":true, + "index":false + } + ] + }, { "name":"windows_events", "description":"Windows Event logs.",
@@ -21031,6 +21530,14 @@ "required":false, "index":false }, + { + "name":"sigrule", + "description":"Signature strings used", + "type":"text", + "hidden":true, + "required":false, + "index":false + }, { "name":"strings", "description":"Matching strings",
@@ -21046,6 +21553,14 @@ "hidden":false, "required":false, "index":false + }, + { + "name":"sigurl", + "description":"Signature url", + "type":"text", + "hidden":true, + "required":false, + "index":false + } ] },
diff --git a/deploy/provision.sh b/deploy/provision.sh
index 5f873a62..5048c551 100755
--- a/deploy/provision.sh
+++ b/deploy/provision.sh
@@ -675,7 +675,7 @@ else
 sudo chown osctrl.osctrl "$DEST_PATH/carved_files"
 # Copy osquery tables JSON file
- sudo cp "$SOURCE_PATH/deploy/osquery/data/4.4.0.json" "$DEST_PATH/data"
+ sudo cp "$SOURCE_PATH/deploy/osquery/data/4.5.1.json" "$DEST_PATH/data"
 # Copy empty configuration
 sudo cp "$SOURCE_PATH/deploy/osquery/osquery-empty.json" "$DEST_PATH/data"
diff --git a/tls/scripts/quick-add.ps1 b/tls/scripts/quick-add.ps1
index 2174a4ee..699b6cc1 100644
--- a/tls/scripts/quick-add.ps1
+++ b/tls/scripts/quick-add.ps1
@@ -24,8 +24,8 @@ $osqueryDaemon = (Join-Path $daemonFolder "osqueryd.exe")
 $secretFile = (Join-Path $osqueryPath "{{ .Project }}.secret")
 $flagsFile = (Join-Path $osqueryPath "osquery.flags")
 $certFile = (Join-Path $osqueryPath "{{ .Project }}.crt")
-$osqueryMSI = "https://osquery-packages.s3.amazonaws.com/windows/osquery-4.4.0.msi"
-$osqueryTempMSI = "C:\Windows\Temp\osquery-4.4.0.msi"
+$osqueryMSI = "https://osquery-packages.s3.amazonaws.com/windows/osquery-4.5.1.msi"
+$osqueryTempMSI = "C:\Windows\Temp\osquery-4.5.1.msi"
 #$osqueryMSISize = 9953280
 $serviceName = "osqueryd"
 $serviceDescription = "osquery daemon service"
diff --git a/tls/scripts/quick-add.sh b/tls/scripts/quick-add.sh
index 2692e8ae..94d75fa0 100644
--- a/tls/scripts/quick-add.sh
+++ b/tls/scripts/quick-add.sh
@@ -21,9 +21,9 @@ _SECRET_FREEBSD=/usr/local/etc/${_PROJECT}.secret
 _FLAGS_FREEBSD=/usr/local/etc/osquery.flags
 _CERT_FREEBSD=/usr/local/etc/certs/${_PROJECT}.crt
-_OSQUERY_PKG="https://osquery-packages.s3.amazonaws.com/darwin/osquery-4.4.0.pkg"
-_OSQUERY_DEB="https://osquery-packages.s3.amazonaws.com/deb/osquery_4.4.0_1.linux.amd64.deb"
-_OSQUERY_RPM="https://osquery-packages.s3.amazonaws.com/rpm/osquery-4.4.0-1.linux.x86_64.rpm"
+_OSQUERY_PKG="https://osquery-packages.s3.amazonaws.com/darwin/osquery-4.5.1.pkg"
+_OSQUERY_DEB="https://osquery-packages.s3.amazonaws.com/deb/osquery_4.5.1_1.linux.amd64.deb"
+_OSQUERY_RPM="https://osquery-packages.s3.amazonaws.com/rpm/osquery-4.5.1-1.linux.x86_64.rpm"
 _OSQUERY_SERVICE_LINUX="osqueryd"
 _OSQUERY_SERVICE_OSX="com.facebook.osqueryd"