update windows, linux and macos query pack (#136)

so that we align the queries in the query packs windows, linux and macos Signed-off-by: Patrick Münch <[email protected]>
mondoohq · Jan 26, 2024 · 5e5504c · 5e5504c
1 parent b1e2f25
commit 5e5504c
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 12 deletions.
diff --git a/core/mondoo-linux-inventory.mql.yaml b/core/mondoo-linux-inventory.mql.yaml
@@ -4,7 +4,7 @@
 packs:
   - uid: mondoo-linux-inventory
     name: Linux Inventory Pack
-    version: 1.5.0
+    version: 1.6.0
     license: BUSL-1.1
     authors:
       - name: Mondoo, Inc
@@ -39,7 +39,7 @@ packs:
     queries:
       - uid: mondoo-linux-asset-info
         title: Asset information
-        mql: asset { kind title platform name arch runtime }
+        mql: asset { kind title platform name arch runtime version }
       - uid: mondoo-linux-hostname
         title: Hostname
         mql: os.hostname
@@ -62,14 +62,15 @@ packs:
         mql: kernel.info
       - uid: mondoo-linux-kernel-modules
         title: Kernel modules
+        filters: mondoo.capabilities.contains("run-command")
         mql: kernel.modules { name loaded }
       - uid: mondoo-linux-processes
         title: Running processes
         filters: mondoo.capabilities.contains("run-command")
         mql: processes { pid command flags }
       - uid: mondoo-linux-mounts
         title: Mounted devices
-        mql: mount.list
+        mql: mount.list { path fstype device options }
       - uid: mondoo-linux-listening-ports
         title: Listening ports
         filters: mondoo.capabilities.contains("run-command")
@@ -84,9 +85,10 @@ packs:
         mql: os.uptime
       - uid: mondoo-linux-installed-packages
         title: Installed packages
-        mql: packages
+        mql: packages { name version arch installed }
       - uid: mondoo-linux-running-services
         title: Running services
+        filters: mondoo.capabilities.contains("run-command")
         mql: services.where(running == true) { name running enabled masked type }
       - uid: mondoo-linux-interface-configuration
         title: Network interface configuration

diff --git a/core/mondoo-macos-inventory.mql.yaml b/core/mondoo-macos-inventory.mql.yaml
@@ -4,7 +4,7 @@
 packs:
   - uid: mondoo-macos-inventory
     name: macOS Inventory Pack
-    version: 1.3.0
+    version: 1.4.0
     license: BUSL-1.1
     authors:
       - name: Mondoo, Inc
@@ -67,21 +67,46 @@ packs:
       - uid: mondoo-hostname
         title: Hostname
         mql: os.hostname
+      - uid: mondoo-macos-uptime
+        title: Operating system uptime
+        filters: mondoo.capabilities.contains("run-command")
+        mql: os.uptime
+      - uid: mondoo-macos-processes
+        title: Running processes
+        filters: mondoo.capabilities.contains("run-command")
+        mql: processes { pid command flags }
+      - uid: mondoo-macos-kernel-modules
+        title: Kernel modules
+        filters: mondoo.capabilities.contains("run-command")
+        mql: kernel.modules { name loaded }
+      - uid: mondoo-macos-mounts
+        title: Mounted devices
+        mql: mount.list { path fstype device options }
       - uid: mondoo-macos-users
         title: Regular users
         mql: users.where( name != /^_/ && shell != "/usr/bin/false" && name != "root")
       - uid: mondoo-macos-packages
         title: Installed packages
-        mql: packages
+        mql: packages { name version arch installed }
       - uid: mondoo-macos-running-services
         title: Running services
+        filters: mondoo.capabilities.contains("run-command")
         mql: services.where(running == true) { name running enabled masked type }
       - uid: mondoo-macos-ports-listening
         title: Listening ports
+        filters: mondoo.capabilities.contains("run-command")
         mql: ports.where(state != "close") { user state port address protocol process remoteAddress remotePort }
+      - uid: mondoo-macos-active-connections
+        title: Active network connections
+        filters: mondoo.capabilities.contains("run-command")
+        query: ports.where(state != "close") { user state port address protocol process remoteAddress remotePort }
       - uid: mondoo-macos-interface-configuration
         title: Network interface configuration
+        filters: mondoo.capabilities.contains("run-command")
         mql: command("ifconfig").stdout
+      - uid: mondoo-macos-sshd-interface-configuration
+        title: sshd configuration
+        mql: sshd.config.params
       - uid: mondoo-macos-recommended-software-updates
         title: Recommended software updates
         mql: parse.plist('/Library/Preferences/com.apple.SoftwareUpdate.plist').params['RecommendedUpdates']

diff --git a/core/mondoo-windows-inventory.mql.yaml b/core/mondoo-windows-inventory.mql.yaml
@@ -4,7 +4,7 @@
 packs:
   - uid: mondoo-windows-asset-inventory
     name: Windows Asset Inventory Pack
-    version: 1.5.0
+    version: 1.6.0
     license: BUSL-1.1
     authors:
       - name: Mondoo, Inc
@@ -39,16 +39,24 @@ packs:
     queries:
       - uid: mondoo-windows-asset-info
         title: Asset information
-        mql: asset { kind title platform name arch runtime }
+        mql: asset { kind title platform name arch runtime version }
       - uid: mondoo-windows-hostname
         title: Hostname
         mql: os.hostname
+      - uid: mondoo-windows-uptime
+        title: Operating system uptime
+        filters: mondoo.capabilities.contains("run-command")
+        mql: os.uptime
+      - uid: mondoo-windows-processes
+        title: Running processes
+        filters: mondoo.capabilities.contains("run-command")
+        mql: processes { pid executable }
       - uid: mondoo-windows-users
         title: Regular users
         mql: users
       - uid: mondoo-windows-packages
         title: Installed packages
-        mql: packages
+        mql: packages { name version arch installed }
       - uid: mondoo-windows-hotfixes
         title: All installed Windows hotfixes
         mql: windows.hotfixes { hotfixId installedOn }
@@ -57,7 +65,8 @@ packs:
         mql: windows.features.where(installed == true) { path name displayName }
       - uid: mondoo-windows-running-services
         title: Running services
-        mql: services.where(running == true)
+        filters: mondoo.capabilities.contains("run-command")
+        mql: services.where(running == true) { name running enabled masked type }
       - uid: mondoo-windows-ports-listening
         title: Listening ports
         filters: mondoo.capabilities.contains("run-command")
@@ -76,12 +85,12 @@ packs:
         title: Installed Security Products
         filters: |
           windows.computerInfo['OsProductType'] == 1
-        mql: windows.security.products { state type name productState signatureState timestamp }
+        mql: windows.security.products { guid state type name productState signatureState timestamp }
       - uid: mondoo-windows-bitlocker-volumes
         title: Bitlocker Volumes
         filters: |
           windows.computerInfo['OsProductType'] == 1
-        mql: windows.bitlocker.volumes { driveLetter encryptionMethod protectionStatus conversionStatus }
+        mql: windows.bitlocker.volumes { deviceID driveLetter encryptionMethod version persistentVolumeID protectionStatus lockStatus conversionStatus }
       - uid: mondoo-windows-security-center-health
         title: Windows Security Health Information
         filters: |
@@ -120,3 +129,7 @@ packs:
       - uid: mondoo-windows-smbios-chassis
         title: SMBIOS Chassis information
         mql: machine.chassis { manufacturer serial version assetTag }
+      - uid: mondoo-windows-scheduled-tasks
+        title: Scheduled tasks
+        mql: |
+          parse.json(content: powershell("Get-ScheduledTask | ConvertTo-Json").stdout).params