go.mondoo.com/cnquery@v0.0.0-20231005093811-59568235f6ea/examples/complex.mql.yaml (about)

     1  # Copyright (c) Mondoo, Inc.
     2  # SPDX-License-Identifier: BUSL-1.1
     3  
     4  # Note: this is a deliberately complex query pack, designed to
     5  # show off some of the more advanced features. It is meant as a demo only.
     6  packs:
     7  - uid: mixed-os
          # Pack-level filter: only assets whose family contains "unix" are matched.
     8    filters:
     9    - asset.family.contains("unix")
    10  
    11    # Queries can be grouped together, which gives us additional filters on each group.
    12    # For example: the first group is for macOS only, the second is for Linux.
    13    groups:
    14      - filters: asset.platform == "macos"
    15        queries:
    16          # This is a fully embedded query with a title and description
    17          - uid: packages-ssl
    18            title: Find all SSL packages
    19            desc: This is a filtered query of packages, which only focuses on SSL.
    20            mql: |
    21              packages.
    22                where(name == /ssl/i)
    23            # Note: the little 'i' after the regex makes it case-insensitive.
                  # The pattern has no anchors, so it presumably matches any package
                  # whose name contains "ssl", not only an exact name - confirm.
    24  
    25      # This is the second group of queries
    26      - filters: asset.family.contains("linux")
    27        queries:
    28          # This query is shared, i.e. it is found in the `queries` field below.
    29          # These are helpful when multiple querypacks share similar queries.
    30          # They are identified via their `uid` field.
    31          - uid: shared-services
    32            # We also demonstrate how overrides work. In this example, we are
    33            # changing the title of the query. The shared definition below
                  # carries the title "Collect all services that are running".
    34            title: Collect all system services
    35  
    36          # Another shared query; it is defined under the top-level `queries` field below.
    37          - uid: uname
    38  
    39          # This query demonstrates how properties work. They are small configurable
    40          # variables that are used in queries to give some configurability to users.
    41          # It also shows how filters can be embedded.
    42          - uid: home-info
    43            title: Collect data about the home folder
    44            filters:
    45            - mql: asset.family.contains("linux")
    46            props:
    47              - uid: home
    48                # When dealing with strings in yaml, make sure to write them like this,
    49                # so that we don't lose the double quotes `"` when the yaml is parsed.
    50                mql: |
    51                  "/home"
    52            # This MQL uses the property defined above. You can override it via
    53            # e.g. --props "home='/home/user'"
                  # NOTE(review): the override value looks like an MQL expression (note
                  # the inner quotes), the same as the default above. Presumably it should
                  # only be set by a trusted operator, not built from untrusted input - confirm.
    54            mql: |
    55              file( props.home ) { basename user group }
    56  
    57  # These are shared queries that can be used in any querypack
    58  queries:
    59    - uid: shared-services
    60      title: Collect all services that are running
            # `{ * }` asks for every field of each service entry.
            # NOTE(review): the title says "running", but the query has no `where(...)`
            # clause, so it appears to return every listed service - confirm.
    61      mql: services { * }
    62  
    63    # This is a composed query which has two variants: one for unix type systems
    64    # and one for windows, where we omit the additional `-a` argument.
    65    # If you run the `uname` query, it will pick matching sub-queries for you.
    66    - uid: uname
    67      title: Collect uname info
    68      variants:
    69        - uid: unix-uname
    70        - uid: windows-uname
    71    - uid: unix-uname
            # `command(...)` executes the given command line on the scanned asset, with
            # whatever privileges the scan connection has. Keep the argument a fixed
            # literal, as here, and check packs from other sources for `command` calls
            # before running them.
    72      mql: command("uname -a").stdout
    73      filters: asset.family.contains("unix")
    74    - uid: windows-uname
            # NOTE(review): `uname` is not a standard Windows command, so this variant
            # presumably yields empty stdout unless a unix-like toolset is installed - confirm.
    75      mql: command("uname").stdout
    76      filters: asset.family.contains("windows")