Windows audit policies
auditpol MQL resource for querying Operating System infrastructure with cnquery and cnspec.
auditd (Linux Audit Daemon) rule for a syscall

For example, the rule -a always,exit -F arch=b32 -F auid>=1000 -F auid!=unset is represented as:

=> (
  action: "always",
  list: "exit",
  syscalls: [],
  field_entries: [
    key="arch" op="="  value="b32"
    key="auid" op=">=" value="1000"
    key="auid" op="!=" value="unset"
  ],
  keyname: nil,
)

No -S option is present, so syscalls is empty (the rule matches every syscall on the exit filter), and no -k option is present, so keyname is nil.
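The following is an added example, not part of cnquery, cnspec or the MQL resource itself: a small Python parser that turns an auditctl-style syscall rule into the same action / list / syscalls / field_entries / keyname structure shown above, plus a lint pass with the checks a practitioner usually wants (missing -k, missing -S, -S without an arch filter). The operator set and the accepted option forms follow auditctl(8) as I know them; the lint messages are my own wording.

```python
"""Parse auditd syscall rules (auditctl syntax) into the fields shown on the page.

Added example; not code from cnquery/cnspec.  Sample rules below are constructed.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import Optional

# auditctl field operators.  The alternation is ordered so that two-character
# operators are tried before their one-character prefixes (">=" before ">").
_FIELD_RE = re.compile(r"^([A-Za-z0-9_]+)(>=|<=|!=|&=|=|>|<|&)(.*)$")
# Filter lists auditctl accepts in "-a list,action" / "-a action,list".
_LISTS = {"task", "exit", "user", "exclude", "filesystem"}


@dataclass
class FieldEntry:
    key: str
    op: str
    value: str


@dataclass
class AuditdRule:
    action: str
    list: str
    syscalls: list = field(default_factory=list)
    field_entries: list = field(default_factory=list)
    keyname: Optional[str] = None


def parse_field(expr: str) -> FieldEntry:
    """Split one -F expression such as 'auid>=1000' into key, op, value."""
    m = _FIELD_RE.match(expr)
    if not m:
        raise ValueError(f"malformed -F expression: {expr!r}")
    return FieldEntry(*m.groups())


def parse_auditd_rule(line: str) -> AuditdRule:
    """Parse one syscall rule line (as found in /etc/audit/rules.d/*.rules)."""
    tokens = shlex.split(line)
    action = lst = None
    syscalls, entries, keyname = [], [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError(f"option {tok} is missing its argument")
        arg = tokens[i + 1]
        if tok in ("-a", "-A"):
            first, second = arg.split(",", 1)
            # auditctl accepts both "action,list" and "list,action"; normalise.
            if first in _LISTS:
                first, second = second, first
            action, lst = first, second
        elif tok == "-S":
            syscalls.extend(arg.split(","))
        elif tok == "-F":
            entry = parse_field(arg)
            # "-F key=name" is auditctl's alternative spelling of "-k name".
            if entry.key == "key" and entry.op == "=":
                keyname = entry.value
            else:
                entries.append(entry)
        elif tok == "-k":
            keyname = arg
        elif tok == "-w":
            raise ValueError("-w is a file watch rule, not a syscall rule")
        else:
            raise ValueError(f"unsupported option {tok!r}")
        i += 2
    if action is None or lst is None:
        raise ValueError("syscall rule needs -a action,list")
    return AuditdRule(action, lst, syscalls, entries, keyname)


def lint_rule(rule: AuditdRule) -> list:
    """Checks a reviewer would raise on a parsed rule; returns warning strings."""
    warnings = []
    keys = {e.key for e in rule.field_entries}
    if rule.keyname is None:
        warnings.append("no -k keyname: events are hard to find with ausearch -k")
    if not rule.syscalls:
        warnings.append("no -S: rule matches every syscall on the filter (very noisy)")
    elif "arch" not in keys:
        warnings.append("-S without -F arch=: 32/64-bit syscall numbers are ambiguous")
    return warnings


if __name__ == "__main__":
    # Constructed sample rules: the page's example and a typical exec-auditing rule.
    for line in (
        "-a always,exit -F arch=b32 -F auid>=1000 -F auid!=unset",
        "-a exit,always -F arch=b64 -S execve,execveat -F auid>=1000 -F auid!=unset -k exec",
    ):
        rule = parse_auditd_rule(line)
        print(rule)
        for w in lint_rule(rule):
            print("  warning:", w)
```

Run against the page's example, the parser yields action "always", list "exit", an empty syscalls list, the three field entries and no keyname, and the lint pass flags both the missing -k and the missing -S; the second constructed rule passes clean because it names its syscalls, pins the arch, and carries a key.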
Windows audit policy
auditpol.entry MQL resource for querying Operating System infrastructure with cnquery and cnspec.