A Linux installation has many tools to query different aspects of the system. Some tools, like top and ps, give a nice overview, whereas others, like ip, interface directly with the kernel. The number of tools at your disposal quickly multiplies if you manage a network with various operating systems, and, while having access to several utilities sounds like a good thing, juggling them and their respective syntax is quite bothersome. If you crave a unified interface for querying the different aspects of the operating system, you need osquery. Osquery is a cross-platform open source tool originally created by Facebook that, as its name suggests, is designed to query various details about the state of your machines.

The osquery tool works across Linux, Windows, and macOS and exposes operating system configuration data in the form of relational database tables. In other words, osquery turns a Linux installation into one giant database, with tables that you can query using SQL-like statements. With these queries, you can check on running processes, loaded kernel modules, and active user accounts, and you can even monitor file integrity, check the status and configuration of the firewall, perform security audits of the target server, and lots more. The tool uses a high-level dialect of SQLite, which isn't too difficult to grasp, even for those unfamiliar with SQL.

Loaded Question

Although osquery won't be available in your distribution's official repositories, installing it isn't much of an issue. The tool is available as a source tarball along with prepackaged binaries for RPM- and DEB-based distributions. You can also install it by adding its repository for your respective distribution. In this tutorial, I'll install osquery on top of a CentOS 7 installation. If this is a pristine CentOS 7 installation, you'll have to update curl and a number of other packages with:

$ sudo yum update curl nss nss-util nss-sysinit nss-tools

Now grab the GPG key for the tool's repository with:

$ curl -L | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery

Now add and enable the repository with:

$ sudo yum-config-manager --add-repo
$ sudo yum-config-manager --enable osquery-s3-rpm

Once the repository has been enabled, you can simply grab the tool with yum:

$ sudo yum install osquery

Installing osquery gives you access to three components: osqueryi, which is an interactive osquery shell and is useful as a test bed for performing ad hoc queries; osqueryd, which is a daemon that runs scheduled queries in the background; and osqueryctl, a helper script that will assist you by testing osquery's configuration. You can also use it to start, stop, and restart the daemon. It's important to note that osqueryi doesn't talk to osqueryd in any way, which is to say that osqueryi isn't a client to osqueryd. They are separate but related tools that come together in one package. Most of the flags and options needed to run both are the same, and you can launch osqueryi using the osqueryd configuration file, which is useful for customizing the interactive environment without using lots of command-line switches.

To get started, fire up a terminal and run

$ sudo osqueryi

to get into the osquery interactive console mode (Figure 1). Before pressing ahead, you should familiarize yourself with some basics. Osquery collects and aggregates a system's log and status information in a number of predefined tables. It is these tables that you query to get information about the state of your system. To get a list of all available tables in osquery, run the command:

osquery> .tables

Figure 3: With osquery, you can create some complex queries with arguments, such as JOIN and WHERE.

For more meaningful output, use

SELECT pid, name, uid, resident_size FROM processes ORDER BY resident_size desc limit 10

to display the 10 largest processes arranged by size. Similarly, using

SELECT count(pid) as total, name FROM processes group by name ORDER BY total desc limit 10

will display the process count and name of the top 10 most active processes. Finally,

SELECT name, path, pid FROM processes WHERE on_disk = 0

displays processes with no associated binary – usually a red flag that means you should immediately terminate the suspicious process. To keep an eye on the logged-in users, use:

SELECT * FROM logged_in_users

This query lists previous logins so you can find logins from unknown IP addresses, especially if multiple users are logging in from an unfamiliar host.

Also, you can check the repositories available in your distribution.
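As an added example that is not part of the original article, the following osquery SQL extends the process and login queries above with the JOIN and WHERE clauses mentioned in Figure 3. It assumes the standard osquery schema for the processes, users, listening_ports and logged_in_users tables and is meant to be pasted into the osqueryi prompt.

```sql
-- Added example (not from the article): osquery SQL for the osqueryi prompt.
-- Table and column names follow the standard osquery schema.

-- 1. Processes with no backing binary on disk, resolved to the owning
--    user via a JOIN on the users table, so the output shows who runs
--    the suspicious process instead of a bare uid.
SELECT p.pid, p.name, p.path, p.cmdline, u.username
FROM processes AS p
LEFT JOIN users AS u ON p.uid = u.uid
WHERE p.on_disk = 0;

-- 2. The ten largest processes with resident_size converted from bytes
--    to MiB and the parent process name added for context.
SELECT p.pid, p.name, u.username,
       p.resident_size / 1048576 AS rss_mib,
       pp.name AS parent_name
FROM processes AS p
LEFT JOIN users AS u ON p.uid = u.uid
LEFT JOIN processes AS pp ON p.parent = pp.pid
ORDER BY p.resident_size DESC
LIMIT 10;

-- 3. Which process is listening on which TCP port, and as which user.
--    protocol 6 is TCP in the listening_ports table; port 0 entries are
--    unbound sockets and are filtered out.
SELECT lp.port, lp.address, p.pid, p.name, p.path, u.username
FROM listening_ports AS lp
JOIN processes AS p ON lp.pid = p.pid
LEFT JOIN users AS u ON p.uid = u.uid
WHERE lp.protocol = 6 AND lp.port <> 0
ORDER BY lp.port;

-- 4. Logged-in sessions grouped by originating host, so a host from which
--    several distinct users are logged in stands out, as the article suggests.
SELECT host, COUNT(DISTINCT user) AS user_count,
       GROUP_CONCAT(DISTINCT user) AS users
FROM logged_in_users
WHERE host <> ''
GROUP BY host
HAVING user_count > 1
ORDER BY user_count DESC;
```

Each statement can also be scheduled in the osqueryd configuration so that changes in its result set are logged over time rather than checked by hand.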