
Using osquery in Oracle Linux

Category: System (Linux) | Posted by 店小二05 | 2016 | Author: 红领巾

Recently the guys at Facebook released an internal project as open source. Now you can make use of some of the internal solutions Facebook uses to keep track of and analyse the compute nodes in its datacenters. osquery allows you to easily ask questions about your Linux, Windows, and OS X infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company.

What osquery provides is a collector that, on a scheduled basis, analyses your operating system and stores this information in a SQLite database local to your system. In essence osquery is an easily configurable and extensible framework that does the majority of the collection tasks for you. What makes it a great product is that everything is stored in SQLite, which enables you to use standard SQL to ask questions about your system.

After a heads-up from the Oracle Linux product teams that Facebook had released this as open source, I installed it on an Oracle Linux instance to investigate the usability of osquery.

Installing osquery

Installation is quite straightforward. An RPM is provided which installs without any issue on Oracle Linux 6. Below is an example of downloading and installing osquery on an Oracle Linux 6 instance:

[root@<host> ~]# wget "https://osquery-packages.s3.amazonaws.com/centos6/osquery-2.0.0.rpm" -b
Continuing in background, pid 28491.
Output will be written to “wget-log”.
[root@<host> ~]# ls -rtl osq*.rpm
-rw-r--r-- 1 root root 13671146 Oct 4 17:13 osquery-2.0.0.rpm
[root@<host> ~]# rpm -ivh osquery-2.0.0.rpm
warning: osquery-2.0.0.rpm: Header V4 RSA/SHA256 Signature, key ID c9d8b80b: NOKEY
Preparing...                ########################################### [100%]
   1:osquery                ########################################### [100%]
[root@<host> ~]#

When you check you will notice that osquery does not start by default and that some manual actions are required to get it started. This is because no default configuration is provided during the installation. For the collector (daemon) to start, it looks for the configuration file /etc/osquery/osquery.conf, which is not part of the RPM installation. This results in the warning below when you try to start the osquery daemon:

[root@<host> init.d]# ./osqueryd start
No config file found at /etc/osquery/osquery.conf
Additionally, no flags file or config override found at /etc/osquery/osquery.flags
See '/usr/share/osquery/osquery.example.conf' for an example config.
[root@<host> init.d]#

Without going into the details of how to configure osquery and tune it for your specific installation, you can start testing osquery by simply using the default example configuration file:

[root@<host> osquery]# cp /usr/share/osquery/osquery.example.conf /etc/osquery/osquery.conf
[root@<host> osquery]# cd /etc/init.d
[root@<host> init.d]# ./osqueryd start
[root@<host> init.d]# ./osqueryd status
osqueryd is already running: 28514
[root@<host> init.d]#

As you can see, we now have the osquery daemon osqueryd running under PID 28514. As it is a collector, it is good to wait a couple of seconds to ensure the collector makes its first collection and stores it in the SQLite database. As soon as it has done so, the first results are stored in your database and you can query them.

To make life easier, you can use the script below to install osquery in a single go:

#!/bin/sh
# Stop at the first failing step so a broken download does not lead to a half-done install
set -e
# Download the osquery 2.0.0 RPM for CentOS/Oracle Linux 6 to a temporary file
wget "https://osquery-packages.s3.amazonaws.com/centos6/osquery-2.0.0.rpm" -O /tmp/osquery.rpm
# Install the package and remove the downloaded file
rpm -ivh /tmp/osquery.rpm
rm -f /tmp/osquery.rpm
# The RPM ships no configuration; copy the example so osqueryd is able to start
cp /usr/share/osquery/osquery.example.conf /etc/osquery/osquery.conf
# Start the daemon through its init script (absolute path, so this works from any directory)
/etc/init.d/osqueryd start

Using osqueryi

The main way to interact with the osquery data is osqueryi, located at /usr/bin/osqueryi. Executing osqueryi presents a command line interface you can use to query the data collected by the osqueryd collector:

[root@<host> /]# osqueryi
osquery - being built, with love, at Facebook
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Using a virtual database. Need help, type '.help'
osquery>

As an example, you can query which PCI devices are present with a single SQL query, as shown below:

osquery> select * from pci_devices;
+--------------+-----------+------------------+--------+-----------+-------+----------+
| pci_slot     | pci_class | driver           | vendor | vendor_id | model | model_id |
+--------------+-----------+------------------+--------+-----------+-------+----------+
| 0000:00:00.0 |           |                  |        | 8086      |       | 1237     |
| 0000:00:01.0 |           |                  |        | 8086      |       | 7000     |
| 0000:00:01.1 |           | ata_piix         |        | 8086      |       | 7010     |
| 0000:00:01.3 |           |                  |        | 8086      |       | 7113     |
| 0000:00:02.0 |           |                  |        | 1013      |       | 00B8     |
| 0000:00:03.0 |           | xen-platform-pci |        | 5853      |       | 0001     |
+--------------+-----------+------------------+--------+-----------+-------+----------+
osquery>

As osqueryi uses a SQLite backend, we can use the standard options and SQL provided by SQLite, for example to get a full overview of all tables present by using the .table command in the command line interface. This produces the output below, which is a good starting point for investigating what type of information is collected by default and can be used:

acpi_tables apt_sources arp_cache authorized_keys block_devices carbon_black_info
chrome_extensions cpu_time cpuid crontab deb_packages device_file
device_hash device_partitions disk_encryption dns_resolvers etc_hosts etc_protocols
etc_services file file_events firefox_addons groups hardware_events
hash interface_addresses interface_details iptables kernel_info kernel_integrity
kernel_modules known_hosts last listening_ports logged_in_users magic
memory_info memory_map mounts msr opera_extensions os_version
osquery_events osquery_extensions osquery_flags osquery_info osquery_packs osquery_registry
osquery_schedule pci_devices platform_info process_envs process_events process_memory_map
process_open_files process_open_sockets processes routes rpm_package_files rpm_packages
shared_memory shell_history smbios_tables socket_events suid_bin syslog
system_controls system_info time uptime usb_devices user_events
user_groups user_ssh_keys users yara yara_events

The example shown above is an extremely simple one; everyone with at least a bit of SQL experience will be able to write much more extensive and interesting queries, which can make life as a Linux administrator much easier.
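As an added example (not from the original post), the script below joins two of the tables listed above, listening_ports and processes, through osqueryi's --json output mode and reports listening sockets whose owning process is not on an expected list. The allowlist and the sample osqueryi output embedded for offline runs are constructed assumptions, not data from this post.

```python
import json
import subprocess

# Join every listening socket to the process that owns it (both are standard osquery tables).
LISTENING_SQL = (
    "SELECT p.name, p.path, l.address, l.port, l.protocol "
    "FROM listening_ports l JOIN processes p ON l.pid = p.pid "
    "WHERE l.port != 0;"
)

# Expected listeners on this host as (process name, port) pairs. Constructed allowlist; adjust per host.
EXPECTED = {("sshd", 22), ("master", 25)}

# Constructed sample of what `osqueryi --json` prints for LISTENING_SQL; osquery returns every column as a string.
SAMPLE_OUTPUT = json.dumps([
    {"name": "sshd", "path": "/usr/sbin/sshd", "address": "0.0.0.0", "port": "22", "protocol": "6"},
    {"name": "master", "path": "/usr/libexec/postfix/master", "address": "127.0.0.1", "port": "25", "protocol": "6"},
    {"name": "python", "path": "/usr/bin/python", "address": "0.0.0.0", "port": "8000", "protocol": "6"},
])


def run_osquery(sql, osqueryi="/usr/bin/osqueryi"):
    """Run one SQL statement through osqueryi and return the result rows as a list of dicts."""
    out = subprocess.check_output([osqueryi, "--json", sql])
    return json.loads(out)


def unexpected_listeners(rows, expected=EXPECTED):
    """Return the rows whose (process name, port) pair is not in the expected set.

    The port is converted to int before comparing because osquery emits it as a string.
    """
    return [r for r in rows if (r["name"], int(r["port"])) not in expected]


if __name__ == "__main__":
    try:
        rows = run_osquery(LISTENING_SQL)
    except (OSError, subprocess.CalledProcessError):
        # osqueryi not installed or the query failed: fall back to the constructed sample
        rows = json.loads(SAMPLE_OUTPUT)
    for r in unexpected_listeners(rows):
        print("unexpected listener: %s (%s) on %s:%s" % (r["name"], r["path"], r["address"], r["port"]))
```

Running it on the sample data reports only the python process on port 8000; on a real host the same query can be scheduled in osquery.conf so osqueryd collects the rows for you.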

Script against osquery

Even though using the command line interface is nice fo

Source: http://www.codesec.net/view/483017.html