Osquery is an open-source agent that takes a refreshing approach to security: it exposes the operating-system information you need, such as active user accounts, running processes, loaded kernel modules, and active network connections, as SQL tables you can query. It serves several purposes, from troubleshooting operational and performance issues to hardening systems and hunting for malicious activity. It is available for most major operating systems, including Linux, Windows, OS X, and FreeBSD.
In this article we walk through the installation steps on Linux Mint; the same steps work on Ubuntu systems as well.
Prerequisites:
The only requirement for installing and using osquery in this article is a system running Linux Mint or Ubuntu. Make sure you have sudo privileges, since installing the required packages needs them.
Step 1: System Update
Let's start by refreshing the package lists and installing the latest updates and security patches with the commands below.
$ sudo apt-get update && sudo apt-get upgrade -y
Once the update finishes, reboot so that all patched packages are fully in effect before moving forward.
Step 2: Downloading and Installing Osquery
Osquery packages are available for most operating systems. You can download the package for your OS from the official downloads page: https://osquery.io/downloads/
We will install it from the official apt repository. The DEB packages have very few dependencies and should work on most Debian-based distributions.
Run the commands below to install it on your system without any hassle. First, record the fingerprint of the repository's signing key:
$ export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
Next, import the signing key with apt-key and add the repository. On recent Ubuntu releases apt-key is deprecated; check the osquery downloads page for the current key-installation instructions.
$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys $OSQUERY_KEY
$ sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
After adding the repository, update the package lists again and install osquery with the commands below.
$ sudo apt-get update
$ sudo apt-get install osquery
Step 3: Osquery components and Usage
With osquery installed, we now have access to its three components: osqueryi, osqueryd and osqueryctl. osqueryi is an interactive SQL shell that is completely standalone and does not communicate with the daemon; it does not need to run as an administrator. Use it to prototype queries and to explore the current state of your operating system.
Run the command below to find all command-line options and flags available to the interactive shell.
$ osqueryi --help
You will see a long list of its command-line flags as shown in the image.
The second component is osqueryd. To list its command-line arguments, run the command below.
$ osqueryd --help
osqueryd is the host-monitoring daemon: it runs the queries you schedule, records changes in OS state over time, and writes logs that describe, for each query, which rows appeared or disappeared between runs.
The third component, osqueryctl, is a helper script used by (or in place of) the operating system's service manager to start, stop and restart osqueryd. It is also handy when testing a deployment or checking the configuration.
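Because osqueryd reports differences rather than full tables, its results log is a stream of "added" and "removed" rows. The following added example (not code from the article or from the osquery project) parses a few constructed log lines in that line-per-JSON-object shape, counts changes per scheduled query, lists listening ports that appeared, and replays the stream to rebuild the current state of a table. The host name, PIDs, ports and timestamps in the sample are made up; the function names are this example's own.

```python
import json
from typing import Any, Dict, List, Set, Tuple

# Constructed sample of the line-per-JSON-object format osqueryd writes to its
# results log for scheduled differential queries. Host name, PIDs, ports and
# timestamps are made up for this example; the final line is deliberately
# malformed to show that a parser must tolerate damaged log lines.
SAMPLE_RESULTS_LOG = """\
{"name":"listening_ports","hostIdentifier":"mint-lab","calendarTime":"Mon Jan  6 10:00:00 2020 UTC","unixTime":1578304800,"epoch":0,"counter":0,"columns":{"pid":"812","port":"22","protocol":"6","address":"0.0.0.0"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"mint-lab","calendarTime":"Mon Jan  6 10:05:00 2020 UTC","unixTime":1578305100,"epoch":0,"counter":1,"columns":{"pid":"4120","port":"8080","protocol":"6","address":"0.0.0.0"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"mint-lab","calendarTime":"Mon Jan  6 10:10:00 2020 UTC","unixTime":1578305400,"epoch":0,"counter":2,"columns":{"pid":"812","port":"22","protocol":"6","address":"0.0.0.0"},"action":"removed"}
{"name":"users","hostIdentifier":"mint-lab","calendarTime":"Mon Jan  6 10:10:00 2020 UTC","unixTime":1578305400,"epoch":0,"counter":2,"columns":{"uid":"1001","username":"svc-backup","shell":"/bin/bash"},"action":"added"}
this line is not JSON and must be skipped
"""

Event = Dict[str, Any]


def parse_results_log(text: str) -> List[Event]:
    """Parse results-log lines, keeping only well-formed differential events."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # damaged or truncated line: skip rather than abort
        if isinstance(obj, dict) and "name" in obj and "columns" in obj:
            events.append(obj)
    return events


def summarize_changes(events: List[Event]) -> Dict[str, Dict[str, int]]:
    """Count added/removed rows per scheduled query name."""
    summary: Dict[str, Dict[str, int]] = {}
    for e in events:
        per_query = summary.setdefault(e["name"], {"added": 0, "removed": 0})
        action = e.get("action")
        if action in per_query:
            per_query[action] += 1
    return summary


def replay_differential(events: List[Event], name: str) -> Set[Tuple[Tuple[str, str], ...]]:
    """Rebuild a query's current row set from its added/removed stream.

    A row is identified by its full column tuple, which is also how osqueryd
    decides between runs which rows are new and which have vanished.
    """
    rows: Set[Tuple[Tuple[str, str], ...]] = set()
    for e in events:
        if e["name"] != name:
            continue
        key = tuple(sorted(e["columns"].items()))
        if e.get("action") == "added":
            rows.add(key)
        elif e.get("action") == "removed":
            rows.discard(key)
    return rows


def new_listening_ports(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (port, pid) for every listening socket that appeared, in log order."""
    return [
        (e["columns"]["port"], e["columns"]["pid"])
        for e in events
        if e["name"] == "listening_ports" and e.get("action") == "added"
    ]


if __name__ == "__main__":
    evs = parse_results_log(SAMPLE_RESULTS_LOG)
    print("changes per query:", summarize_changes(evs))
    print("new listening ports:", new_listening_ports(evs))
    for row in sorted(replay_differential(evs, "listening_ports")):
        print("currently listening:", dict(row))
```

Point a small loop like this at the daemon's results log and you have the basis of an alert: a new listening socket or a new local account is worth a look, and "removed" rows (a service that stopped listening) are often just as interesting as added ones.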
Run the commands below to start the daemon and check its status.
$ sudo osqueryctl start osqueryd
$ sudo osqueryctl status osqueryd
Let's run some basic queries in the interactive shell. Start osqueryi, then enter SQL statements at the osquery> prompt; each statement ends with a semicolon.
$ osqueryi
osquery> SELECT * FROM users;
osquery> SELECT * FROM listening_ports;
osquery> SELECT * FROM memory_info;
osquery> SELECT memory_total FROM memory_info;
osquery> SELECT hostname, cpu_brand, cpu_physical_cores, cpu_logical_cores, physical_memory FROM system_info;
Step 4: Configuring Osquery
Osquery presents operating-system state as SQL tables, so monitoring and analysis are done with ordinary SQL statements such as SELECT.
By default osquery does not ship with an active configuration file. A sample configuration is included with the package, which you can copy to /etc/osquery and modify.
$ sudo vim /etc/osquery/osquery.conf
The configuration file is JSON, and you can schedule as many queries as you want.
Let's follow Palantir's published osquery configuration, which is a solid starting point for Linux servers and includes both an osquery.flags and an osquery.conf file. The reference link is given below.
https://github.com/palantir/osquery-configuration/tree/master/Classic/Servers/Linux
Place these files in /etc/osquery/ and restart osqueryd; you will start getting logs from a number of useful monitoring queries.
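To make the JSON layout concrete, here is an added example (not code from the article, the osquery project, or Palantir's repository) that assembles a small osquery.conf with a few scheduled queries, checks its shape before it is handed to the daemon, and serialises it. The option and schedule keys (options, schedule, query, interval, snapshot, removed) are the ones osquery's configuration uses; the chosen values, the query selection and the helper names are this example's own assumptions.

```python
import json
from typing import Any, Dict, List

# The option and schedule keys below are the ones osquery's config format uses;
# the values (paths, intervals, query choice) are this example's own, not the
# article's or Palantir's configuration. Helper names are hypothetical.


def build_config() -> Dict[str, Any]:
    """Assemble a minimal osquery.conf as a Python dict."""
    return {
        "options": {
            "config_plugin": "filesystem",
            "logger_plugin": "filesystem",
            "logger_path": "/var/log/osquery",
            "disable_logging": "false",
            "schedule_splay_percent": "10",
            "host_identifier": "hostname",
        },
        "schedule": {
            # Differential query: only rows that appear or vanish are logged;
            # "removed": true makes sure closed sockets are reported too.
            "listening_ports": {
                "query": "SELECT pid, port, protocol, address FROM listening_ports;",
                "interval": 300,
                "removed": True,
            },
            "local_users": {
                "query": "SELECT uid, username, shell FROM users;",
                "interval": 3600,
            },
            # Snapshot query: the full result set is logged on every run.
            "system_inventory": {
                "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
                "interval": 86400,
                "snapshot": True,
            },
        },
    }


def validate_config(cfg: Dict[str, Any]) -> List[str]:
    """Check the shape of a config before handing it to osqueryd; return problems found."""
    problems: List[str] = []
    schedule = cfg.get("schedule")
    if not isinstance(schedule, dict) or not schedule:
        return ["schedule: missing or empty"]
    for name, entry in schedule.items():
        if not isinstance(entry, dict):
            problems.append(f"{name}: entry must be an object")
            continue
        query = entry.get("query")
        # osquery only ever reads tables, so anything but SELECT is a mistake.
        if not isinstance(query, str) or not query.lstrip().lower().startswith("select"):
            problems.append(f"{name}: query must be a SELECT statement")
        interval = entry.get("interval")
        if isinstance(interval, bool) or not isinstance(interval, int) or interval <= 0:
            problems.append(f"{name}: interval must be a positive number of seconds")
        for flag in ("snapshot", "removed"):
            if flag in entry and not isinstance(entry[flag], bool):
                problems.append(f"{name}: {flag} must be true or false")
    return problems


def render_config(cfg: Dict[str, Any]) -> str:
    """Serialise to the JSON text that goes into /etc/osquery/osquery.conf."""
    return json.dumps(cfg, indent=2) + "\n"


def load_config(text: str) -> Dict[str, Any]:
    """Parse osquery.conf text back into a dict (raises on malformed JSON)."""
    return json.loads(text)


if __name__ == "__main__":
    config = build_config()
    found = validate_config(config)
    print("problems:", found or "none")
    print(render_config(config))
```

The local check only catches shape errors; after writing the file, have osquery itself validate it with `sudo osqueryctl config-check` before restarting the daemon.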
Conclusion:
In this article we covered the installation and configuration of osquery. Osquery is one of the best utilities developed by Facebook for monitoring and analysing the security and activity of your system. Beyond scheduled queries, osquery offers several forms of eventing, including file modifications and accesses, disk mounts, network reconfigurations, hardware attach and detach, and process starts. Hopefully you enjoyed this article and are interested in learning more about osquery.