+5 votes
394 views
How to monitor Linux security with OSQuery

in Linux / Unix by (552k points)
reopened | 394 views

1 Answer

+3 votes
Best answer

1. Install OSQuery on Linux
2. Use OSQuery to analyze Linux

Security should always be one of the main reasons why we seek comprehensive internal and external solutions at the level of hardware , services, processes and the users themselves. Undoubtedly, in Linux environments we can take advantage of the various solutions that are developed to improve the security of our systems and it is for this reason that TechnoWikis will explain a special called OSQuery and we will be able to understand how thanks to it a more level of security is added to our system and as administrators or IT group we will be somewhat more confident, but without ever giving up on traditional security advice..

What is OSQuery?
OSQuery was developed as an instrumentation framework for the operating system and is available for both Windows, OS X (macOS), Linux and FreeBSD. OSQuery has practical, but complete tools that are responsible for carrying out various analyzes of the low-level operating system and monitoring both performance and each process in an integral way.

OSQuery makes use of a simple plugin and an extension API in order to implement SQL tables, but there is already a collection of tables ready for use, some of these tables are only available for a special system, for example, in In the case of Linux we will only see the kernel_modules table.

To understand the operation of OSQuery, this tool exposes the operating system as a high-performance relational database so that, thanks to this exposure, it is possible to write SQL queries to explore operating system data in a much deeper way. When using OSQuery, SQL tables are represented as abstract concepts similar to running processes, loaded kernel modules, open network connections, hardware events, file hashes or more..

OSQuery features

Within the different features of OSQuery we find:
  • It has a high performance distributed, but low footprint, distributed host monitoring daemon, called osqueryd, thanks to which it will be possible to schedule queries to run across the entire infrastructure mounted in the organization.
  • The log generated by osqueryd can be integrated into the internal logs thanks to an add-on architecture to always have better security options available.
  • It has an interactive query console, called osqueryi, which is a SQL interface developed to test new queries and explore the operating system in depth, this console has all the benefits of the full SQL language and has hundreds of integrated tables which will be vital to incident response, problem diagnostics at the level of system operations and more.
  • OSQuery is a cross platform, regardless of whether this application makes use of the low level operating system APIs, we are able to build and use OSQuery on Windows, macOS, Ubuntu, CentOS systems and other Linux distributions at enterprise level .
  • OSQuery has native packages for all compatible operating systems, there are also tools and enough documentation on the creation of packages with which we have resources for their administration.
  • The OSQuery base code is composed of high-performance modular components using public APIs to expand its benefits.

Now let's see how to install OSQuery on Linux.


1. Install OSQuery on Linux

Step 1

OSQuery can be installed from the official repository using the package management tools apt, yum or dnf according to the distribution used as follows:
In Debian or Ubuntu environments
 export OSQUERY_KEY = 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $ OSQUERY_KEY sudo add-apt-repository 'deb [arch = amd64] https://pkg.osquery.io/deb deb main' sudo apt update sudo apt install osquery 
In Fedora environments
 curl -L https://pkg.osquery.io/rpm/GPG | sudo tee / etc / pki / rpm-gpg / RPM-GPG-KEY-osquery dnf config-manager --add-repo --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo sudo dnf config-manager --set-enabled osquery-s3-rpm sudo dnf install osquery 
In CentOS 7 environments
For CentOS 7 environments, which we will use in this tutorial, we will execute each of the following lines:
 curl -L https://pkg.osquery.io/rpm/GPG | sudo tee / etc / pki / rpm-gpg / RPM-GPG-KEY-osquery sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo sudo yum-config-manager --enable osquery-s3-rpm sudo yum install osquery 
Step 2

But for CentOS 7 we have the possibility of installing the "auto-repo-add" RPM or adding the repository destination. These RPMs work on any Linux x86-64 with a base installation as of 2011 and we first run the following:
 sudo rpm -ivh https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm 

image

Step 3

Then we run the OSQuery installation as well.
 sudo yum install osquery 

image

Step 4

Enter the letter and to confirm the download and installation of OSQuery in CentOS 7. At some point in the installation we must authorize the installation of the GPG key:

image

Step 5

Enter the letter s to confirm this and we will see that OSQuery is installed correctly in CentOS 7.

image


2. Use OSQuery to analyze Linux

Step 1

Once OSQuery is installed correctly in CentOS 7, we will start the osqueryi shell to start the queries of the operating system status, for this we execute:
 osqueryi 

image

Step 2

To obtain a summary information of our Linux operating system, we will execute the following command:
 SELECT * FROM system_info; 
Step 3

In the results we will see details such as:
  • Hostname
  • IP adress
  • Type of CPU used
  • UUID and more

image

Step 4

If we want to obtain a list of all users in the Linux system, we will run the following OSQuery query:
 SELECT * FROM users; 

image

Step 5

To get a list of all the Linux kernel modules and their respective status, we will execute the following.
 SELECT * FROM kernel_modules; 

image

Step 6

If it is necessary to access the list of all RPM packages installed in CentOS, RHEL and Fedora, we will execute the following query:
 .all rpm_packages; 

image

Step 7

To access information on how to run processes on Linux, the following query will be useful:
 SELECT DISTINCT processes.name, listening_ports.port, processes.pid FROM listening_ports JOIN processes USING (pid) WHERE listening_ports.address = '0.0.0.0'; 
Step 8

To list all the implemented tables we execute:
 .tables 

image

Step 9

To list the scheme (columns, types) of a specific table we execute one of the following lines:
 .schema table_name pragma table_info (table_name); 

image

Step 10

To deploy the general help we will execute the following:
 .help 

image

Step 11

To exit OSQuery we run:
 .exit 
With OSQuery it will be possible to access detailed information on many system parameters in order to improve administration tasks and always have great functionality features.

by (3.5m points)
edited

Related questions

+3 votes
1 answer
asked Nov 14, 2019 in Linux / Unix by backtothefuture (552k points) | 257 views
+3 votes
1 answer
asked Oct 22, 2019 in Linux / Unix by backtothefuture (552k points) | 248 views
+3 votes
1 answer
+4 votes
1 answer
asked Nov 1, 2019 in Linux / Unix by backtothefuture (552k points) | 323 views
+4 votes
1 answer
asked Sep 29, 2019 in Linux / Unix by backtothefuture (552k points) | 293 views
Sponsored articles cost $40 per post. You can contact us via Feedback

Most popular questions within the last 30 days

10,659 questions
10,791 answers
510 comments
3 users