How to monitor Linux security with OSQuery


1 Answer

Best answer

1. Install OSQuery on Linux
2. Use OSQuery to analyze Linux

Security should always be one of the main reasons why we look for comprehensive internal and external solutions at the level of hardware, services, processes and the users themselves. In Linux environments we can take advantage of the various solutions developed to improve the security of our systems, and for this reason TechnoWikis will explain a special tool called OSQuery. We will see how, thanks to it, a higher level of security is added to our system, so that as administrators or IT group we can be somewhat more confident, without ever giving up on traditional security advice.

What is OSQuery?
OSQuery was developed as an instrumentation framework for the operating system and is available for Windows, OS X (macOS), Linux and FreeBSD. OSQuery has practical but complete tools that carry out various low-level analyses of the operating system and monitor both performance and each process in an integral way.

OSQuery makes use of a simple plugin and extension API in order to implement SQL tables, but there is already a collection of tables ready for use. Some of these tables are only available on a particular system; for example, in the case of Linux we will only see the kernel_modules table.

To understand how OSQuery operates: this tool exposes the operating system as a high-performance relational database so that, thanks to this exposure, it is possible to write SQL queries to explore operating system data in a much deeper way. When using OSQuery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, hardware events, file hashes and more.

OSQuery features

Within the different features of OSQuery we find:
  • It has a high-performance, low-footprint, distributed host monitoring daemon, called osqueryd, thanks to which it is possible to schedule queries to run across the entire infrastructure deployed in the organization.
  • The log generated by osqueryd can be integrated into the internal logs thanks to a plugin architecture, so that better security options are always available.
  • It has an interactive query console, called osqueryi, which is a SQL interface developed to test new queries and explore the operating system in depth. This console has all the benefits of the full SQL language and has hundreds of built-in tables, which are vital for incident response, diagnosing problems at the level of system operations and more.
  • OSQuery is cross-platform: although this application makes use of low-level operating system APIs, we are able to build and use OSQuery on Windows, macOS, Ubuntu, CentOS and other enterprise-level Linux distributions.
  • OSQuery has native packages for all supported operating systems, and there are also tools and enough documentation on creating packages, so we have resources for their administration.
  • The OSQuery code base is composed of high-performance modular components that use public APIs to extend its capabilities.

Now let's see how to install OSQuery on Linux.


1. Install OSQuery on Linux

Step 1

OSQuery can be installed from the official repository using the package management tools apt, yum or dnf, according to the distribution used, as follows:
In Debian or Ubuntu environments
 export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
 sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY
 sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
 sudo apt update
 sudo apt install osquery
In Fedora environments
 curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
 sudo dnf config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
 sudo dnf config-manager --set-enabled osquery-s3-rpm
 sudo dnf install osquery
In CentOS 7 environments
For CentOS 7 environments, which we will use in this tutorial, we will execute each of the following lines:
 curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
 sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
 sudo yum-config-manager --enable osquery-s3-rpm
 sudo yum install osquery
Step 2

But for CentOS 7 we have the possibility of installing the "auto-repo-add" RPM or adding the repository destination. These RPMs work on any Linux x86-64 with a base installation as of 2011 and we first run the following:
 sudo rpm -ivh https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm 

Step 3

Then we run the OSQuery installation as well.
 sudo yum install osquery 

Step 4

Enter the letter y to confirm the download and installation of OSQuery in CentOS 7. At some point in the installation we must authorize the installation of the GPG key:

Step 5

Enter the letter s to confirm this and we will see that OSQuery is installed correctly in CentOS 7.


2. Use OSQuery to analyze Linux

Step 1

Once OSQuery is installed correctly in CentOS 7, we will start the osqueryi shell to start the queries of the operating system status, for this we execute:
 osqueryi 

Step 2

To obtain summary information about our Linux operating system, we will execute the following command:
 SELECT * FROM system_info; 
Step 3

In the results we will see details such as:
  • Hostname
  • IP address
  • Type of CPU used
  • UUID and more

Step 4

If we want to obtain a list of all users in the Linux system, we will run the following OSQuery query:
 SELECT * FROM users; 

Step 5

To get a list of all the Linux kernel modules and their respective status, we will execute the following.
 SELECT * FROM kernel_modules; 

Step 6

If it is necessary to access the list of all RPM packages installed in CentOS, RHEL and Fedora, we will execute the following query:
 .all rpm_packages

Step 7

To access information on running processes on Linux (here, those listening on all network interfaces), the following query will be useful:
 SELECT DISTINCT processes.name, listening_ports.port, processes.pid FROM listening_ports JOIN processes USING (pid) WHERE listening_ports.address = '0.0.0.0'; 
Step 8

To list all the implemented tables we execute:
 .tables 

Step 9

To list the schema (columns, types) of a specific table we execute one of the following lines:
 .schema table_name
 pragma table_info(table_name);

Step 10

To display the general help we will execute the following:
 .help 

Step 11

To exit OSQuery we run:
 .exit 
With OSQuery it will be possible to access detailed information on many system parameters in order to improve administration tasks and always have great functionality features.
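The Step 7 query is most useful when it is run regularly and compared against a baseline rather than read once by hand. The following script is an added example (not part of the original answer or of the osquery project): it runs that query through osqueryi --json, widens it to IPv6 wildcard binds, and flags any wildcard listener whose port is not in a hypothetical allowlist; the sample rows and the allowlist are constructed for illustration.

```python
import json
import subprocess

# Step 7's query, widened to catch IPv6 wildcard binds ('::') as well as 0.0.0.0.
# Column names follow the standard listening_ports and processes tables.
LISTENING_QUERY = (
    "SELECT DISTINCT p.name, p.pid, lp.port, lp.address, lp.protocol "
    "FROM listening_ports AS lp JOIN processes AS p USING (pid) "
    "WHERE lp.address IN ('0.0.0.0', '::');"
)

# Hypothetical baseline: the only port this host is expected to expose on all interfaces.
EXPECTED_PORTS = {22}


def run_osquery(sql):
    """Run one query through osqueryi; with --json it prints a JSON array of rows."""
    out = subprocess.check_output(["osqueryi", "--json", sql], text=True)
    return json.loads(out)


def unexpected_listeners(rows, expected_ports=EXPECTED_PORTS):
    """Return wildcard-bound listeners whose port is outside the baseline, sorted by port."""
    findings = []
    for row in rows:
        port = int(row["port"])          # osqueryi returns every column as a string
        if port in expected_ports:
            continue
        proto = "tcp" if row["protocol"] == "6" else "udp"   # IP protocol number
        findings.append({"name": row["name"], "pid": int(row["pid"]),
                         "port": port, "proto": proto, "address": row["address"]})
    return sorted(findings, key=lambda f: (f["port"], f["pid"]))


# Constructed sample rows in the shape osqueryi --json returns (all values are strings).
SAMPLE_ROWS = [
    {"name": "sshd", "pid": "812", "port": "22", "address": "0.0.0.0", "protocol": "6"},
    {"name": "redis-server", "pid": "4410", "port": "6379", "address": "0.0.0.0", "protocol": "6"},
    {"name": "python3", "pid": "4520", "port": "8000", "address": "::", "protocol": "6"},
    {"name": "chronyd", "pid": "640", "port": "323", "address": "0.0.0.0", "protocol": "17"},
]

if __name__ == "__main__":
    try:
        rows = run_osquery(LISTENING_QUERY)   # live host when osqueryi is installed
    except (FileNotFoundError, subprocess.CalledProcessError):
        rows = SAMPLE_ROWS                    # otherwise the constructed sample above
    for finding in unexpected_listeners(rows):
        print(finding)
```

The same query string can be placed under "schedule" in an osqueryd configuration so the check runs fleet-wide on an interval instead of interactively.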
