OSQuery - Monitoring System Process
•
0 likes•197 views
Osquery is an open source tool that allows users to perform SQL queries on their system to retrieve information. It supports various platforms and makes it easy to get details about the system. Osquery consists of Osqueryi, Osqueryd, and Osqueryctl components. Basic queries can be run in user context mode to view system information, configuration, and tables. Osqueryd runs in daemon mode and can be configured using packs and decorators to monitor specific events and files. Osqueryctl is used to control the Osquery daemon process.
Report
Share
OSQuery - Monitoring System Process
- 1. AN INTRODUCTION TO OSQUERYAN INTRODUCTION TO OSQUERY
- 2. WHO AM I ?WHO AM I ? Intern @ Practical DevSecOps Undergrad @ Vit Chennai Have interest over Mobile,Web,Cloud Security Currently Looking for Internship
- 3. TODAYS AGENDATODAYS AGENDA What is Osquery Why Osquery Basic Queries Configuring Osquery What next?
- 4. PRE-REQUISTEPRE-REQUISTE Basic System Knowledge Basic SQL language
- 5. OS QUERYOS QUERY Tool to ask question about your System Developed by Facebook Opensource Based on SQL
- 6. COMPONENETS OF OS QUERYCOMPONENETS OF OS QUERY Osqueryi Osqueryd Osqueryctl
- 7. WHY OS QUERY ?WHY OS QUERY ? Easy to use Supports almost all platform Easy to get information about different System
- 8. BASIC QUERIESBASIC QUERIES Runs in User-context mode .show - shows basic configuration .help - shows help name .table - shows list of table .schema <table> - show the column
- 10. SELECT * FROM uptime; SELECT * FROM os_version; SELECT * FROM system_info;
- 11. JOINJOIN Used to join the table select count(*) from users; select * from users limit 1; select uid , username from users; select uid , username from users where username like 's%'; select uid , username from users where username like '%s'; select pid, name from processes limit 5; select p.pid , p.name, u.username from processes p join users
- 13. BASIC OS-QUERY CONFIGURATIONBASIC OS-QUERY CONFIGURATION Should be stored in the /etc/osquery/osquery.conf { "options": { "config_plugin": "filesystem", "logger_plugin": "filesystem", "logger_path": "/var/log/osquery", "disable_logging": "false", "log_result_events": "true", "schedule_splay_percent": "10", "pidfile": "/var/osquery/osquery.pidfile", "events_expiry": "3600", "database_path": "/var/osquery/osquery.db", "verbose": "false", "worker_threads": "2", "enable_monitor": "true", "disable_events": "false",
- 14. DECARATORDECARATOR These are additional value need to be added in logs There are 3 types load always interval
- 15. PACKSPACKS Packs are the way to group the query for Specific Task Default one can be found in /usr/share/osquery/packs/ It has the following information Intervals Which platform to perform Which action to use
- 16. BASIC USE CASE (FILE-BASIC USE CASE (FILE- INTEGRATION MONITORING)INTEGRATION MONITORING) sudo nano etcosqueryosquery.conf { "options": { "config_plugin": "filesystem", "logger_plugin": "filesystem", "logger_path": "/var/log/osquery", "disable_logging": "false", "schedule_splay_percent": "10", "pidfile": "/var/osquery/osquery.pidfile", "events_expiry": "3600", "database_path": "/var/osquery/osquery.db", "verbose": "false", "worker_threads": "2", "disable_events": "false", "disable_audit": "false", "audit_allow_config": "true",
- 17. CREATING PACKCREATING PACK sudo nano /usr/share/osquery/packs/fim.conf { "queries": { "file_events": { "query": "SELECT * FROM file_events;", "removed": false, "interval": 300 } }, "file_paths": { "important": [ "/home/joshua/important/%%" ] }
- 18. OSQUERYCTLOSQUERYCTL Similar to systemctl Used to start,stop and check configuration of osquery configuration $ osqueryctl config-check $ osqueryctl start $ osqueryctl stop osqueryd $ osqueryctl restart osqueryd
- 21. QUESTIONS & FEEDBACKQUESTIONS & FEEDBACK