如何在Debian 10上安装osquery

如何在Debian 10上安装osquery

osquery是Facebook开发的免费,开放源代码工具,可用于查询与操作系统相关的信息,例如内存使用情况,已安装的软件包,进程信息,登录的用户,监听端口等。它可以在多种操作系统上运行,包括Windows,Linux,FreeBSD和MacOS。对于各种用例来说,这是一个非常有用的工具,可以对性能和操作问题进行故障排除。它带有许多工具来帮助您执行OS分析和监视。

在本教程中,您将学习如何在Debian 10上安装和使用osquery。

前提条件

  • 运行Debian 10的服务器。
  • 服务器设置了root密码。

引言

我们建议您在开始之前将系统的软件包更新为最新版本。您可以使用以下命令更新所有软件包。

apt-get update -yapt-get upgrade -y

在更新所有软件包之后,重新引导系统以应用更改。

安装osquery

默认情况下,osquery在Debian 10默认存储库中不可用。因此,您需要将osquery存储库添加到系统中。

首先,使用以下命令下载并添加GPG密钥。

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B

然后使用以下命令添加osquery存储库:

apt-get install software-properties-common -yadd-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'

然后更新存储库并使用以下命令安装osquery:

apt-get update -yapt-get install osquery -y

安装完成后,使用以下命令启动osquery服务。

osqueryctl start osqueryd

您还可以使用以下命令检查osquery的状态。

osqueryctl status osqueryd

显示以下输出。

? osqueryd.service - The osquery Daemon
   Loaded: loaded (/lib/systemd/system/osqueryd.service; disabled; vendor preset: enabled)
   Active: active (running) since Sun 2020-04-19 15:21:57 UTC; 6s ago
  Process: 25333 ExecStartPre=/bin/sh -c if [ ! -f $CONFIG_FILE ]; then echo {} > $CONFIG_FILE; fi (code=exited, status=0/SUCCESS)
  Process: 25334 ExecStartPre=/bin/sh -c if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi (code=exited, status=0/SUCCESS)
  Process: 25336 ExecStartPre=/bin/sh -c if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi (code=exited, status=0/SUCCESS)
 Main PID: 25337 (osqueryd)
    Tasks: 13 (limit: 4701)
   Memory: 6.4M
   CGroup: /system.slice/osqueryd.service
           ??25337 /usr/bin/osqueryd --flagfile /etc/osquery/osquery.flags --config_path /etc/osquery/osquery.conf
           ??25339 /usr/bin/osqueryd

Apr 19 15:21:57 debian10 systemd[1]: Starting The osquery Daemon...
Apr 19 15:21:57 debian10 systemd[1]: Started The osquery Daemon.
Apr 19 15:21:57 debian10 osqueryd[25337]: osqueryd started [version=4.2.0]
Apr 19 15:21:57 debian10 osqueryd[25337]: I0419 15:21:57.261158 25339 events.cpp:863] Event publisher not enabled: auditeventpublisher: Publish
Apr 19 15:21:57 debian10 osqueryd[25337]: I0419 15:21:57.261485 25339 events.cpp:863] Event publisher not enabled: syslog: Publisher disabled v

osquery操作

osquery带有三个有用的组件:osqueryi,osqueryd和osqueryctl。 osqueryi是osquery交互式外壳,不与守护程序通信。您可以使用外壳程序运行查询以找出操作系统的当前状态。 osqueryd是一个主机监视守护程序,可用于计划查询和记录OS状态更改。 osqueryctl是用于测试配置的帮助脚本。

您可以通过运行以下命令来连接到osquery shell。

osqueryi

显示以下输出。

Using a virtual database. Need help, type '.help'

然后运行.help命令以查看osquery可用的所有选项。

osquery> .help

显示以下输出。

Welcome to the osquery shell. Please explore your OS!
You are connected to a transient 'in-memory' virtual database.

.all [TABLE]     Select all from a table
.bail ON|OFF     Stop after hitting an error
.echo ON|OFF     Turn command echo on or off
.exit            Exit this program
.features        List osquery's features and their statuses
.headers ON|OFF  Turn display of headers on or off
.help            Show this message
.mode MODE       Set output mode where MODE is one of:
                   csv      Comma-separated values
                   column   Left-aligned columns see .width
                   line     One value per line
                   list     Values delimited by .separator string
                   pretty   Pretty printed SQL results (default)
.nullvalue STR   Use STRING in place of NULL values
.print STR...    Print literal STRING
.quit            Exit this program
.schema [TABLE]  Show the CREATE statements
.separator STR   Change separator used by output mode
.socket          Show the osquery extensions socket path
.show            Show the current values for various settings
.summary         Alias for the show meta command
.tables [TABLE]  List names of tables
.types [SQL]     Show result of getQueryColumns for the given query
.width [NUM1]+   Set column widths for "column" mode
.timer ON|OFF      Turn the CPU timer measurement on or off
osquery> 

有许多表可用于查询。您可以使用以下命令列出所有表。

osquery> .table

显示以下输出。

  => acpi_tables
  => apparmor_profiles
  => apt_sources
  => arp_cache
  => atom_packages
  => augeas
  => authorized_keys
  => block_devices
  => carbon_black_info
  => carves
  => chrome_extensions
  => cpu_time
  => cpuid
  => crontab
  => curl
  => curl_certificate
  => deb_packages
  => device_file
  => device_hash
  => device_partitions
  => disk_encryption
  => dns_resolvers
  => docker_container_labels
  => docker_container_mounts

您可以将上表与osquery一起使用以查找各种系统信息。

使用osquery监视系统

您可以使用osquery.Advertisements监视内存使用情况,进程信息,磁盘空间,已登录用户等。

首先,使用以下命令启动osquery shell。

osqueryi

然后,您可以使用以下命令来获取系统的主机名,CPU内核和物理内存信息。

osquery> select hostname,cpu_physical_cores,physical_memory from system_info;

显示以下输出。

+------------+--------------------+-----------------+
| hostname   | cpu_physical_cores | physical_memory |
+------------+--------------------+-----------------+
| debian10   | 1                  | 1032937472      |
+------------+--------------------+-----------------+

要获取有关ssh_config文件的信息,请运行以下查询:

osquery> select * from ssh_configs;

显示以下输出。

W0419 15:47:17.043509 25397 virtual_table.cpp:959] The ssh_configs table returns data based on the current user by default, consider JOINing against the users table
W0419 15:47:17.043740 25397 virtual_table.cpp:974] Please see the table documentation: https://osquery.io/schema/#ssh_configs
+-----+--------+--------------------------+---------------------+
| uid | block  | option                   | ssh_config_file     |
+-----+--------+--------------------------+---------------------+
| 0   | host * | sendenv lang lc_*        | /etc/ssh/ssh_config |
| 0   | host * | hashknownhosts yes       | /etc/ssh/ssh_config |
| 0   | host * | gssapiauthentication yes | /etc/ssh/ssh_config |
+-----+--------+--------------------------+---------------------+
osquery> 

要获取系统中所有用户的列表,请运行以下查询:

osquery> SELECT * FROM users;

显示以下输出。

+-------+-------+------------+------------+-----------------+------------------------------------+----------------------+-------------------+------+
| uid   | gid   | uid_signed | gid_signed | username        | description                        | directory            | shell             | uuid |
+-------+-------+------------+------------+-----------------+------------------------------------+----------------------+-------------------+------+
| 0     | 0     | 0          | 0          | root            | root                               | /root                | /bin/bash         |      |
| 1     | 1     | 1          | 1          | daemon          | daemon                             | /usr/sbin            | /usr/sbin/nologin |      |
| 2     | 2     | 2          | 2          | bin             | bin                                | /bin                 | /usr/sbin/nologin |      |
| 3     | 3     | 3          | 3          | sys             | sys                                | /dev                 | /usr/sbin/nologin |      |
| 4     | 65534 | 4          | 65534      | sync            | sync                               | /bin                 | /bin/sync         |      |
| 5     | 60    | 5          | 60         | games           | games                              | /usr/games           | /usr/sbin/nologin |      |
| 6     | 12    | 6          | 12         | man             | man                                | /var/cache/man       | /usr/sbin/nologin |      |
| 7     | 7     | 7          | 7          | lp              | lp                                 | /var/spool/lpd       | /usr/sbin/nologin |      |

要列出系统中的所有非系统用户,请运行以下查询。

osquery> select * from users where uid <= 1000 limit 3;

显示以下输出。

+-----+-----+------------+------------+----------+-------------+-----------+-------------------+------+
| uid | gid | uid_signed | gid_signed | username | description | directory | shell             | uuid |
+-----+-----+------------+------------+----------+-------------+-----------+-------------------+------+
| 0   | 0   | 0          | 0          | root     | root        | /root     | /bin/bash         |      |
| 1   | 1   | 1          | 1          | daemon   | daemon      | /usr/sbin | /usr/sbin/nologin |      |
| 2   | 2   | 2          | 2          | bin      | bin         | /bin      | /usr/sbin/nologin |      |
+-----+-----+------------+------------+----------+-------------+-----------+-------------------+------+

要获取当前登录用户的列表,请运行以下查询:

osquery> select * from logged_in_users where type = 'user';

显示以下输出。

+------+------+-------+--------------+------------+-------+
| type | user | tty   | host         | time       | pid   |
+------+------+-------+--------------+------------+-------+
| user | root | pts/0 | 27.61.217.59 | 1587309538 | 19279 |
| user | root | pts/1 | 27.61.217.59 | 1587310737 | 25378 |
| user | root | pts/2 | 27.61.217.59 | 1587310997 | 25394 |
+------+------+-------+--------------+------------+-------+

要查看系统内存信息,请运行以下查询。

osquery> select * from memory_info;

显示以下输出。

+--------------+-------------+----------+------------+-------------+-----------+-----------+------------+-----------+
| memory_total | memory_free | buffers  | cached     | swap_cached | active    | inactive  | swap_total | swap_free |
+--------------+-------------+----------+------------+-------------+-----------+-----------+------------+-----------+
| 4138455040   | 2407211008  | 79745024 | 1384751104 | 0           | 556371968 | 954744832 | 0          | 0         |
+--------------+-------------+----------+------------+-------------+-----------+-----------+------------+-----------+
osquery> 

要查找系统上的平均负载,请运行以下查询:

osquery> select * from load_average;

显示以下输出。

+--------+----------+
| period | average  |
+--------+----------+
| 1m     | 0.000000 |
| 5m     | 0.000000 |
| 15m    | 0.000000 |
+--------+----------+
osquery> 

要获取系统上前五个软件包的列表,请运行以下查询:

osquery> select * from deb_packages top limit 5;

显示以下输出。

+-------------------+------------+--------------+------+-------+----------+
| name              | version    | source       | size | arch  | revision |
+-------------------+------------+--------------+------+-------+----------+
| acpi-support-base | 0.142-8    | acpi-support | 43   | all   | 8        |
| acpid             | 1:2.0.31-1 |              | 146  | amd64 | 1        |
| adduser           | 3.118      |              | 849  | all   |          |
| apparmor          | 2.13.2-10  |              | 1833 | amd64 | 10       |
| apt               | 1.8.2      |              | 4064 | amd64 |          |
+-------------------+------------+--------------+------+-------+----------+

要获取有关系统上运行的进程的信息,请运行以下查询:

osquery> SELECT DISTINCT processes.name, listening_ports.port, processes.pid FROM listening_ports JOIN processes USING (pid) WHERE listening_ports.address = '0.0.0.0';

显示以下输出。

+------+------+-----+
| name | port | pid |
+------+------+-----+
| sshd | 22   | 729 |
+------+------+-----+

要查找所有以前的登录名,请运行以下查询。

osquery> select * from last;

显示以下输出。

+----------+-------+-------+------+------------+--------------+
| username | tty   | pid   | type | time       | host         |
+----------+-------+-------+------+------------+--------------+
| root     | pts/0 | 1448  | 7    | 1587365277 | 27.61.217.41 |
| root     | pts/1 | 13392 | 7    | 1587368569 | 27.61.217.41 |
|          | pts/0 | 1004  | 8    | 1587376329 |              |
|          | pts/1 | 13321 | 8    | 1587376821 |              |
|          | ttyS0 | 748   | 8    | 1587465619 |              |
|          | tty1  | 749   | 8    | 1587465619 |              |
| root     | pts/0 | 1057  | 7    | 1587465664 | 27.61.217.9  |
| root     | pts/1 | 1375  | 7    | 1587465846 | 27.61.217.9  |
+----------+-------+-------+------+------------+--------------+

要列出crontab计划的所有作业,请运行以下查询。

osquery> select command, path from crontab ;

显示以下输出。

+----------------------------------------------------------------------------------------------------------------------------------------+-------------------+
| command                                                                                                                                | path              |
+----------------------------------------------------------------------------------------------------------------------------------------+-------------------+
| root cd / && run-parts --report /etc/cron.hourly                                                                                       | /etc/crontab      |
| root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )                                                       | /etc/crontab      |
| root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )                                                      | /etc/crontab      |
| root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )                                                     | /etc/crontab      |
| root if [ -x /usr/share/mdadm/checkarray ] && [ $(date +%d) -le 7 ]; then /usr/share/mdadm/checkarray --cron --all --idle --quiet; fi | /etc/cron.d/mdadm |

要查找系统上所有打开的端口,请运行以下查询:

osquery> select * from listening_ports;

显示以下输出。

+------+------+----------+--------+------------+-----+--------+----------------------------------------+---------------+
| pid  | port | protocol | family | address    | fd  | socket | path                                   | net_namespace |
+------+------+----------+--------+------------+-----+--------+----------------------------------------+---------------+
| 444  | 53   | 6        | 2      | 127.0.0.53 | 13  | 14910  |                                        | 4026531993    |
| 729  | 22   | 6        | 2      | 0.0.0.0    | 3   | 16940  |                                        | 4026531993    |
| 664  | 3306 | 6        | 2      | 127.0.0.1  | 69  | 15824  |                                        | 4026531993    |
| 544  | 6379 | 6        | 2      | 127.0.0.1  | 6   | 15472  |                                        | 4026531993    |
| 729  | 22   | 6        | 10     | ::         | 4   | 16951  |                                        | 4026531993    |
| 544  | 6379 | 6        | 10     | ::1        | 7   | 15473  |                                        | 4026531993    |
| 759  | 80   | 6        | 10     | ::         | 4   | 17009  |                                        | 4026531993    |
| 444  | 53   | 17       | 2      | 127.0.0.53 | 12  | 14909  |                                        | 4026531993    |
| 405  | 58   | 255      | 10     | ::         | 15  | 16039  |                                        | 4026531993    |

要列出最活跃的5个进程,请运行以下查询。

osquery> select count(pid) as total, name from processes group by name order by total desc limit 5;

显示以下输出。

+-------+---------+
| total | name    |
+-------+---------+
| 4     | sshd    |
| 3     | apache2 |
| 2     | systemd |
| 2     | bash    |
| 2     | agetty  |
+-------+---------+

结论

在上面的教程中,您学习了如何在Debian 10上安装和使用osquery。 osquery是在系统中查找后门,恶意软件或僵尸进程的非常有用的工具。有关osquery的更多信息, osquery 文档页面。

Source

Sidebar