Install Osquery on Ubuntu 20.04

In this guide, we will learn how to install osquery on Ubuntu 20.04. Osquery is an open-source tool that lets you query an operating system as if it were a relational database. It uses SQL-like queries to collect operating system information for performance, security and compliance audit analysis. It runs on multiple platforms, including Linux, FreeBSD, macOS and Windows.

Install Osquery on Ubuntu 20.04

Install the Osquery APT Repository

The default Ubuntu repositories do not include the osquery package. However, osquery publishes an apt repository for each stable release. To add the osquery apt repository to Ubuntu 20.04, create the osquery sources list;

echo "deb [arch=amd64] https://pkg.osquery.io/deb deb main" | sudo tee /etc/apt/sources.list.d/osquery.list

Import the repository signing key

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B

Update the system package cache

sudo apt update

Once the update completes, install osquery on Ubuntu 20.04;

sudo apt install osquery

Osquery Components

The osquery package installs three basic components;

  • osqueryctl – an osquery helper script used to test an osquery configuration/deployment and to manage the osqueryd service.
  • osqueryd – the osquery daemon, which schedules queries and records changes in OS state.
  • osqueryi – the osquery interactive shell. From the shell you can run various queries to explore the state of the operating system.

To see how the above commands are used, pass the -h / --help option.

osqueryctl -h
Usage: /usr/bin/osqueryctl {clean|config-check|start|stop|status|restart}

For example, to start, stop and restart osqueryd using osqueryctl, run the following commands;

osqueryctl start osqueryd
osqueryctl stop osqueryd
osqueryctl restart osqueryd

Running Osquery

Osquery can be run in standalone mode using osqueryi, or as a service using osqueryd. In this guide, we focus on using the osquery interactive shell to query various system activity.

Run osquery in standalone mode

When osqueryi is run without any arguments, it drops you into the interactive shell prompt;

osqueryi
Using a virtual database. Need help, type '.help'
osquery>

You can get help by typing .help at the shell prompt.

osquery> .help
Welcome to the osquery shell. Please explore your OS!
You are connected to a transient 'in-memory' virtual database.

.all [TABLE]     Select all from a table
.bail ON|OFF     Stop after hitting an error
.echo ON|OFF     Turn command echo on or off
.exit            Exit this program
.features        List osquery's features and their statuses
.headers ON|OFF  Turn display of headers on or off
.help            Show this message
.mode MODE       Set output mode where MODE is one of:
                   csv      Comma-separated values
                   column   Left-aligned columns see .width
                   line     One value per line
                   list     Values delimited by .separator string
                   pretty   Pretty printed SQL results (default)
.nullvalue STR   Use STRING in place of NULL values
.print STR...    Print literal STRING
.quit            Exit this program
.schema [TABLE]  Show the CREATE statements
.separator STR   Change separator used by output mode
.socket          Show the osquery extensions socket path
.show            Show the current values for various settings
.summary         Alias for the show meta command
.tables [TABLE]  List names of tables
.types [SQL]     Show result of getQueryColumns for the given query
.width [NUM1]+   Set column widths for "column" mode
.timer ON|OFF      Turn the CPU timer measurement on or off
osquery>

System information tables

Osquery abstracts various OS attributes into the database concept of tables. To list the tables that hold the various system information, run the .tables command from within the osqueryi prompt.

osqueryi

osquery> .tables

Sample output;

=> acpi_tables
=> apt_sources
=> arp_cache
=> augeas
=> authorized_keys
=> block_devices
=> carbon_black_info
=> carves
=> chrome_extensions
=> cpu_time
…
=> time
=> uptime
=> usb_devices
=> user_events
=> user_groups
=> user_ssh_keys
=> users
=> yara
=> yara_events
=> yum_sources
osquery>

For demonstration purposes, let's look at what some of the tables contain.

select * from os_version;
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| name   | version                   | major | minor | patch | build | platform | platform_like | codename | arch   |
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| Ubuntu | 20.04.1 LTS (Focal Fossa) | 20    | 4     | 0     |       | ubuntu   | debian        | focal    | x86_64 |
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+

To query system users with a uid of 1000 or higher,

select * from users where uid >=1000;
+-------+-------+------------+------------+-----------+-------------+-----------------+-------------------+------+
| uid   | gid   | uid_signed | gid_signed | username  | description | directory       | shell             | uuid |
+-------+-------+------------+------------+-----------+-------------+-----------------+-------------------+------+
| 65534 | 65534 | 65534      | 65534      | nobody    | nobody      | /nonexistent    | /usr/sbin/nologin |      |
| 1000  | 1000  | 1000       | 1000       | koromicha | koromicha   | /home/koromicha | /bin/bash         |      |
| 65534 | 65534 | 65534      | 65534      | nobody    | nobody      | /               | /usr/sbin/nologin |      |
+-------+-------+------------+------------+-----------+-------------+-----------------+-------------------+------+

List all logged-in users;

select user,tty,host,time from logged_in_users where tty not like '~';
+-----------+-------+--------------+------------+
| user      | tty   | host         | time       |
+-----------+-------+--------------+------------+
| koromicha | tty1  |              | 1613887707 |
| koromicha | pts/0 | 192.168.57.1 | 1613888358 |
+-----------+-------+--------------+------------+

Check system uptime;

select * from uptime;
+------+-------+---------+---------+---------------+
| days | hours | minutes | seconds | total_seconds |
+------+-------+---------+---------+---------------+
| 0    | 1     | 21      | 49      | 4909          |
+------+-------+---------+---------+---------------+

Show network interfaces and IP addresses;

select interface,address,mask from interface_addresses where interface NOT LIKE '%lo%';
+-----------+---------------------------------+-----------------------+
| interface | address                         | mask                  |
+-----------+---------------------------------+-----------------------+
| enp0s3    | 10.0.2.15                       | 255.255.255.0         |
| enp0s8    | 192.168.57.3                    | 255.255.255.0         |
| enp0s3    | fe80::a00:27ff:fe5c:52a%enp0s3  | ffff:ffff:ffff:ffff:: |
| enp0s8    | fe80::a00:27ff:fe7f:8415%enp0s8 | ffff:ffff:ffff:ffff:: |
+-----------+---------------------------------+-----------------------+

osquery command output view modes

The osquery command output view mode can be changed by running .mode MODE from within the osqueryi shell prompt, where MODE is one of line, csv, pretty (the default), column and list.

For example, set the view to line mode;

osquery> .mode line

When you run a query, the output is now produced one value per line;

SELECT * FROM system_info;
          hostname = ubuntu20
              uuid = 269c209d-fc67-ec4f-bf56-c759a8296e14
          cpu_type = x86_64
       cpu_subtype = 142
         cpu_brand = Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz
cpu_physical_cores = 1
 cpu_logical_cores = 1
     cpu_microcode = 
   physical_memory = 2084356096
   hardware_vendor = innotek GmbH
    hardware_model = VirtualBox
  hardware_version = 1.2
   hardware_serial = 0
      board_vendor = Oracle Corporation
       board_model = VirtualBox
     board_version = 1.2
      board_serial = 0
     computer_name = ubuntu20
    local_hostname = ubuntu20

List installed system packages;

select * from deb_packages limit 3;
      name = accountsservice
   version = 0.6.55-0ubuntu12~20.04.4
    source = 
      size = 452
      arch = amd64
  revision = 0ubuntu12~20.04.4
    status = install ok installed
maintainer = Ubuntu Developers <[email protected]>
   section = admin
  priority = optional

      name = adduser
   version = 3.118ubuntu2
    source = 
      size = 624
      arch = all
  revision = 
    status = install ok installed
maintainer = Ubuntu Core Developers <[email protected]>
   section = admin
  priority = important

Exit the Osquery Interactive Shell

To exit the osqueryi interactive shell, osquery>, use the .exit command or simply press the Ctrl+d key combination.

osquery> .exit

Run Osquery as a Service

osqueryd is the osquery daemon, which schedules queries and records changes in OS state. You use this daemon to run osquery as a service.

To do so, copy the sample osquery configuration into the /etc/osquery directory as follows;

sudo cp /usr/share/osquery/osquery.example.conf /etc/osquery/osquery.conf

Next, start the service;

sudo systemctl start osqueryd

Check the status;

systemctl status osqueryd
● osqueryd.service - The osquery Daemon
     Loaded: loaded (/lib/systemd/system/osqueryd.service; disabled; vendor preset: enabled)
     Active: active (running) since Sun 2021-02-21 07:42:48 UTC; 18s ago
    Process: 66618 ExecStartPre=/bin/sh -c if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi (code=exited, status=0/SUCCESS)
    Process: 66633 ExecStartPre=/bin/sh -c if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi (code=exited, status=0/SUCCESS)
   Main PID: 66634 (osqueryd)
      Tasks: 14 (limit: 2282)
     Memory: 7.6M
     CGroup: /system.slice/osqueryd.service
             ├─66634 /usr/bin/osqueryd --flagfile /etc/osquery/osquery.flags --config_path /etc/osquery/osquery.conf
             └─66637 /usr/bin/osqueryd

Feb 21 07:42:48 ubuntu20 systemd[1]: Starting The osquery Daemon...
Feb 21 07:42:48 ubuntu20 systemd[1]: Started The osquery Daemon.
Feb 21 07:42:48 ubuntu20 osqueryd[66634]: osqueryd started [version=4.6.0]
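As an added example, not the page's own configuration and not the osquery.example.conf shipped by the package, here is a minimal /etc/osquery/osquery.conf that schedules the logged-in-users and deb_packages queries run interactively above, plus a join of users with authorized_keys so that osqueryd records which SSH keys each account trusts. The table, column and option names are osquery's; the query names, the intervals and the 10% splay are choices assumed here, and osquery strips the // comments from its config just as it does for the shipped example file.

```json
{
  // Daemon options; "filesystem" reads this file and writes results to logger_path.
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    // Assumed: spread query start times by up to 10% of the interval.
    "schedule_splay_percent": "10",
    "utc": "true"
  },
  // Scheduled queries; osqueryd logs only rows added or removed since the
  // previous run of each query (differential logging), so unchanged state is quiet.
  "schedule": {
    // Same query as the interactive example above, every 5 minutes (assumed interval).
    "logged_in_users": {
      "query": "SELECT user, tty, host, time FROM logged_in_users WHERE tty NOT LIKE '~';",
      "interval": 300
    },
    // Join users to authorized_keys on uid so each key is tied to an account;
    // a new row here means a new key was trusted for a login account.
    "trusted_ssh_keys": {
      "query": "SELECT u.username, a.key_file, a.algorithm, a.key FROM users u JOIN authorized_keys a USING (uid) WHERE u.uid >= 1000;",
      "interval": 3600
    },
    // Package inventory; added/removed rows show installs, removals and upgrades.
    "installed_packages": {
      "query": "SELECT name, version, arch, status FROM deb_packages;",
      "interval": 3600
    }
  }
}
```

Validate the file with osqueryctl config-check before restarting osqueryd; results then accumulate in /var/log/osquery/osqueryd.results.log.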

Well, that is how to install osquery on Ubuntu 20.04. You can now continue exploring this great tool.

Further Reading

Osquery documentation

Other Tutorials

Install and Set Up Kolide Fleet on Ubuntu 18.04

Install Kolide Fleet Osquery Fleet Manager on Debian 10

Install Osquery on Debian 10 Buster
