Install Osquery on Ubuntu 20.04

In this guide, we will learn how to install osquery on Ubuntu 20.04. Osquery is an open-source tool that lets you query an operating system the way you would query a relational database. It uses SQL-like queries to collect operating-system information for performance, security and compliance analysis. It runs on multiple platforms, including Linux, FreeBSD, macOS and Windows.

Install Osquery on Ubuntu 20.04

Install the Osquery APT Repository

The default Ubuntu repositories do not include the osquery package. However, osquery publishes an apt repository for each stable release. To add the osquery apt repository to Ubuntu 20.04, create the osquery sources list;

echo "deb [arch=amd64] https://pkg.osquery.io/deb deb main" | sudo tee /etc/apt/sources.list.d/osquery.list

Import the repository signing key. This is the key apt uses to verify the signatures on packages fetched from pkg.osquery.io, so do not skip it; apt-key is deprecated in later Ubuntu releases, but it still works on 20.04.

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B

Update the system package index

sudo apt update

Once the update completes, install osquery on Ubuntu 20.04;

sudo apt install osquery

Osquery components

The osquery package installs three basic components;

  • osqueryctl – a helper script for testing an osquery configuration/deployment and for managing the osqueryd service.
  • osqueryd – the osquery daemon, which schedules queries and records changes in OS state.
  • osqueryi – the osquery interactive shell. From the shell you can run ad-hoc queries to explore the state of the operating system.

To see how each of the above commands is used, pass the -h / --help option.

osqueryctl -h
Usage: /usr/bin/osqueryctl {clean|config-check|start|stop|status|restart}

For example, to start, stop and restart osqueryd with osqueryctl, run the following commands. The subcommand alone is enough, as the usage line above shows, and managing the service requires root;

sudo osqueryctl start
sudo osqueryctl stop
sudo osqueryctl restart

Running Osquery

Osquery can be run in standalone mode using osqueryi, or as a service using osqueryd. In this guide we focus on using the osquery interactive shell to query various system activities.

Run osquery in standalone mode

When osqueryi is run without any arguments, it drops you into the interactive shell prompt;

osqueryi
Using a virtual database. Need help, type '.help'
osquery>

You can get help by typing .help at the shell prompt.

osquery> .help
Welcome to the osquery shell. Please explore your OS!
You are connected to a transient 'in-memory' virtual database.

.all [TABLE]     Select all from a table
.bail ON|OFF     Stop after hitting an error
.echo ON|OFF     Turn command echo on or off
.exit            Exit this program
.features        List osquery's features and their statuses
.headers ON|OFF  Turn display of headers on or off
.help            Show this message
.mode MODE       Set output mode where MODE is one of:
                   csv      Comma-separated values
                   column   Left-aligned columns see .width
                   line     One value per line
                   list     Values delimited by .separator string
                   pretty   Pretty printed SQL results (default)
.nullvalue STR   Use STRING in place of NULL values
.print STR...    Print literal STRING
.quit            Exit this program
.schema [TABLE]  Show the CREATE statements
.separator STR   Change separator used by output mode
.socket          Show the osquery extensions socket path
.show            Show the current values for various settings
.summary         Alias for the show meta command
.tables [TABLE]  List names of tables
.types [SQL]     Show result of getQueryColumns for the given query
.width [NUM1]+   Set column widths for "column" mode
.timer ON|OFF      Turn the CPU timer measurement on or off
osquery>

System information tables

Osquery maps the various attributes of the OS onto the concept of a database made of tables. To list the tables that hold the different kinds of system information, run the .tables command at the osqueryi prompt.

osqueryi

osquery> .tables

Sample output;

=> acpi_tables
=> apt_sources
=> arp_cache
=> augeas
=> authorized_keys
=> block_devices
=> carbon_black_info
=> carves
=> chrome_extensions
=> cpu_time
…
=> time
=> uptime
=> usb_devices
=> user_events
=> user_groups
=> user_ssh_keys
=> users
=> yara
=> yara_events
=> yum_sources
osquery>

For illustration, let us look at what some of these tables contain.

select * from os_version;
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| name   | version                   | major | minor | patch | build | platform | platform_like | codename | arch   |
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| Ubuntu | 20.04.1 LTS (Focal Fossa) | 20    | 4     | 0     |       | ubuntu   | debian        | focal    | x86_64 |
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+

To list system users whose uid is 1000 or greater,

select * from users where uid >=1000;
+-------+-------+------------+------------+-----------+-------------+-----------------+-------------------+------+
| uid   | gid   | uid_signed | gid_signed | username  | description | directory       | shell             | uuid |
+-------+-------+------------+------------+-----------+-------------+-----------------+-------------------+------+
| 65534 | 65534 | 65534      | 65534      | nobody    | nobody      | /nonexistent    | /usr/sbin/nologin |      |
| 1000  | 1000  | 1000       | 1000       | koromicha | koromicha   | /home/koromicha | /bin/bash         |      |
| 65534 | 65534 | 65534      | 65534      | nobody    | nobody      | /               | /usr/sbin/nologin |      |
+-------+-------+------------+------------+-----------+-------------+-----------------+-------------------+------+

List all logged-in users. The tty '~' rows are the reboot/runlevel bookkeeping records in utmp rather than real sessions, so the query filters them out;

select user,tty,host,time from logged_in_users where tty not like '~';
+-----------+-------+--------------+------------+
| user      | tty   | host         | time       |
+-----------+-------+--------------+------------+
| koromicha | tty1  |              | 1613887707 |
| koromicha | pts/0 | 192.168.57.1 | 1613888358 |
+-----------+-------+--------------+------------+

Check system uptime;

select * from uptime;
+------+-------+---------+---------+---------------+
| days | hours | minutes | seconds | total_seconds |
+------+-------+---------+---------+---------------+
| 0    | 1     | 21      | 49      | 4909          |
+------+-------+---------+---------+---------------+

Show network interfaces and IP addresses, excluding the loopback interface;

select interface,address,mask from interface_addresses where interface NOT LIKE '%lo%';
+-----------+---------------------------------+-----------------------+
| interface | address                         | mask                  |
+-----------+---------------------------------+-----------------------+
| enp0s3    | 10.0.2.15                       | 255.255.255.0         |
| enp0s8    | 192.168.57.3                    | 255.255.255.0         |
| enp0s3    | fe80::a00:27ff:fe5c:52a%enp0s3  | ffff:ffff:ffff:ffff:: |
| enp0s8    | fe80::a00:27ff:fe7f:8415%enp0s8 | ffff:ffff:ffff:ffff:: |
+-----------+---------------------------------+-----------------------+
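The queries above each read a single table. The real value of osquery for a security engineer comes from joining tables, for example attaching a process and a user to every listening socket. The following is an added example of my own, not part of the original post, written in osquery's SQLite dialect against the standard Linux tables (listening_ports, processes, users, authorized_keys, suid_bin, crontab, deb_packages). Run it from a root shell (sudo osqueryi) so that per-user files such as authorized_keys are readable for every account; the path list in the SUID query and the uid >= 1000 threshold are assumptions for a stock Ubuntu host and should be tuned to your baseline.

```sql
-- Added example (not from the original post): security-oriented osquery queries
-- that join several of the tables listed above. Table and column names follow
-- osquery's Linux schema; thresholds and path lists are assumptions.

-- 1. Which process owns each non-loopback listening socket, and as which user?
--    listening_ports.protocol is numeric: 6 = TCP, 17 = UDP.
SELECT p.pid, p.name, p.path, u.username, lp.address, lp.port,
       CASE lp.protocol WHEN 6 THEN 'tcp' WHEN 17 THEN 'udp' ELSE lp.protocol END AS proto
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
LEFT JOIN users AS u ON u.uid = p.uid
WHERE lp.port != 0
  AND lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;

-- 2. Running processes whose executable is no longer present on disk
--    (a deleted or replaced binary is a classic post-exploitation sign).
SELECT pid, name, path, cmdline, uid
FROM processes
WHERE on_disk = 0;

-- 3. Every SSH key that grants login, paired with the account it grants it to.
--    authorized_keys is keyed by uid, so it is always joined through users.
SELECT u.username, u.directory, ak.key_file, ak.algorithm, ak.key
FROM users AS u
CROSS JOIN authorized_keys AS ak USING (uid);

-- 4. SUID/SGID executables outside the directories a base install populates.
--    The excluded prefixes are an assumption; replace them with your baseline.
SELECT path, username, groupname, permissions
FROM suid_bin
WHERE path NOT LIKE '/usr/bin/%'
  AND path NOT LIKE '/usr/sbin/%'
  AND path NOT LIKE '/usr/lib/%'
  AND path NOT LIKE '/bin/%'
  AND path NOT LIKE '/sbin/%';

-- 5. Cron entries, so persistence via crontab shows up next to everything else.
SELECT path, minute, hour, day_of_month, month, day_of_week, command
FROM crontab;

-- 6. Accounts that can log in interactively: root, or a regular user
--    (uid >= 1000 assumed) whose shell is not a nologin placeholder.
SELECT uid, username, directory, shell
FROM users
WHERE uid = 0
   OR (uid >= 1000 AND shell NOT IN ('/usr/sbin/nologin', '/bin/false'));

-- 7. Installed packages not maintained by Ubuntu or Debian, i.e. packages that
--    came from third-party repositories (osquery itself will appear here).
SELECT name, version, maintainer
FROM deb_packages
WHERE maintainer NOT LIKE '%ubuntu.com%'
  AND maintainer NOT LIKE '%debian.org%';
```

Each query is a one-shot snapshot when typed into osqueryi; the same statements can be scheduled in osqueryd, which then logs only the rows that were added or removed between runs.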

osquery command output view modes

The output view mode can be changed by running .mode MODE from within the osqueryi shell prompt, where MODE is one of line, csv, pretty (the default), column or list.

For example, to set line mode;

osquery> .mode line

When you run a query, the output is produced one value per line;

SELECT * FROM system_info;
          hostname = ubuntu20
              uuid = 269c209d-fc67-ec4f-bf56-c759a8296e14
          cpu_type = x86_64
       cpu_subtype = 142
         cpu_brand = Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz
cpu_physical_cores = 1
 cpu_logical_cores = 1
     cpu_microcode = 
   physical_memory = 2084356096
   hardware_vendor = innotek GmbH
    hardware_model = VirtualBox
  hardware_version = 1.2
   hardware_serial = 0
      board_vendor = Oracle Corporation
       board_model = VirtualBox
     board_version = 1.2
      board_serial = 0
     computer_name = ubuntu20
    local_hostname = ubuntu20

List installed system packages. The keyword top is not valid SQL and would be rejected by osquery's SQLite engine; limit alone restricts the number of rows returned;

select * from deb_packages limit 3;
      name = accountsservice
   version = 0.6.55-0ubuntu12~20.04.4
    source = 
      size = 452
      arch = amd64
  revision = 0ubuntu12~20.04.4
    status = install ok installed
maintainer = Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
   section = admin
  priority = optional

      name = adduser
   version = 3.118ubuntu2
    source = 
      size = 624
      arch = all
  revision = 
    status = install ok installed
maintainer = Ubuntu Core Developers <ubuntu-devel-discuss@lists.ubuntu.com>
   section = admin
  priority = important

Exit the Osquery Interactive Shell

To exit the osqueryi interactive shell prompt, osquery>, use the .exit command or press Ctrl+D.

osquery> .exit

Run Osquery as a Service

osqueryd is the osquery daemon that schedules queries and records changes in OS state. You use this daemon to run osquery as a service.

To do so, copy the example osquery configuration into the /etc/osquery directory as follows (the directory is root-owned, so this needs sudo);

sudo cp /usr/share/osquery/osquery.example.conf /etc/osquery/osquery.conf

Next, start the service;

sudo systemctl start osqueryd

Check the status;

systemctl status osqueryd
● osqueryd.service - The osquery Daemon
     Loaded: loaded (/lib/systemd/system/osqueryd.service; disabled; vendor preset: enabled)
     Active: active (running) since Sun 2021-02-21 07:42:48 UTC; 18s ago
    Process: 66618 ExecStartPre=/bin/sh -c if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi (code=exited, status=0/SUCCESS)
    Process: 66633 ExecStartPre=/bin/sh -c if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi (code=exited, status=0/SUCCESS)
   Main PID: 66634 (osqueryd)
      Tasks: 14 (limit: 2282)
     Memory: 7.6M
     CGroup: /system.slice/osqueryd.service
             ├─66634 /usr/bin/osqueryd --flagfile /etc/osquery/osquery.flags --config_path /etc/osquery/osquery.conf
             └─66637 /usr/bin/osqueryd

Feb 21 07:42:48 ubuntu20 systemd[1]: Starting The osquery Daemon...
Feb 21 07:42:48 ubuntu20 systemd[1]: Started The osquery Daemon.
Feb 21 07:42:48 ubuntu20 osqueryd[66634]: osqueryd started [version=4.6.0]
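The example file copied above is osquery's own sample; to make the daemon do useful security work you replace it with a configuration that schedules your queries. Below is an added, minimal /etc/osquery/osquery.conf of my own, not the project's example file, that schedules three of the queries from the interactive section. The schedule names, the intervals and logger_path are assumptions. After writing it, validate it with sudo osqueryctl config-check (the config-check subcommand is in the osqueryctl usage line shown earlier) and then sudo systemctl restart osqueryd; with the default filesystem logger, differential results are written to /var/log/osquery/osqueryd.results.log and snapshot queries to osqueryd.snapshots.log in the same directory.

```json
{
  "options": {
    "logger_path": "/var/log/osquery",
    "schedule_splay_percent": "10"
  },
  "schedule": {
    "listening_sockets_snapshot": {
      "query": "SELECT p.name, p.path, u.username, lp.address, lp.port, lp.protocol FROM listening_ports lp JOIN processes p USING (pid) LEFT JOIN users u ON u.uid = p.uid WHERE lp.port != 0;",
      "interval": 300,
      "snapshot": true
    },
    "authorized_keys_changes": {
      "query": "SELECT u.username, ak.key_file, ak.algorithm, ak.key FROM users u CROSS JOIN authorized_keys ak USING (uid);",
      "interval": 600
    },
    "suid_binary_changes": {
      "query": "SELECT path, username, groupname, permissions FROM suid_bin;",
      "interval": 3600
    }
  }
}
```

The first entry is marked snapshot, so every run logs the full set of listening sockets; the other two use the default differential mode, so osqueryd logs only the rows that appeared or disappeared since the previous run, which is exactly what you want when alerting on a new SSH key or a new SUID binary. schedule_splay_percent randomizes each interval slightly so a fleet does not hit the disk at the same instant.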

Well, that is how to install Osquery on Ubuntu 20.04. Note that the status output above reports the unit as loaded but disabled, so osqueryd will not come back after a reboot until you enable it with systemctl enable osqueryd. You can go on to explore this great tool.

Further reading

Osquery documentation

Other tutorials

Install and set up Kolide Fleet on Ubuntu 18.04

Install Kolide Fleet Osquery Fleet Manager on Debian 10

Install Osquery on Debian 10 Buster
