
Osquery ist ein super-intergalaktisch-geiles Open-Source-Security-Programm (GPLv2), das eine plattformübergreifende Systemüberwachung auf Basis fescher SQL-Abfragen ermöglicht. Damit lassen sich z. B. gerade laufende Prozesse, offene Netzwerkverbindungen, aktive Firewall-Regeln, installierte Software oder auch Infos zum System und den angelegten Benutzern abfragen und in verschiedenen Formaten auftischen.

In diesem Blogeintrag gibt es eine Quick-n-Dirty-Anleitung, wie du Osquery auf einem Ubuntu-System installierst und es mit ein paar Beispiel-Abfragen zu deiner Bitsch machst. Für weiteren geilen, sehr erweiterbaren Scheiß gibt es die sehr ergiebige Dokumentation.

Osquery fix installieren

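# Install osquery from the official apt repository.
#
# Pin the full 40-hex-digit fingerprint, never a short key ID (short IDs are
# trivially collidable on public keyservers). Cross-check this value against
# the osquery installation docs before running it. The trailing "$" on these
# lines in the original were line-end markers from the author's editor, not
# part of the commands.
export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B

# apt-key is deprecated on current Debian/Ubuntu releases and, worse, a key it
# imports is trusted for *every* configured repository. Fetch the key into a
# dedicated keyring instead and bind it to this one repo with signed-by, so a
# compromise of pkg.osquery.io's key cannot be used to sign packages for
# other sources. (Run as root, as the original did.)
install -d -m 0755 /etc/apt/keyrings
gpg --keyserver keyserver.ubuntu.com --recv-keys "$OSQUERY_KEY"
gpg --export "$OSQUERY_KEY" > /etc/apt/keyrings/osquery.gpg

add-apt-repository "deb [arch=amd64 signed-by=/etc/apt/keyrings/osquery.gpg] https://pkg.osquery.io/deb deb main"
apt update && apt install osquery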

Zentrale Osquery-Konfiguration

Unter „/etc/osquery/osquery.conf“ liegt die zentrale Osquery-Konfiguration, in der man das Verhalten von osqueryd einstellt: Optionen setzen, Config-/Logger-Plugins auswählen, eigene Abfragen in den Schedule hängen und die mitgelieferten Query-Packs (nicht zu verwechseln mit Plugins) freischalten. Hinweis: `"host_identifier": "hostname"` ist in einer Flotte weder eindeutig noch stabil – für mehr als einen Host ist `uuid` die bessere Wahl (der Decorator unten liefert die UUID aus system_info ohnehin mit).

#===========================================================
# /etc/osquery/osquery.conf – Achtung: die Datei wird als JSON geparst.
# Solche Kopfzeilen sicherheitshalber nicht mit in die Datei kopieren.
#===========================================================
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "disable_logging": "false",
    "schedule_splay_percent": "10",
    "pidfile": "/var/osquery/osquery.pidfile",
    "events_expiry": "3600",
    "database_path": "/var/osquery/osquery.db",
    "verbose": "false",
    "worker_threads": "2",
    "enable_monitor": "true",
    "disable_events": "false",
    "disable_audit": "false",
    "audit_allow_config": "true",
    "host_identifier": "hostname",
    "enable_syslog": "true",
    "audit_allow_sockets": "true",
    "schedule_default_interval": "3600"
  },
  "schedule": {
    "crontab": {
      "query": "SELECT * FROM crontab;",
      "interval": 300
    },
    "system_profile": {
      "query": "SELECT * FROM osquery_schedule;"
    },
    "system_info": {
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      "interval": 3600
    }
  },
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  },
  "packs": {
     "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf",
     "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
     "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
     "incident-response": "/usr/share/osquery/packs/incident-response.conf",
     "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
     "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf"
  }
}

Osquery Beispielabfragen

Die Abfragen können entweder direkt in der interaktiven Osquery-Shell „osqueryi“ eingegeben oder – wie hier in den Beispielen – mit osqueryi „$BEFEHL;“ direkt rausgepeitscht werden. Hinweis: Tabellen wie iptables, crontab (fremde Benutzer) oder suid_bin liefern nur mit Root-Rechten vollständige Ergebnisse, osqueryi dafür also mit sudo starten.

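#===========================================================
# List every table this osquery build provides
#===========================================================
# The documented meta-command is ".tables" (the original used ".table").
osqueryi ".tables"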

#===========================================================
# Output modes of the osqueryi shell
#===========================================================
# NOTE(review): ".mode" is a shell meta-command and only affects the current
# session. Passed as a one-shot argument as below it sets the mode and the
# process exits, so in practice type these at the osquery> prompt. For
# one-shot invocations use the CLI flags further down instead.
osqueryi ".mode csv"
osqueryi ".mode list"
osqueryi ".mode column"
osqueryi ".mode line"
osqueryi ".mode pretty"

# One-shot CLI queries with a chosen output format (no shell session needed).
# --json is the form to feed into other tooling.
osqueryi --csv "SELECT * FROM system_info;"
osqueryi --list "SELECT * FROM system_info;"
osqueryi --json "SELECT * FROM system_info;"

#===========================================================
# Print the shell's current settings (output mode, separators, flags)
#===========================================================
osqueryi '.show'

#===========================================================
# Column definitions of individual tables
#===========================================================
# Without a table name the schema of every table is printed.
osqueryi '.schema'
osqueryi '.schema system_info'
osqueryi '.schema processes'
osqueryi '.schema users'

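#===========================================================
# Scheduled queries and loaded packs
#===========================================================
# The original comment called this "plugins/packs", but osquery_schedule
# lists the *scheduled queries* (plain schedule entries and pack queries
# alike); the loaded packs themselves live in osquery_packs. Both reflect the
# config loaded by this osqueryi process, so to see what osqueryd actually
# runs, point osqueryi at the daemon's config, e.g.
#   osqueryi --config_path /etc/osquery/osquery.conf "SELECT name FROM osquery_schedule;"
osqueryi "SELECT name, interval FROM osquery_schedule;"
osqueryi "SELECT name, platform, version FROM osquery_packs;"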

#===========================================================
# System information
#===========================================================
osqueryi 'SELECT * FROM uptime;'
osqueryi 'SELECT * FROM os_version;'
osqueryi 'SELECT * FROM system_info;'
# Hardware/identity summary in one row.
osqueryi 'SELECT hostname,
                 computer_name,
                 cpu_type,
                 physical_memory,
                 hardware_vendor,
                 hardware_model
          FROM system_info;'

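#===========================================================
# User queries
#===========================================================
osqueryi ".schema users"
osqueryi "SELECT * FROM users;"
osqueryi "SELECT COUNT(*) FROM users;"
# Login history (wtmp) and currently logged-in sessions (utmp).
osqueryi "SELECT * FROM last;"
osqueryi "SELECT * FROM logged_in_users;"
# Regular (human) accounts. Ubuntu allocates them from UID 1000 (UID_MIN in
# /etc/login.defs); the original mixed ">= 1000" and "> 500" (the older RHEL
# convention), which would have pulled system accounts 501-999 into the
# second and last query. Use 1000 consistently on Ubuntu.
osqueryi "SELECT * FROM users WHERE uid >= 1000;"
# type=7 is USER_PROCESS in utmp/wtmp, i.e. real user logins rather than
# reboots, runlevel changes or dead-process records.
osqueryi "SELECT username, time, host FROM last WHERE type=7;"
osqueryi "SELECT uid, gid, username, description, directory FROM users;"
osqueryi "SELECT uid, gid, username, description, directory FROM users WHERE uid >= 1000;"
osqueryi "SELECT username, time, host FROM last WHERE username NOT LIKE 'root%' ORDER BY username;"
# Group memberships of regular accounts (one row per user/group pair).
osqueryi "SELECT u.username, g.gid, g.groupname FROM users u JOIN user_groups ug USING (uid) JOIN groups g ON ug.gid = g.gid WHERE u.uid >= 1000;"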

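#===========================================================
# Process queries
#===========================================================
osqueryi ".schema processes"
osqueryi "SELECT pid, name, path FROM processes LIMIT 10;"
osqueryi "SELECT pid, name, path, cmdline FROM processes;"
osqueryi "SELECT pid, name, path, cmdline FROM processes WHERE name LIKE 'apache%' ORDER BY name;"
# LEFT JOIN keeps processes whose uid has no passwd entry (e.g. container
# workloads); an inner join would silently drop them.
osqueryi "SELECT p.pid, p.name, u.uid, u.username FROM processes AS p LEFT JOIN users AS u ON u.uid = p.uid;"
osqueryi "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY start_time DESC LIMIT 10;"
# Largest processes by total_size. The original multiplied by the *string*
# literal '10e-7' and relied on SQLite's implicit text->real coercion; use a
# numeric divisor. total_size is in bytes per the osquery schema (verify on
# your version), so this yields megabytes.
osqueryi "SELECT pid, name, ROUND(total_size / 1000000.0, 2) AS used_mb FROM processes ORDER BY total_size DESC LIMIT 10;"
osqueryi "SELECT pid, username, state, name, path, cwd, user_time, system_time FROM processes p JOIN users u ON u.uid = p.uid ORDER BY start_time DESC LIMIT 10;"
# Approximate CPU share since boot: per-process user+system time over the
# machine's non-idle time from cpu_time. The comma join is a deliberate cross
# join against a one-row subquery; the '* 1.0' forces real division.
osqueryi "SELECT pid, uid, name,
                 ROUND(((user_time + system_time) / (cpu_time.tsb - cpu_time.itsb)) * 100, 2) AS percentage
          FROM processes,
               (SELECT (SUM(user) + SUM(nice) + SUM(system) + SUM(idle) * 1.0) AS tsb,
                       SUM(COALESCE(idle, 0)) + SUM(COALESCE(iowait, 0)) AS itsb
                FROM cpu_time) AS cpu_time
          ORDER BY user_time + system_time DESC
          LIMIT 5;"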

#===========================================================
# Cron job queries
#===========================================================
# path tells you which crontab file a line came from (system vs. per-user).
osqueryi '.schema crontab'
osqueryi 'SELECT command, path FROM crontab;'
osqueryi 'SELECT minute,
                 hour,
                 day_of_month,
                 month,
                 day_of_week,
                 command,
                 path
          FROM crontab;'

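#===========================================================
# Firewall queries (iptables)
#===========================================================
# The iptables table reads the kernel's netfilter rules, so it typically
# needs root to return anything; on hosts that run nftables without the
# iptables compatibility layer it may come back empty.
osqueryi ".schema iptables"
osqueryi "SELECT * FROM iptables;"
osqueryi "SELECT chain, policy, src_ip, dst_ip FROM iptables;"
# NAT rules leaving the host (keyword case made consistent with the rest of the page).
osqueryi "SELECT chain, policy, src_ip, dst_ip FROM iptables WHERE chain='POSTROUTING' ORDER BY src_ip;"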

#===========================================================
# Mount point queries
#===========================================================
osqueryi '.schema mounts'
osqueryi 'SELECT * FROM mounts;'
# Same column set, unfiltered and then narrowed to one filesystem type each.
osqueryi 'SELECT device, path, type, inodes_free, flags FROM mounts;'
osqueryi "SELECT device, path, type, inodes_free, flags FROM mounts WHERE type = 'ext4';"
osqueryi "SELECT device, path, type, inodes_free, flags FROM mounts WHERE type = 'tmpfs';"

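#===========================================================
# Kernel queries
#===========================================================
osqueryi ".schema kernel_modules"
osqueryi "SELECT * FROM kernel_info;"
# Currently loaded modules (status 'Live'). Worth baselining: an unexpected
# module is a common rootkit indicator, which is also what the ossec-rootkit
# pack in the config above looks for.
osqueryi "SELECT name, used_by, status FROM kernel_modules WHERE status='Live';"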

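#===========================================================
# Network queries
#===========================================================
osqueryi "SELECT * FROM routes;"
osqueryi "SELECT * FROM etc_hosts;"
osqueryi "SELECT * FROM listening_ports;"
osqueryi "SELECT * FROM interface_details;"
osqueryi "SELECT * FROM interface_addresses;"
osqueryi "SELECT interface, mac, ipackets, opackets, ibytes, obytes FROM interface_details;"

# Process name, port and PID of listeners bound to the wildcard address. The
# original only matched the IPv4 wildcard 0.0.0.0 and therefore missed IPv6
# and dual-stack listeners, which bind to '::'. Match both.
osqueryi "SELECT DISTINCT processes.name, listening_ports.port, listening_ports.address, processes.pid FROM listening_ports JOIN processes USING (pid) WHERE listening_ports.address IN ('0.0.0.0', '::');"
# Every listener with its owning process, regardless of bind address.
osqueryi "SELECT DISTINCT process.name, listening.port, listening.address, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;"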

#===========================================================
# Package queries
#===========================================================
osqueryi 'SELECT * FROM apt_sources;'
osqueryi 'SELECT * FROM deb_packages;'
# Installed packages, sorted; then a single package; then everything but apache*.
osqueryi 'SELECT name, version FROM deb_packages ORDER BY name;'
osqueryi "SELECT name, version FROM deb_packages WHERE name = 'vim';"
osqueryi "SELECT name, version FROM deb_packages WHERE name NOT LIKE 'apache%' ORDER BY name;"
# Configured apt sources – useful for spotting a repository nobody added on purpose.
osqueryi 'SELECT name,
                 base_uri,
                 release,
                 maintainer,
                 components
          FROM apt_sources
          ORDER BY name;'

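#===========================================================
# Setuid binaries
#===========================================================
# Baseline this list and diff it regularly: a new or changed setuid/setgid
# binary is a classic privilege-escalation and persistence indicator. The
# table walks the filesystem, so run it as root for complete results.
osqueryi ".schema suid_bin"
osqueryi "SELECT * FROM suid_bin;"
# Keyword case made consistent with the rest of the page.
osqueryi "SELECT * FROM suid_bin WHERE username='root' AND groupname='nobody' ORDER BY path;"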