{"id":11530,"date":"2019-03-14T11:09:51","date_gmt":"2019-03-14T11:09:51","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=11530"},"modified":"2019-03-14T11:09:51","modified_gmt":"2019-03-14T11:09:51","slug":"how-to-monitor-linux-server-security-with-osquery","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/03\/14\/how-to-monitor-linux-server-security-with-osquery\/","title":{"rendered":"How to Monitor Linux Server Security with Osquery"},"content":{"rendered":"

Osquery<\/strong>\u00a0is a free open source, powerful and cross-platform SQL-based operating system instrumentation, monitoring, and analytics framework for Linux, FreeBSD, Windows, and Mac\/OS X systems, built by\u00a0Facebook<\/strong>. It is a simple and easy-to-use operating system explorer.<\/p>\n

It combines a number of tools which perform low-level OS analytics and monitoring; these tools reveal an operating system as a high-performance relational database such as\u00a0MySQL<\/strong>\/MariaDB<\/strong>,\u00a0PostgreSQL<\/strong>\u00a0and more, where OS concepts are represented in tabular form, thus allowing users to employ SQL commands to carry out system monitoring and analytics.<\/p>\n

Osquery<\/strong>\u00a0use a simple plugin and extensions API to implement SQL tables, there is a collection of tables in existence ready for use, and more are being written. Some tables can only be found on a specific operating system, for instance, you only find the kernel_modules table on Linux systems.<\/p>\n

Additionally, you can run queries to monitor and analyze OS state on a single host via the\u00a0osqueryi shell<\/strong>, or on several hosts on a network via a scheduler or execute them from any of your custom applications using osquery Thrift APIs.<\/p>\n

How to Install Osquery in Linux<\/h3>\n

The\u00a0Osquery<\/strong>\u00a0can be installed from the official repository using\u00a0apt<\/a>\u00a0yum<\/a>\u00a0or\u00a0dnf<\/a>\u00a0package management tool on your respective Linux distribution as shown.<\/p>\n

On Debian\/Ubuntu<\/h4>\n
$ export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B\r\n$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY\r\n$ sudo add-apt-repository 'deb [arch=amd64] https:\/\/pkg.osquery.io\/deb deb main'\r\n$ sudo apt update\r\n$ sudo apt install osquery\r\n<\/pre>\n
On RHEL\/CentOS<\/h4>\n
$ curl -L https:\/\/pkg.osquery.io\/rpm\/GPG | sudo tee \/etc\/pki\/rpm-gpg\/RPM-GPG-KEY-osquery\r\n$ sudo yum-config-manager --add-repo https:\/\/pkg.osquery.io\/rpm\/osquery-s3-rpm.repo\r\n$ sudo yum-config-manager --enable osquery-s3-rpm-repo\r\n$ sudo yum install osquery\r\n<\/pre>\n
On Fedora 22+<\/h4>\n
$ curl -L https:\/\/pkg.osquery.io\/rpm\/GPG | sudo tee \/etc\/pki\/rpm-gpg\/RPM-GPG-KEY-osquery\r\n$ dnf config-manager --add-repo --add-repo https:\/\/pkg.osquery.io\/rpm\/osquery-s3-rpm.repo\r\n$ sudo dnf config-manager --set-enabled osquery-s3-rpm\r\n$ sudo dnf install osquery\r\n<\/pre>\n
How to Monitor and Analyze Linux Using Osquery<\/h3>\n
Once you have successfully installed\u00a0Osquery<\/strong>\u00a0on your system, launch the\u00a0osqueryi<\/strong>\u00a0shell to start querying the state of your OS as shown.<\/p>\n
$ osqueryi<\/strong>\r\n\r\nUsing a virtual database. Need help, type '.help'\r\nosquery> \r\n<\/pre>\n
To get a summarized Linux system information run the following command.<\/p>\n
osquery> SELECT  * FROM system_info;\r\n<\/pre>\n
\n
\"Get<\/a><\/p>\n
Get Linux System Info<\/p>\n<\/div>\n
To get a well formated list of all users on the Linux system, run the following query.<\/p>\n
osquery> SELECT * FROM users;\r\n<\/pre>\n
\n
\"List<\/a><\/p>\n
List of All Linux Users<\/p>\n<\/div>\n
To get a list of all Linux kernel modules and their status, run the following query.<\/p>\n
osquery> SELECT * FROM kernel_modules;\r\n<\/pre>\n
\n
\"List<\/a><\/p>\n
List All Kernel Modules in Linux<\/p>\n<\/div>\n
To get a\u00a0list of all installed RPM packages<\/a>\u00a0on CentOS, RHEL and Fedora, run the following query.<\/p>\n
osquery> .all rpm_packages;\r\n<\/pre>\n
\n
\"List<\/a><\/p>\n
List All Installed RPM Packages<\/p>\n<\/div>\n
To get a informatin about running Linux processes, run the following query.<\/p>\n
osquery> SELECT DISTINCT processes.name, listening_ports.port, processes.pid FROM listening_ports JOIN processes USING (pid) WHERE listening_ports.address = '0.0.0.0';\r\n<\/pre>\n
\n
\"List<\/a><\/p>\n
List Linux Processes Information<\/p>\n<\/div>\n
If you are running\u00a0osquery<\/strong>\u00a0on a desktop and have\u00a0Firefox<\/strong>\u00a0or\u00a0Chrome<\/strong>\u00a0installed, you can list all your add-ons using the following query.<\/p>\n
osquery> .all firefox_addons;\r\nosquery> .all  chrome_extensions;\r\n<\/pre>\n
To display a list of all implemented tables in Linux, use the\u00a0.tables<\/strong>\u00a0command as shown.<\/p>\n
osquery> .tables;\t#list all implemented tables\r\nosquery> .help; \t#view help message\r\n<\/pre>\n
Osquery<\/strong>\u00a0also provides file integrity monitoring (FIM<\/strong>), and process and socket auditing features and more, thus it is an intrusion detection tool, but this calls for certain configurations before you can deploy it for such a purpose. You can find more information from the\u00a0Osquery Github repository<\/a>.<\/p>\n
Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Osquery\u00a0is a free open source, powerful and cross-platform SQL-based operating system instrumentation, monitoring, and analytics framework for Linux, FreeBSD, Windows, and Mac\/OS X systems, built by\u00a0Facebook. It is a simple and easy-to-use operating system explorer. It combines a number of tools which perform low-level OS analytics and monitoring; these tools reveal an operating system as … <\/p>\n
Continue reading “How to Monitor Linux Server Security with Osquery”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-11530","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=11530"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11530\/revisions"}],"predecessor-version":[{"id":11532,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11530\/revisions\/11532"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=11530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=11530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=11530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}