
How to install osquery on Debian 10



osquery is a free and open source tool developed by Facebook that lets you query operating system information, including memory usage, installed packages, process information, logged-in users, listening ports and much more, using SQL. It runs on multiple operating systems including Windows, Linux, FreeBSD and macOS. It is very useful for troubleshooting performance and operational problems, and it comes with several tools to help you perform OS analysis and monitoring.

In this tutorial we will teach you how to install and use osquery on Debian 10.

Prerequisites

  • A server running Debian 10.
  • A root password is configured on your server.

Getting Started

Before you begin, it is a good idea to update the system packages to their latest versions. You can update all packages with the following commands:

  apt-get update -y 
apt-get upgrade -y

After all packages have been updated, restart the system to apply the changes.

Installing osquery

By default, osquery is not available in the Debian 10 repository, so you need to add the osquery repository to your system.

Download and add the osquery GPG key with the following command:

  apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B

Next, add the osquery repository with the following commands:

  apt-get install software-properties-common -y
  add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'

Then update the package index and install osquery with the following commands:

  apt-get update -y 
apt-get install osquery -y

Once the installation is complete, start the osquery service with the following command:

  osqueryctl start osqueryd 

You can also verify the status of osquery with the following command:

  osqueryctl status osqueryd

You should see the following output:

● osqueryd.service - The osquery Daemon
   Loaded: loaded (/lib/systemd/system/osqueryd.service; disabled; vendor preset: enabled)
   Active: active (running) since Sun 2020-04-19 15:21:57 UTC; 6s ago
  Process: 25333 ExecStartPre=/bin/sh -c if [ ! -f $CONFIG_FILE ]; then echo '{}' > $CONFIG_FILE; fi (code=exited, status=0/SUCCESS)
  Process: 25334 ExecStartPre=/bin/sh -c if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi (code=exited, status=0/SUCCESS)
  Process: 25336 ExecStartPre=/bin/sh -c if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi (code=exited, status=0/SUCCESS)
 Main PID: 25337 (osqueryd)
    Tasks: 13 (limit: 4701)
   Memory: 6.4M
   CGroup: /system.slice/osqueryd.service
           ├─25337 /usr/bin/osqueryd --flagfile /etc/osquery/osquery.flags --config_path /etc/osquery/osquery.conf
           └─25339 /usr/bin/osqueryd

Apr 19 15:21:57 debian10 systemd[1]: Starting The osquery Daemon...
Apr 19 15:21:57 debian10 systemd[1]: Started The osquery Daemon.
Apr 19 15:21:57 debian10 osqueryd[25337]: osqueryd started [version=4.2.0]
Apr 19 15:21:57 debian10 osqueryd[25337]: I0419 15:21:57.261158 25339 events.cpp:863] Event publisher not enabled: auditeventpublisher: Publish
Apr 19 15:21:57 debian10 osqueryd[25337]: I0419 15:21:57.261485 25339 events.cpp:863] Event publisher not enabled: syslog: Publisher disabled v

Working with osquery

osquery comes with three useful components: osqueryi, osqueryd and osqueryctl. osqueryi is the interactive osquery shell; it does not communicate with the daemon. You can use the shell to run ad-hoc queries and explore the current state of your operating system. osqueryd is the host monitoring daemon, which can be used to schedule queries and log changes in OS state. osqueryctl is a helper script for testing a configuration and controlling the daemon.

You can run the following command to connect to the osquery shell:

  osqueryi 

You should get the following output:

Using a virtual database. Need help, type '.help'

Then run the .help command to see all available options with osquery:

  osquery> .help 

You should get the following output:

Welcome to the osquery shell. Explore your operating system!
You are connected to a transient in-memory virtual database.

.all [TABLE]       Select all from a table
.bail ON|OFF       Stop after hitting an error
.echo ON|OFF       Turn command echo on or off
.exit              Exit this program
.features          List osquery's features and their statuses
.headers ON|OFF    Turn display of headers on or off
.help              Show this message
.mode MODE         Set output mode where MODE is one of:
                     csv      Comma-separated values
                     column   Left-aligned columns see .width
                     line     One value per line
                     list     Values delimited by .separator string
                     pretty   Pretty printed SQL results (default)
.nullvalue STR     Use STRING in place of NULL values
.print STR...      Print literal STRING
.quit              Exit this program
.schema [TABLE]    Show the CREATE statements
.separator STR     Change separator used by output mode
.socket            Show the osquery extensions socket path
.show              Show the current values for various settings
.summary           Alias for the show meta command
.tables [TABLE]    List names of tables
.types [SQL]       Show result of getQueryColumns for the given query
.width [NUM1]+     Set column widths for "column" mode
.timer ON|OFF      Turn the CPU timer measurement on or off
osquery>

There are many tables available to query. You can list all tables with the following command:

  osquery> .tables

You should get the following output:

  => acpi_tables
  => apparmor_profiles
  => apt_sources
  => arp_cache
  => atom_packages
  => augeas
  => authorized_keys
  => block_devices
  => carbon_black_info
  => carves
  => chrome_extensions
  => cpu_time
  => cpuid
  => crontab
  => curl
  => curl_certificate
  => deb_packages
  => device_file
  => device_hash
  => device_partitions
  => disk_encryption
  => dns_resolvers
  => docker_container_labels
  => docker_container_mounts

You can query each of the tables above for the corresponding system information.

Monitor System with osquery

You can monitor memory usage, process information, disk space, logged-in users and much more with osquery.

First start the osquery shell with the following command:

  osqueryi 

Then you can get your system's hostname, number of physical CPU cores and physical memory with the following query:

  osquery> select hostname, cpu_physical_cores, physical_memory from system_info; 

You should get the following output:

+----------+--------------------+-----------------+
| hostname | cpu_physical_cores | physical_memory |
+----------+--------------------+-----------------+
| debian10 | 1                  | 1032937472      |
+----------+--------------------+-----------------+

To get information from the ssh_config file, run the following query:

  osquery> select * from ssh_configs; 

You should get the following output:

W0419 15:47:17.043509 25397 virtual_table.cpp:959] The table ssh_configs returns data based on the current user by default, consider joining the users table
W0419 15:47:17.043740 25397 virtual_table.cpp:974] See the table documentation: https://osquery.io/schema/#ssh_configs
+-----+--------+--------------------------+---------------------+
| uid | block  | option                   | ssh_config_file     |
+-----+--------+--------------------------+---------------------+
| 0   | host * | sendenv lang lc_*        | /etc/ssh/ssh_config |
| 0   | host * | hashknownhosts yes       | /etc/ssh/ssh_config |
| 0   | host * | gssapiauthentication yes | /etc/ssh/ssh_config |
+-----+--------+--------------------------+---------------------+
osquery>

To get a list of all users in your system, run the following query:

  osquery> SELECT * FROM users; 

You should get the following output:

+-----+-------+------------+------------+----------+-------------+----------------+-------------------+------+
| uid | gid   | uid_signed | gid_signed | username | description | directory      | shell             | uuid |
+-----+-------+------------+------------+----------+-------------+----------------+-------------------+------+
| 0   | 0     | 0          | 0          | root     | root        | /root          | /bin/bash         |      |
| 1   | 1     | 1          | 1          | daemon   | daemon      | /usr/sbin      | /usr/sbin/nologin |      |
| 2   | 2     | 2          | 2          | bin      | bin         | /bin           | /usr/sbin/nologin |      |
| 3   | 3     | 3          | 3          | sys      | sys         | /dev           | /usr/sbin/nologin |      |
| 4   | 65534 | 4          | 65534      | sync     | sync        | /bin           | /bin/sync         |      |
| 5   | 60    | 5          | 60         | games    | games       | /usr/games     | /usr/sbin/nologin |      |
| 6   | 12    | 6          | 12         | man      | man         | /var/cache/man | /usr/sbin/nologin |      |
| 7   | 7     | 7          | 7          | lp       | lp          | /var/spool/lpd | /usr/sbin/nologin |      |

To list all non-system users in your system, run the following query:

  osquery> select * from users where uid <= 1000 limit 3; 

You should get the following output:

+-----+-----+------------+------------+----------+-------------+-----------+-------------------+------+
| uid | gid | uid_signed | gid_signed | username | description | directory | shell             | uuid |
+-----+-----+------------+------------+----------+-------------+-----------+-------------------+------+
| 0   | 0   | 0          | 0          | root     | root        | /root     | /bin/bash         |      |
| 1   | 1   | 1          | 1          | daemon   | daemon      | /usr/sbin | /usr/sbin/nologin |      |
| 2   | 2   | 2          | 2          | bin      | bin         | /bin      | /usr/sbin/nologin |      |
+-----+-----+------------+------------+----------+-------------+-----------+-------------------+------+

To get the list of currently logged in users, run the following query:

  osquery> select * from logged_in_users where type = 'user';

You should get the following output:

+------+------+-------+--------------+------------+-------+
| type | user | tty   | host         | time       | pid   |
+------+------+-------+--------------+------------+-------+
| user | root | pts/0 | 27.61.217.59 | 1587309538 | 19279 |
| user | root | pts/1 | 27.61.217.59 | 1587310737 | 25378 |
| user | root | pts/2 | 27.61.217.59 | 1587310997 | 25394 |
+------+------+-------+--------------+------------+-------+

To view the memory information for your system, run the following query:

  osquery> select * from memory_info; 

You should get the following output:

+--------------+-------------+----------+------------+-------------+-----------+-----------+------------+-----------+
| memory_total | memory_free | buffers  | cached     | swap_cached | active    | inactive  | swap_total | swap_free |
+--------------+-------------+----------+------------+-------------+-----------+-----------+------------+-----------+
| 4138455040   | 2407211008  | 79745024 | 1384751104 | 0           | 556371968 | 954744832 | 0          | 0         |
+--------------+-------------+----------+------------+-------------+-----------+-----------+------------+-----------+
osquery>

To find the average load for your system, run the following query:

  osquery> select * from load_average; 

You should get the following output:

+--------+----------+
| period | average  |
+--------+----------+
| 1m     | 0.000000 |
| 5m     | 0.000000 |
| 15m    | 0.000000 |
+--------+----------+
osquery>

To get a list of the first five packages in your system, run the following query:

  osquery> select * from deb_packages limit 5;

You should get the following output:

+-------------------+------------+--------------+------+-------+----------+
| name              | version    | source       | size | arch  | revision |
+-------------------+------------+--------------+------+-------+----------+
| acpi-support-base | 0.144-8    | acpi-support | 43   | all   | 8        |
| acpid             | 1:2.0.31-1 |              | 146  | amd64 | 1        |
| adduser           | 3.118      |              | 849  | all   |          |
| apparmor          | 2.13.2-10  |              | 1833 | amd64 | 10       |
| apt               | 1.8.2      |              | 4064 | amd64 |          |
+-------------------+------------+--------------+------+-------+----------+

To find out which processes are listening on all interfaces (0.0.0.0), run the following query:

  osquery> SELECT DISTINCT processes.name, listening_ports.port, processes.pid FROM listening_ports JOIN processes USING (pid) WHERE listening_ports.address = '0.0.0.0';

You should get the following output:

+------+------+-----+
| name | port | pid |
+------+------+-----+
| sshd | 22   | 729 |
+------+------+-----+

To find all previous logins, run the following query:

  osquery> select * from last; 

You should get the following output:

+----------+-------+-------+------+------------+--------------+
| username | tty   | pid   | type | time       | host         |
+----------+-------+-------+------+------------+--------------+
| root     | pts/0 | 1448  | 7    | 1587365277 | 27.61.217.41 |
| root     | pts/1 | 13392 | 7    | 1587368569 | 27.61.217.41 |
|          | pts/0 | 1004  | 8    | 1587376329 |              |
|          | pts/1 | 13321 | 8    | 1587376821 |              |
|          | ttyS0 | 748   | 8    | 1587465619 |              |
|          | tty1  | 749   | 8    | 1587465619 |              |
| root     | pts/0 | 1057  | 7    | 1587465664 | 27.61.217.9  |
| root     | pts/1 | 1375  | 7    | 1587465846 | 27.61.217.9  |
+----------+-------+-------+------+------------+--------------+

To list all jobs scheduled by crontab, run the following query:

  osquery> Select command, path from crontab; 

You should get the following output:

+---------------------------------------------------------------------------------------------------------------------------------------+-------------------+
| command                                                                                                                               | path              |
+---------------------------------------------------------------------------------------------------------------------------------------+-------------------+
| root cd / && run-parts --report /etc/cron.hourly                                                                                      | /etc/crontab      |
| root test -x /usr/sbin/anacron || (cd / && run-parts --report /etc/cron.daily)                                                        | /etc/crontab      |
| root test -x /usr/sbin/anacron || (cd / && run-parts --report /etc/cron.weekly)                                                       | /etc/crontab      |
| root test -x /usr/sbin/anacron || (cd / && run-parts --report /etc/cron.monthly)                                                      | /etc/crontab      |
| root if [ -x /usr/share/mdadm/checkarray ] && [ $(date +%d) -le 7 ]; then /usr/share/mdadm/checkarray --cron --all --idle --quiet; fi | /etc/cron.d/mdadm |
+---------------------------------------------------------------------------------------------------------------------------------------+-------------------+

To find all open ports in your system, run the following query:

  osquery> select * from listen_ports; 

You should get the following output:

+-----+------+----------+--------+------------+----+--------+------+---------------+
| pid | port | protocol | family | address    | fd | socket | path | net_namespace |
+-----+------+----------+--------+------------+----+--------+------+---------------+
| 444 | 53   | 6        | 2      | 127.0.0.53 | 13 | 14910  |      | 4026531993    |
| 729 | 22   | 6        | 2      | 0.0.0.0    | 3  | 16940  |      | 4026531993    |
| 664 | 3306 | 6        | 2      | 127.0.0.1  | 69 | 15824  |      | 4026531993    |
| 544 | 6379 | 6        | 2      | 127.0.0.1  | 6  | 15472  |      | 4026531993    |
| 729 | 22   | 6        | 10     | ::         | 4  | 16951  |      | 4026531993    |
| 544 | 6379 | 6        | 10     | ::1        | 7  | 15473  |      | 4026531993    |
| 759 | 80   | 6        | 10     | ::         | 4  | 17009  |      | 4026531993    |
| 444 | 53   | 17       | 2      | 127.0.0.53 | 12 | 14909  |      | 4026531993    |
| 405 | 58   | 255      | 10     | ::         | 15 | 16039  |      | 4026531993    |

To list the 5 process names with the most running instances, run the following query:

  osquery> select count (pid) as total, name from processes group by name order by total desc limit 5; 

You should get the following output:

+-------+---------+
| total | name    |
+-------+---------+
| 4     | sshd    |
| 3     | apache2 |
| 2     | systemd |
| 2     | bash    |
| 2     | agetty  |
+-------+---------+
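The listening_ports/processes join from the earlier query, driven from Python rather than typed into osqueryi, as an added example that is not part of the original tutorial: it widens the check to IPv6 wildcard binds ("::"), reads rows from osqueryi --json when that binary is installed and otherwise from a constructed sample shaped like the listening_ports output above, and reports every TCP/UDP listener on a wildcard address that is not on an allowlist. The exposed_listeners helper, the allowlist, and the process names other than sshd and apache2 are assumptions.

```python
import json, shutil, subprocess

# The tutorial's listening_ports/processes join, widened so that IPv6 wildcard binds ("::")
# are returned too; column names are those of the osquery schema.
QUERY = ("SELECT DISTINCT p.name, p.pid, lp.port, lp.protocol, lp.family, lp.address "
         "FROM listening_ports AS lp JOIN processes AS p USING (pid) WHERE lp.port != 0;")

TCP, UDP = 6, 17                        # listening_ports.protocol values on Linux
WILDCARD_ADDRESSES = {"0.0.0.0", "::"}  # socket bound on every interface

def run_osquery(sql):
    """Run one query through osqueryi --json and return the rows (a list of dicts of strings)."""
    out = subprocess.run(["osqueryi", "--json", sql], capture_output=True, text=True, check=True)
    return json.loads(out.stdout)

def exposed_listeners(rows, allowlist):
    """Return sorted (name, port, proto) for TCP/UDP sockets bound to a wildcard address that
    are not in allowlist; loopback-only services and raw sockets (e.g. ICMPv6) are skipped."""
    found = set()
    for r in rows:
        proto = int(r["protocol"])
        if proto not in (TCP, UDP) or r["address"] not in WILDCARD_ADDRESSES:
            continue
        key = (r["name"], int(r["port"]), "tcp" if proto == TCP else "udp")
        if key not in allowlist:
            found.add(key)
    return sorted(found)

# Constructed sample in the shape osqueryi --json emits (every value is a string), mirroring the
# listening_ports output shown in the tutorial; process names other than sshd and apache2 are assumed.
SAMPLE_ROWS = [
    {"name": "systemd-resolve", "pid": "444", "port": "53", "protocol": "6", "family": "2", "address": "127.0.0.53"},
    {"name": "sshd", "pid": "729", "port": "22", "protocol": "6", "family": "2", "address": "0.0.0.0"},
    {"name": "mysqld", "pid": "664", "port": "3306", "protocol": "6", "family": "2", "address": "127.0.0.1"},
    {"name": "redis-server", "pid": "544", "port": "6379", "protocol": "6", "family": "2", "address": "127.0.0.1"},
    {"name": "sshd", "pid": "729", "port": "22", "protocol": "6", "family": "10", "address": "::"},
    {"name": "apache2", "pid": "759", "port": "80", "protocol": "6", "family": "10", "address": "::"},
    {"name": "systemd-resolve", "pid": "444", "port": "53", "protocol": "17", "family": "2", "address": "127.0.0.53"},
    {"name": "NetworkManager", "pid": "405", "port": "58", "protocol": "255", "family": "10", "address": "::"},
]

if __name__ == "__main__":
    # Use the live shell when present, otherwise the constructed sample above.
    rows = run_osquery(QUERY) if shutil.which("osqueryi") else SAMPLE_ROWS
    for name, port, proto in exposed_listeners(rows, allowlist={("sshd", 22, "tcp")}):
        print(f"unexpected listener: {name} {proto}/{port}")
```

With the sample rows and sshd on the allowlist, only apache2 on tcp/80 is reported; the raw socket on pid 405 and the loopback-only services are ignored.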

Conclusion

In this tutorial, we learned how to install and use osquery on Debian 10. osquery is a very useful tool for finding backdoors, malicious software or zombie processes on your system. For more information on osquery, visit the osquery documentation page.
