Neil
Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.

OSQuery system information Centos Rhel 8

This post is about querying system information with osquery on CentOS/RHEL 8.

Introduction

osquery is an operating system instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD. The tools make low-level operating system analytics and monitoring both performant and intuitive.
osquery exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data. For example, with osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events, or file hashes.

Installing osquery

The osquery build produces a ‘universal’ Linux package for each package distribution system. These packages contain the osquery daemon, the shell, an example configuration, and startup scripts.

Install the release RPM directly with dnf:

# dnf install https://osquery-packages.s3.us-east-1.amazonaws.com/rpm/osquery-5.2.2-1.linux.x86_64.rpm -y

Or install it from the osquery yum repository (the first command imports the package signing key):

# curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
# yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
# yum-config-manager --enable osquery-s3-rpm-repo
# dnf install osquery -y

Running osquery

To start a standalone osquery, use osqueryi, the interactive shell. It does not need an osquery server or service.

After exploring the rest of the documentation, you should understand the basics of configuration and logging. These and most other concepts apply to osqueryd, the daemon, too. To start the daemon, copy the example configuration into place and start the service with systemctl:

# cp /opt/osquery/share/osquery/osquery.example.conf /etc/osquery/osquery.conf
# systemctl start osqueryd

Command-line flags


The osquery shell and daemon use optional command-line (CLI) flags to control initialization, disable/enable features, and select plugins. These flags are powered by Google Flags and are somewhat complicated. Understanding how flags work in osquery will help with stability and significantly reduce debugging time.

Most flags apply to both tools, osqueryi and osqueryd. The shell has a few more to help with printing and other useful one-off modes of operation. Expect Linux, macOS, and Windows to include platform-specific flags too; most of them control the OS API and library integrations used by osquery. Note that this is still not the ‘complete set’ of flags: refer to the osquery_flags queries below for ground truth and check the rest of the osquery documentation.

Flags that do not control startup settings may be included as “options” within the configuration. Essentially, any flag that osquery needs in order to find and load its configuration must be supplied via command-line arguments. Google Flags extends this so that flags can also be set in environment variables or in a “master” flag file.

To list every flag together with its current value, start the shell and query the osquery_flags table:

# osqueryi
osquery> SELECT * FROM osquery_flags;

To see the flags that have been updated by your configuration, a flag file, or by the shell try:

osquery> SELECT * FROM osquery_flags WHERE default_value <> value;

OS version query

osquery> select * from os_version;
+--------------+-------+-------+-------+-------+
| name         | major | minor | patch | build |
+--------------+-------+-------+-------+-------+
| CentOS Linux | 8     | 5     | 2111  |       |
+--------------+-------+-------+-------+-------+

System info query

osquery> select hostname, cpu_brand, hardware_vendor, hardware_model from system_info;
+---------------+-------------------------------------------+-----------------+----------------+
| hostname      | cpu_brand                                 | hardware_vendor | hardware_model |
+---------------+-------------------------------------------+-----------------+----------------+
| node1.unixcop | Intel(R) v3 @ 2.60GHz                     | Red Hat         | VirtualBox     |
+---------------+-------------------------------------------+-----------------+----------------+

Users info query (accounts with a UID of 1001 or above, i.e. the locally created users):

osquery> select uid, gid, username, shell from users where uid >= 1001;
+------+------+----------+-----------+
| uid  | gid  | username | shell     |
+------+------+----------+-----------+
| 1001 | 1001 | unix     | /bin/bash |
| 1002 | 1002 | redhat   | /bin/bash |
| 1003 | 1003 | centos   | /bin/bash |
+------+------+----------+-----------+

CPU info query

osquery> select * from cpu_time;
+------+------+------+--------+--------+--------+-----+---------+-------+-------+------------+
| core | user | nice | system | idle   | iowait | irq | softirq | steal | guest | guest_nice |
+------+------+------+--------+--------+--------+-----+---------+-------+-------+------------+
| 0    | 685  | 0    | 456    | 498134 | 4      | 0   | 12      | 4     | 0     | 0          |
| 1    | 4502 | 0    | 2263   | 494858 | 10     | 0   | 4       | 2     | 0     | 0          |
| 2    | 1189 | 0    | 887    | 497573 | 18     | 0   | 0       | 33    | 0     | 0          |
| 3    | 2100 | 0    | 2033   | 497503 | 7      | 0   | 0       | 2     | 0     | 0          |
+------+------+------+--------+--------+--------+-----+---------+-------+-------+------------+
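The queries above are typed into osqueryi by hand. The same SQL becomes useful for monitoring once osqueryd runs it on a schedule and writes the results to its log, where a new local account shows up as an "added" row of the users query. The following is an added example (not code from the post or from the osquery project): it renders a small osquery.conf schedule for the post's users and os_version queries, with two non-startup flags placed in the "options" section, and parses a constructed sample of osqueryd's differential results log to pick out newly added accounts that have a login shell. The query name local_users, the sample log lines, and the unmonitored log path are assumptions made for the example.

```python
import json

# Constructed example: a schedule for osqueryd that runs the same queries the
# post issues interactively in osqueryi. "local_users" is differential, so
# osqueryd logs only rows that appear or disappear between runs; "os_version"
# is a snapshot, so every run logs the whole result set.
OSQUERY_CONF = {
    # Non-startup flags can be given here instead of on the command line.
    "options": {
        "schedule_splay_percent": "10",
        "utc": "true",
    },
    "schedule": {
        "local_users": {
            "query": "select uid, gid, username, shell from users where uid >= 1001;",
            "interval": 300,
        },
        "os_version": {
            "query": "select * from os_version;",
            "interval": 3600,
            "snapshot": True,
        },
    },
}


def render_config() -> str:
    """Serialise the schedule as the JSON osqueryd reads from osquery.conf."""
    return json.dumps(OSQUERY_CONF, indent=2)


# Shells that do not allow an interactive login; an account created with one
# of these is a service account rather than a new way into the box.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_results(lines):
    """Parse osqueryd's differential results log (one JSON object per line).

    Returns only the events produced by the local_users query; blank lines,
    malformed lines and snapshot entries (which carry no "columns") are skipped.
    """
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("name") == "local_users" and "columns" in event:
            events.append(event)
    return events


def new_login_accounts(events):
    """Return (username, uid, host) for every account added with a login shell."""
    hits = []
    for event in events:
        if event.get("action") != "added":
            continue
        cols = event["columns"]
        if cols.get("shell") in NOLOGIN_SHELLS:
            continue
        hits.append((cols["username"], int(cols["uid"]), event.get("hostIdentifier")))
    return hits


# Constructed sample of /var/log/osquery/osqueryd.results.log (path assumed).
# The first run populates the table with the post's "unix" and "redhat" users;
# later runs add a service account, add a new login account, and remove one.
SAMPLE_RESULTS_LOG = """\
{"name":"local_users","hostIdentifier":"node1.unixcop","calendarTime":"Mon Mar  7 10:00:00 2022 UTC","unixTime":1646647200,"action":"added","columns":{"uid":"1001","gid":"1001","username":"unix","shell":"/bin/bash"}}
{"name":"local_users","hostIdentifier":"node1.unixcop","calendarTime":"Mon Mar  7 10:00:00 2022 UTC","unixTime":1646647200,"action":"added","columns":{"uid":"1002","gid":"1002","username":"redhat","shell":"/bin/bash"}}
{"name":"os_version","hostIdentifier":"node1.unixcop","calendarTime":"Mon Mar  7 10:00:00 2022 UTC","unixTime":1646647200,"snapshot":[{"name":"CentOS Linux","major":"8","minor":"5","patch":"2111","build":""}]}
{"name":"local_users","hostIdentifier":"node1.unixcop","calendarTime":"Mon Mar  7 10:05:00 2022 UTC","unixTime":1646647500,"action":"added","columns":{"uid":"1003","gid":"1003","username":"backupsvc","shell":"/sbin/nologin"}}
{"name":"local_users","hostIdentifier":"node1.unixcop","calendarTime":"Mon Mar  7 10:10:00 2022 UTC","unixTime":1646647800,"action":"added","columns":{"uid":"1004","gid":"1004","username":"centos","shell":"/bin/bash"}}
{"name":"local_users","hostIdentifier":"node1.unixcop","calendarTime":"Mon Mar  7 10:15:00 2022 UTC","unixTime":1646648100,"action":"removed","columns":{"uid":"1002","gid":"1002","username":"redhat","shell":"/bin/bash"}}
"""


def main():
    print(render_config())
    events = parse_results(SAMPLE_RESULTS_LOG.splitlines())
    for username, uid, host in new_login_accounts(events):
        print(f"new login-capable account {username} (uid {uid}) on {host}")


if __name__ == "__main__":
    main()
```

Write the output of render_config() to /etc/osquery/osquery.conf in place of the example file copied earlier, restart osqueryd, and the first run logs the existing accounts as "added" rows; after that only genuine changes are logged, which is what makes a differential query cheap to alert on. Startup flags such as the config path still belong in the flag file or on the command line, not in the "options" section.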
