Lead Image © damedeeso, 123RF.com
Keep an eye on your network
Nosy Parker
A Linux installation has many tools to query different aspects of the system. Some tools, like top and ps, give a nice overview, whereas others, like ip, interface directly with the kernel. The number of tools at your disposal quickly multiplies if you manage a network with various operating systems, and, while having access to several utilities sounds like a good thing, juggling them and their respective syntax is quite bothersome.
If you crave a unified interface for querying the different aspects of the operating system, you need osquery. Osquery [1] is a cross-platform open source tool originally created by Facebook that, as its name suggests, is designed to query various details about the state of your machines.
The osquery tool works across Linux, Windows, and macOS and exposes operating system configuration data in the form of relational database tables. In other words, osquery turns a Linux installation into one giant database, with tables that you can query using SQL-like statements. With these queries, you can check on running processes, loaded kernel modules, and active user accounts, and you can even monitor file integrity, check the status and configuration of the firewall, perform security audits of the target server, and lots more. The tool uses a high level of the SQLite dialect, which isn't too difficult to grasp, even for those unfamiliar with SQL.
Loaded Question
Although osquery won't be available in your distribution's official repositories, installing it isn't much of an issue. The tool is available as a source tarball along with pre-packed binaries for RPM- and DEB-based distributions. You can also install it by adding its repository for your respective distribution. In this tutorial, I'll install osquery on top of a CentOS 7 installation.
If this is a pristine
...
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Turning machine state into a database
Learn how the osquery tool exposes system state in searchable form. -
Incident response with Velociraptor
The software incarnation of the feared predator in the Jurassic Park movies has been on the hunt for clues to cyberattacks and indicators of compromise. We show you how to tame the beast and use it for your own purposes. -
Security analysis with Security Onion
Security Onion offers a comprehensive security suite for intrusion detection that involves surprisingly little work. -
Checking your endpoints with Stethoscope
Intruders slip in when end users get sloppy. Check the health of your endpoint devices with Stethoscope. -
Centralized monitoring and intrusion detection
Security Onion bundles numerous individual Linux tools that help you monitor networks or fend off attacks to create a standardized platform for securing IT environments.
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
