Keep an eye on your network
Nosy Parker
Speak of the Devil
The other important component of the utility is the osquery daemon, osqueryd. It sits in the background and executes scheduled queries. Although osqueryd is installed along with osqueryi, it is not enabled by default: it needs a configuration file before it will run.
Creating a configuration file also makes osqueryi easier to use. Instead of passing a long list of command-line options, osqueryi can read them from the same file. Both tools look for the configuration file at /etc/osquery/osquery.conf, but the package does not ship with one. Instead, copy the sample configuration file that is available in /usr/share/osquery/osquery.example.conf.
The configuration file uses the JSON format. Most entries in the sample file are commented out; uncomment the options you want to enable. You can find the complete list of options and settings in the osquery wiki [3].
The configuration file is divided into three sections, as shown in Listing 1. At the top is the list of daemon options and settings, which are read by both osqueryi and osqueryd, followed by the list of scheduled queries and how often each should run. At the bottom is a list of query packs that contain more specific queries.
Listing 1
/etc/osquery/osquery.conf
01 {
02   "options": {
03     "host_identifier": "hostname",
04     "config_plugin": "filesystem",
05     "logger_plugin": "filesystem",
06     "logger_path": "/var/log/osquery",
07     "disable_logging": "false",
08     "schedule_splay_percent": 10
09   },
10   "schedule": {
11     "osquery_profile": {
12       "query": "SELECT * FROM osquery_info;",
13       "interval": 60
14     }
15   },
16   "packs": {
17     "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf",
18     "it_compliance": "/usr/share/osquery/packs/it-compliance.conf",
19     "incident_response": "/usr/share/osquery/packs/incident-response.conf"
20   }
21 }
I've used several options in the configuration file. The host_identifier field determines how the host running osquery is identified in the logs; the value hostname simply inserts the hostname of the computer on which the daemon is running. The config_plugin=filesystem option tells the daemon to read its configuration from a file on disk rather than from a remote server. Similarly, logger_plugin=filesystem tells it to write its logs to the filesystem. Related to it are the disable_logging=false option, which keeps logging switched on, and the logger_path option, which specifies the directory the logs are written to. Lastly, schedule_splay_percent randomly shifts each query's interval by up to 10 percent, so that queries inadvertently given the same interval don't all fire at the same moment.
Booster Packs
Besides the options, I've also added a query to the configuration. Although I've added just one query to my configuration file (line 12), I have also included three query packs (lines 17-19). Query packs [4] are JSON files that contain additional queries. Think of them as software libraries that you've just imported into the configuration file.
If you want to view or change the queries that the packs will run, you'll find the pack files under the /usr/share/osquery/packs directory, which is where Listing 1 points. It's a good idea to read through the queries inside any pack you want to use: you might want to change the interval at which a query runs, or disable some that aren't applicable to your machines.
When you're done, save and close the file and validate it with the command
$ sudo osqueryctl config-check
Make sure it reports no errors, but be aware that the check only verifies that the file is well-formed JSON. Double-check that every brace is closed at the right spot: if you close the options block early, for example, the remaining options become top-level keys that osqueryd silently ignores, so osqueryctl will not complain, but the config file won't do what you intended.
If you want to see all of the queries that are scheduled to run from the config, run the following in the osqueryi shell, which reads the same configuration file:
SELECT name FROM osquery_schedule;
This query lists every scheduled query, including those pulled in from the packs.
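The brace-closed-too-early problem above is easy to catch with a few lines of code, because the stray keys end up at the top level of the JSON document where osqueryd does not look for them. The following script is an added example written for this article and is not part of osquery: it flags unknown top-level keys, checks that every scheduled query carries both a query and an interval, and lists the names the configuration declares the way the osquery_schedule table would, using osquery's pack_<pack name>_<query name> convention for pack queries. The set of known sections, the sample configuration (Listing 1 with its options block closed one line too early) and the stand-in pack file are assumptions constructed for the example.

```python
"""Sanity-check an osquery.conf beyond what osqueryctl config-check reports.

Added example for this article; not part of the osquery project. config-check
only proves the file is well-formed JSON, so a brace closed one line too early
still passes. This script flags the keys that fell out of "options", checks
each scheduled query for the two fields it needs, and lists every query name
the config declares, including pack queries.
"""
import json
import sys
from pathlib import Path

# Top-level sections osqueryd understands (assumption based on the osquery docs).
KNOWN_SECTIONS = {"options", "schedule", "packs", "decorators", "file_paths",
                  "exclude_paths", "file_accesses", "events", "yara", "views"}

# Constructed sample: Listing 1 with "options" closed too early, one scheduled
# query missing its interval, and a single pack.
SAMPLE_CONF = """
{
  "options": {
    "host_identifier": "hostname",
    "config_plugin": "filesystem"
  },
  "logger_plugin": "filesystem",
  "logger_path": "/var/log/osquery",
  "schedule": {
    "osquery_profile": {"query": "SELECT * FROM osquery_info;", "interval": 60},
    "root_processes": {"query": "SELECT * FROM processes WHERE uid = 0;"}
  },
  "packs": {
    "incident_response": "/usr/share/osquery/packs/incident-response.conf"
  }
}
"""

# Constructed stand-in for the pack file referenced above (not the real pack).
SAMPLE_PACKS = {
    "/usr/share/osquery/packs/incident-response.conf": """
{
  "queries": {
    "listening_ports": {"query": "SELECT * FROM listening_ports;", "interval": 3600},
    "kernel_modules":  {"query": "SELECT * FROM kernel_modules;",  "interval": 3600}
  }
}
"""
}


def lint_config(conf_text):
    """Return a list of findings for the config; [] means nothing suspicious."""
    cfg = json.loads(conf_text)  # malformed JSON raises here, as config-check would
    findings = []
    for key in cfg:
        if key not in KNOWN_SECTIONS:
            findings.append(f"top-level key {key!r} is not a config section; "
                            "osqueryd will ignore it (brace closed too early?)")
    for name, entry in cfg.get("schedule", {}).items():
        for field in ("query", "interval"):
            if field not in entry:
                findings.append(f"scheduled query {name!r} has no {field!r}")
    return findings


def scheduled_query_names(conf_text, read_pack=None):
    """Names the config declares, as they appear in the osquery_schedule table.

    read_pack(path) must return a pack file's JSON text; by default pack files
    are read from disk. Inline pack objects are accepted as well.
    """
    if read_pack is None:
        read_pack = lambda path: Path(path).read_text()
    cfg = json.loads(conf_text)
    names = list(cfg.get("schedule", {}))
    for pack_name, pack_ref in cfg.get("packs", {}).items():
        pack = pack_ref if isinstance(pack_ref, dict) else json.loads(read_pack(pack_ref))
        # osquery names pack queries pack_<pack name>_<query name>
        names += [f"pack_{pack_name}_{q}" for q in pack.get("queries", {})]
    return sorted(names)


if __name__ == "__main__":
    # Real run: python3 lint_osquery_conf.py /etc/osquery/osquery.conf
    # Without an argument the constructed sample is linted instead.
    if len(sys.argv) > 1:
        text, reader = Path(sys.argv[1]).read_text(), None
    else:
        text, reader = SAMPLE_CONF, SAMPLE_PACKS.__getitem__
    for finding in lint_config(text) or ["no findings"]:
        print("finding:", finding)
    for name in scheduled_query_names(text, reader):
        print("scheduled:", name)
```

Run it against the real file after config-check passes; a clean configuration produces no findings, while the sample reports the two orphaned logger options and the query without an interval.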
Now that you have a valid configuration, you can start osqueryd either with systemctl or with the osqueryctl helper script, for example:
$ sudo osqueryctl start
As soon as the daemon comes to life, it creates the /var/log/osquery/osqueryd.results.log file to store the results, one JSON object per line. Results start showing up as the scheduled queries and packs run. Unfortunately, osquery has no alerting facility of its own, so the only way to see what the scheduled queries found is to read the results file. You can, however, use tail to print the last 10 lines of the file and then follow it, streaming each new result to your screen as it is written:
$ sudo tail -f /var/log/osquery/osqueryd.results.log
From here you can forward the results log to an external application, such as Zentral [5] or Elasticsearch [6], for log analysis and alert generation.
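Before wiring up a full log pipeline, it helps to know what the results file contains. Each line is a JSON object: differential queries log one row per change with an action of added or removed and the row in a columns object, while snapshot queries log the whole result set in a snapshot list. The script below is an added example for this article, not osquery's own code, that turns the results log into a minimal alerting facility: it parses the file, skips the partially written last line you get while tailing, and raises an alert for every newly added row that a per-query rule rejects. The sample log lines and the allowed-ports rule are constructed for the example; the query name follows the pack naming used in Listing 1.

```python
"""Turn osqueryd.results.log lines into alerts.

Added example for this article; not part of the osquery project. Differential
results carry "action" added/removed plus a "columns" object; snapshot results
carry an "action" of snapshot plus a "snapshot" list of rows. The sample lines
and the port allowlist below are constructed, not captured from a real host.
"""
import json

# Constructed sample of what osqueryd.results.log looks like.
SAMPLE_LOG = "\n".join([
    '{"name":"pack_incident_response_listening_ports","hostIdentifier":"web01",'
    '"calendarTime":"Tue Oct  1 12:00:00 2019 UTC","unixTime":1569931200,'
    '"columns":{"pid":"912","port":"443","protocol":"6","address":"0.0.0.0"},"action":"added"}',
    '{"name":"pack_incident_response_listening_ports","hostIdentifier":"web01",'
    '"calendarTime":"Tue Oct  1 12:01:00 2019 UTC","unixTime":1569931260,'
    '"columns":{"pid":"4021","port":"4444","protocol":"6","address":"0.0.0.0"},"action":"added"}',
    '{"name":"pack_incident_response_listening_ports","hostIdentifier":"web01",'
    '"calendarTime":"Tue Oct  1 12:02:00 2019 UTC","unixTime":1569931320,'
    '"columns":{"pid":"4021","port":"4444","protocol":"6","address":"0.0.0.0"},"action":"removed"}',
    '{"name":"osquery_profile","hostIdentifier":"web01","calendarTime":"Tue Oct  1 12:02:00 2019 UTC",'
    '"unixTime":1569931320,"action":"snapshot","snapshot":[{"pid":"700","version":"3.3.2"}]}',
    # a line the daemon has not finished writing yet
    '{"name":"pack_incident_response_listening_ports","hostIdentifier":"web01","calendarTime":"Tue Oc',
])


def parse_results(text):
    """Yield one dict per row: differential rows as-is, snapshot rows expanded.

    A line that is not complete JSON (the file is being appended to) is skipped.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # partially written trailing line
        base = {k: rec.get(k) for k in ("name", "hostIdentifier", "unixTime", "action")}
        if rec.get("action") == "snapshot":
            for row in rec.get("snapshot", []):
                yield dict(base, columns=row)
        else:
            yield dict(base, columns=rec.get("columns", {}))


def find_alerts(rows, rules):
    """rules maps a query name to a predicate over a row's columns that returns
    True when the row is acceptable. Every *added* row a rule rejects becomes an
    alert; removed rows and queries without a rule are ignored."""
    alerts = []
    for row in rows:
        check = rules.get(row["name"])
        if check is None or row["action"] != "added":
            continue
        if not check(row["columns"]):
            alerts.append(row)
    return alerts


# Constructed rule: only these TCP ports are expected to listen on this host.
ALLOWED_PORTS = {"22", "443"}
RULES = {
    "pack_incident_response_listening_ports":
        lambda cols: cols.get("protocol") != "6" or cols.get("port") in ALLOWED_PORTS,
}

if __name__ == "__main__":
    # Real run:  sudo python3 results_alerts.py < /var/log/osquery/osqueryd.results.log
    # Without piped input the constructed sample is used instead.
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for a in find_alerts(parse_results(text), RULES):
        c = a["columns"]
        print(f"ALERT {a['hostIdentifier']} {a['name']}: "
              f"pid {c.get('pid')} listening on {c.get('address')}:{c.get('port')}")
```

Only the added row for port 4444 triggers an alert; its later removed row does not, because a removed differential row means the listener has gone away, and the snapshot row belongs to a query with no rule. Column values in the results log are strings, which is why the allowlist compares "443" rather than 443.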
As you can see, osquery is a powerful tool for investigating one or many systems with plain SQL syntax. You can use it for one-off queries or combine it with a log analysis application to build a comprehensive threat-monitoring system.
Infos
- Osquery: http://osquery.io
- Available schemas: https://osquery.io/schema/3.3.2
- Configuration options: https://github.com/facebook/osquery/blob/master/docs/wiki/installation/cli-flags.md
- Query packs: http://osquery.readthedocs.org/en/stable/deployment/configuration/#query-packs
- Zentral: https://github.com/zentralopensource/zentral/wiki
- Osquery module in Elasticsearch: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-osquery.html