Keep an eye on your network

Speak of the Devil

The other important component of the utility is the osquery daemon, osqueryd. It sits in the background and executes scheduled queries. Although osqueryd is installed along with osqueryi, it's not enabled by default, and it does nothing useful until you give it a configuration file.

Creating a configuration file also makes osqueryi easier to use. Instead of passing a long list of command-line options, osqueryi can read those options from the same file. Both tools look for the configuration file at /etc/osquery/osquery.conf, but the package does not ship with one. Instead, copy the sample configuration file from /usr/share/osquery/osquery.example.conf to that location and edit it.

The configuration file uses the JSON format. Most of the sample file is commented out; uncomment the options you want to enable. You can find the complete list of options and settings in the osquery wiki [3].

The configuration file is divided into three sections, as shown in Listing 1. At the top is the list of daemon options and settings, which both osqueryi and osqueryd read, followed by the schedule, a list of queries and the interval at which each should run. At the bottom is a list of query packs that contain more specific, pre-written queries.

Listing 1

/etc/osquery/osquery.conf

01 {
02  "options": {
03     "host_identifier": "hostname",
04     "config_plugin": "filesystem",
05     "logger_plugin": "filesystem",
06     "logger_path": "/var/log/osquery",
07     "disable_logging": "false",
08     "schedule_splay_percent": 10
09  },
10  "schedule": {
11     "osquery_profile": {
12         "query": "SELECT * FROM osquery_info;",
13         "interval": 60
14     }
15  },
16  "packs": {
17     "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf",
18     "it_compliance": "/usr/share/osquery/packs/it-compliance.conf",
19     "incident_response": "/usr/share/osquery/packs/incident-response.conf"
20  }
21 }

I've used several options in the configuration file. The host_identifier field determines how the host running osquery is identified in the logs; hostname simply inserts the hostname of the computer on which the daemon is running. The config_plugin=filesystem option tells the daemon to read its configuration from a file on disk.

Similarly, logger_plugin=filesystem tells it to write the logs to the filesystem. Related to it are the disable_logging=false option, which keeps result logging switched on, and the logger_path option, which specifies the directory for the log files. Lastly, schedule_splay_percent randomly offsets each query's interval by up to 10 percent, so that queries that happen to share the same interval don't all fire at the same moment and spike the load on the host.

Booster Packs

Besides the options, I've also added a query to the configuration. Although I've added just one query of my own (line 12), I have also included three query packs (lines 17-19). Query packs [4] are JSON files that contain additional scheduled queries, each with its own interval. Think of them as software libraries that you've just imported into the configuration file.

If you want to view or change the queries that will be running from the packs, you'll find the pack files under the /usr/share/osquery/packs directory, the location referenced in Listing 1. It's a good idea to read through the queries inside the packs you enable, because you might want to change the interval at which a query runs or disable queries that aren't applicable to your machines.

When you're done, save and close the file and validate it with the command

sudo osqueryctl config-check

Make sure there aren't any errors, and double-check that every opening brace is closed at the right spot. If you close a section such as "schedule" too early, the file can still be valid JSON, so osqueryctl will not report an error, but the queries that ended up outside the section are silently ignored and the configuration won't work as intended.
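The following checker, an added example that is not part of the article or of osquery, does what config-check does not: it parses the file the way a reader would and then flags top-level keys that osqueryd does not know about, which is exactly what a prematurely closed "schedule" brace produces. The two embedded configs are constructed for the example (the "bad" one closes the schedule section before its query), and the list of known top-level keys is an assumed subset, not the exhaustive list.

```python
"""Sanity-check an osquery.conf beyond what `osqueryctl config-check` reports.

Added example, not from the article or from osquery. It flags the mistake
the text warns about: a brace closed too early leaves a query sitting at
the top level of the document, where osqueryd silently ignores it.
"""
import json
import os
import sys

# Top-level keys osquery understands. Assumption: this subset covers the
# configs used in this article; it is not the exhaustive list.
KNOWN_TOP_LEVEL = {"options", "schedule", "packs", "decorators",
                   "file_paths", "exclude_paths", "events", "yara", "views"}

# Constructed configs for the example. GOOD_CONF mirrors Listing 1 with a
# single pack; BAD_CONF closes "schedule" before the query it should hold.
GOOD_CONF = """{
  // osquery accepts comment lines like this one; json.loads does not.
  "options": {"config_plugin": "filesystem", "logger_plugin": "filesystem"},
  "schedule": {
    "osquery_profile": {"query": "SELECT * FROM osquery_info;", "interval": 60}
  },
  "packs": {"incident_response": "/usr/share/osquery/packs/incident-response.conf"}
}"""

BAD_CONF = """{
  "options": {"config_plugin": "filesystem", "logger_plugin": "filesystem"},
  "schedule": {
  },
  "osquery_profile": {"query": "SELECT * FROM osquery_info;", "interval": 60},
  "packs": {"incident_response": "/usr/share/osquery/packs/incident-response.conf"}
}"""


def load_config(text):
    """Parse osquery-style JSON after dropping full-line // comments."""
    stripped = "\n".join(line for line in text.splitlines()
                         if not line.strip().startswith("//"))
    return json.loads(stripped)


def check_config(cfg, path_exists=os.path.exists):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for key in cfg:
        if key not in KNOWN_TOP_LEVEL:
            findings.append(f"unknown top-level key {key!r}: osqueryd will ignore it "
                            "(was a brace closed too early?)")
    schedule = cfg.get("schedule", {})
    if not schedule and not cfg.get("packs"):
        findings.append("no scheduled queries and no packs: osqueryd will log nothing")
    for name, entry in schedule.items():
        if "query" not in entry:
            findings.append(f"schedule entry {name!r} has no 'query'")
        try:
            if int(entry.get("interval", 0)) <= 0:
                raise ValueError
        except (TypeError, ValueError):
            findings.append(f"schedule entry {name!r} needs a positive 'interval'")
    for name, pack_path in cfg.get("packs", {}).items():
        # Packs can be inline objects or file paths; only paths are checked here.
        if isinstance(pack_path, str) and not path_exists(pack_path):
            findings.append(f"pack {name!r} points at missing file {pack_path}")
    return findings


if __name__ == "__main__":
    # Usage: python check_osquery_conf.py /etc/osquery/osquery.conf
    with open(sys.argv[1] if len(sys.argv) > 1 else "/etc/osquery/osquery.conf") as fh:
        for finding in check_config(load_config(fh.read())):
            print("WARNING:", finding)
```

Run it after osqueryctl config-check: config-check proves the file parses, this script proves the queries actually landed inside "schedule" and that every pack path exists on the host.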

If you want to see all of the queries that are scheduled to run from the config, start osqueryi (which reads the same configuration file) and run:

SELECT name FROM osquery_schedule;

This query lists every scheduled query, including those imported from the packs; pack queries appear with the pack name prefixed to the query name.

Now that you have a valid configuration, you can start osqueryd with either systemctl or the osqueryctl helper script, such as:

$ sudo osqueryctl start

As soon as the daemon comes to life, it creates the /var/log/osquery/osqueryd.results.log file to store the generated results, one JSON object per line. Results start showing up as soon as the scheduled queries and packs run. osquery itself has no alerting facility, so the only way to see the output of scheduled queries is to read the results file. You can use the tail command to print the last 10 lines of the file and then stream new lines to your screen as they are written:

$ sudo tail -f /var/log/osquery/osqueryd.results.log
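Because osqueryd only writes results, turning them into alerts is up to you. The script below is an added example, not part of the article or of osquery; it reads osqueryd.results.log line by line, normalizes both log shapes osquery produces (differential queries log one line per changed row with "action" and "columns", or a batched "diffResults" object when log_result_event is off; queries scheduled with "snapshot": true log the whole result set under "snapshot"), and raises an alert for a new listener whose binary is not on an allowlist. The sample log lines, the host name, the allowlist and the query names are constructed for the example; "listening_ports" is a query from the incident-response pack referenced in Listing 1, and osquery names pack queries pack_<pack>_<query>.

```python
"""Turn osqueryd.results.log into alerts.

Added example, not from the article or from osquery. osqueryd writes one
JSON object per line; this script handles the per-row differential form,
the batched "diffResults" form, and the "snapshot" form, and applies a
simple rule to each row.
"""
import json
import sys

# Assumed baseline of binaries that are allowed to open listening sockets.
ALLOWED_LISTENERS = {"/usr/sbin/sshd", "/usr/sbin/nginx"}

# Constructed sample lines, not captured from a real host.
SAMPLE_LOG = "\n".join([
    json.dumps({"name": "pack_incident_response_listening_ports", "hostIdentifier": "web01",
                "unixTime": 1700000000, "action": "added",
                "columns": {"pid": "4242", "port": "4444", "protocol": "6",
                            "address": "0.0.0.0", "path": "/tmp/.x/nc"}}),
    json.dumps({"name": "pack_incident_response_listening_ports", "hostIdentifier": "web01",
                "unixTime": 1700000000, "action": "removed",
                "columns": {"pid": "901", "port": "22", "protocol": "6",
                            "address": "0.0.0.0", "path": "/usr/sbin/sshd"}}),
    json.dumps({"name": "osquery_profile", "hostIdentifier": "web01",
                "unixTime": 1700000060, "action": "snapshot",
                "snapshot": [{"pid": "1201", "config_valid": "1"}]}),
    "this line is not json and must be skipped",
])


def iter_events(lines):
    """Yield (query_name, host, action, row) for every row in the results log."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tail -f can hand you a partial line; skip it
        name, host, action = rec.get("name"), rec.get("hostIdentifier"), rec.get("action")
        if action == "snapshot":
            for row in rec.get("snapshot", []):
                yield name, host, "snapshot", row
        elif "columns" in rec:
            yield name, host, action, rec["columns"]
        elif "diffResults" in rec:  # batched form (log_result_event=false)
            for act in ("added", "removed"):
                for row in rec["diffResults"].get(act, []):
                    yield name, host, act, row


def alerts_for(lines):
    """Apply alert rules to the rows and return the alert strings."""
    out = []
    for name, host, action, row in iter_events(lines):
        # A newly opened listening port owned by a binary we do not expect.
        if name.endswith("listening_ports") and action == "added" \
                and row.get("path") not in ALLOWED_LISTENERS:
            out.append(f"{host}: new listener {row.get('address')}:{row.get('port')} "
                       f"by {row.get('path')} (pid {row.get('pid')})")
        # The daemon's own health: osquery_info reports whether the config loaded.
        if name == "osquery_profile" and action == "snapshot" and row.get("config_valid") != "1":
            out.append(f"{host}: osqueryd reports an invalid configuration")
    return out


if __name__ == "__main__":
    # Usage: python osquery_alerts.py /var/log/osquery/osqueryd.results.log
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for alert in alerts_for(source):
        print("ALERT:", alert)
```

The "removed" line for sshd produces no alert, which is deliberate: a service going away may be worth a ticket, but it is a different rule from a new unexpected listener, and keeping rules separate is what makes the output tunable once this feeds a real log pipeline.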

Now you can forward the results logs to any external application (e.g., Zentral [5] or Elasticsearch [6]) for log analysis and alert generation.

As you can see, osquery is a powerful tool for investigating one or many systems using simple SQL syntax. You can use it for one-off queries or combine it with a log analysis app to build a comprehensive threat-monitoring system.

The Author

Mayank is a technology writer, and you can read his scribblings in various geeky magazines on both sides of the pond.
