Ubuntu安装osquery试用

安装

实验环境

Ubuntu 16.04

根据官网，debian系使用如下命令安装

sudo mkdir -p /etc/apt/keyrings
curl -L https://pkg.osquery.io/deb/pubkey.gpg | sudo tee /etc/apt/keyrings/osquery.asc
sudo add-apt-repository 'deb [arch=amd64 signed-by=/etc/apt/keyrings/osquery.asc] https://pkg.osquery.io/deb deb main'
sudo apt install osquery

add-apt-repository出问题，报错invalid

手动添加到sources.list

deb [arch=amd64] https://pkg.osquery.io/deb deb main

apt update，报错NO_PUBKEY

The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 97A80C63C9D8B80B

我们添加以下：（97A80C63C9D8B80B根据上面报错修改）

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 97A80C63C9D8B80B

再执行

apt update
apt install osquery

启动服务

先手动启动看看有无报错

root@ubuntu:~# osqueryd 
W1018 07:21:11.436761  5261 init.cpp:760] Error reading config: config file does not exist: /etc/osquery/osquery.conf
I1018 07:21:11.436888  5261 eventfactory.cpp:156] Event publisher not enabled: BPFEventPublisher: Publisher disabled via configuration
I1018 07:21:11.436990  5261 eventfactory.cpp:156] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration
I1018 07:21:11.437004  5261 eventfactory.cpp:156] Event publisher not enabled: inotify: Publisher disabled via configuration
I1018 07:21:11.437013  5261 eventfactory.cpp:156] Event publisher not enabled: syslog: Publisher disabled via configuration

发现少了conf文件

cp /opt/osquery/share/osquery/osquery.example.conf /etc/osquery/osquery.conf

之后就可以启动啦

root@ubuntu:~# osqueryctl restart
root@ubuntu:~# osqueryctl status
● osqueryd.service - The osquery Daemon
   Loaded: loaded (/usr/lib/systemd/system/osqueryd.service; disabled; vendor preset: enabled)
   Active: active (running) since Wed 2023-10-18 07:23:06 PDT; 3s ago
  Process: 5740 ExecStartPre=/bin/sh -c if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi (code=exited, status=0/SUCCESS)
  Process: 5729 ExecStartPre=/bin/sh -c if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi (code=exited, status=0/SUCCESS)
 Main PID: 5743 (osqueryd)
    Tasks: 14
   Memory: 14.9M
      CPU: 79ms
   CGroup: /system.slice/osqueryd.service
           ├─5743 /opt/osquery/bin/osqueryd --flagfile /etc/osquery/osquery.flags --config_path /etc/osquery/osquery.conf
           └─5750 /opt/osquery/bin/osqueryd                                                                              

Oct 18 07:23:06 ubuntu systemd[1]: Starting The osquery Daemon...
Oct 18 07:23:06 ubuntu systemd[1]: Started The osquery Daemon.
Oct 18 07:23:06 ubuntu osqueryd[5743]: osqueryd started [version=5.9.1]
Oct 18 07:23:06 ubuntu osqueryd[5743]: I1018 07:23:06.520910  5750 eventfactory.cpp:156] Event publisher not enabled: BPFEventPublisher: Publisher disabled via configuratio
Oct 18 07:23:06 ubuntu osqueryd[5743]: I1018 07:23:06.571094  5750 eventfactory.cpp:156] Event publisher not enabled: auditeventpublisher: Publisher disabled via configurat
Oct 18 07:23:06 ubuntu osqueryd[5743]: I1018 07:23:06.571115  5750 eventfactory.cpp:156] Event publisher not enabled: inotify: Publisher disabled via configuration
Oct 18 07:23:06 ubuntu osqueryd[5743]: I1018 07:23:06.571126  5750 eventfactory.cpp:156] Event publisher not enabled: syslog: Publisher disabled via configuration

查询

输入osqueryi即可开始查询

查询用户

SELECT * from users;

查询shell登录的用户

SELECT * FROM logged_in_users;

端口

SELECT * FROM listening_ports;
SELECT * FROM listening_ports WHERE port=3389;

内核模块

select name from kernel_modules;

更多的表和结构可以查看

https://osquery.io/schema/5.9.1/

页面可以选择osquery的版本