ratnero.blogg.se

Data sets for cyber osquery

Installing osquery

Originally developed by Facebook, osquery is a well-supported and documented tool. It has straightforward installation steps for a variety of operating systems and Linux distributions. In this tutorial we focus on installation on Ubuntu from the official repository; the same steps work on other Debian-based systems. If you are using Fedora or another distribution, the initial steps are well documented upstream.

The following commands add the osquery apt repository to the system and install the package:

~$ sudo apt-key adv --keyserver hkp://:80 --recv-keys $OSQUERY_KEY
~$ sudo add-apt-repository 'deb deb main'

Following this installation the /etc/osquery directory is created for configuration files, but it is not populated at this stage.

Interactive Shell for Immediate Testing (osqueryi)

Before doing any configuration, we can load the interactive shell to perform test queries. Using SQL queries (SQLite is the basis for the SQL syntax), we can query tables to gather information about the operating system. Querying the users table gives a list of users (the output has been snipped):

+-----+-----+------------+------------+----------+-------------+--------------------------+-------------------+------+
| uid | gid | uid_signed | gid_signed | username | description | directory                | shell             | uuid |
+-----+-----+------------+------------+----------+-------------+--------------------------+-------------------+------+
| 1   | 1   | 1          | 1          | daemon   | daemon      | /usr/sbin                | /usr/sbin/nologin |      |
| 2   | 2   | 2          | 2          | bin      | bin         | /bin                     | /usr/sbin/nologin |      |
| 998 | 100 | 998        | 100        | lxd      |             | /var/snap/lxd/common/lxd | /bin/false        |      |
+-----+-----+------------+------------+----------+-------------+--------------------------+-------------------+------+

Another example, this time with fields selected and a LIMIT:

osquery> select uid, username, directory from users LIMIT 5;

Example queries

Get operating system type, version and architecture.

Get hostname, CPU and memory details:
SELECT hostname, cpu_brand, cpu_physical_cores, cpu_logical_cores, physical_memory FROM system_info

List installed Debian packages whose name starts with python3:
SELECT * FROM deb_packages WHERE name LIKE 'python3%'

Execute curl and report round-trip time and HTTP response code:
SELECT url, round_trip_time, response_code FROM curl WHERE url = ''

Get file metadata for /etc/passwd:
SELECT * FROM file WHERE path = '/etc/passwd'

Get the MD5 hash of /etc/passwd:
SELECT md5 FROM hash WHERE path = '/etc/passwd'

Show USB, hard drive and other hardware state changes.

Retrieve commands from the process event table that match a filter (requires audit events):
SELECT * FROM process_events WHERE cmd_line LIKE 'nmap%'

Show open sockets and network connections, similar to netstat.

Retrieve certificate information using curl and dump JSON output to the shell:
osqueryi --json "SELECT * FROM curl_certificate WHERE hostname = ':443'"

Upgrading osquery

Because the package is installed from the apt repository, the regular system-level apt upgrade will pick up new osquery releases as required.
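The interactive queries above become a monitoring tool once they are scheduled in /etc/osquery/osquery.conf and osqueryd writes their results to its JSON log. The script below is an added example, not code from the original post or from the osquery project: it builds such a configuration from three of the queries shown and triages a results log. The query names (nmap_invocations, passwd_hash, python3_packages), the host name, package versions and hash values in the sample log are constructed for the example; the config keys and the result-log field names (name, action, columns, snapshot) are osquery's own.

```python
"""Added example, not code from the original post or from the osquery project.

The one-off osqueryi queries above become useful for monitoring once they
are scheduled in /etc/osquery/osquery.conf and osqueryd writes their results
to the JSON log (osqueryd.results.log under logger_path). This script builds
such a config and triages a results log. It runs offline: the log lines,
host name, query names, versions and hash values are constructed here.
"""
import json

# Scheduled versions of the interactive examples. "interval" is seconds.
# Default mode is differential (only added/removed rows are logged);
# "snapshot": True logs the full result set on every run instead.
SCHEDULE = {
    "nmap_invocations": {
        "query": "SELECT pid, path, cmd_line, uid, time FROM process_events "
                 "WHERE cmd_line LIKE 'nmap%';",
        "interval": 60,
    },
    "passwd_hash": {
        "query": "SELECT path, md5 FROM hash WHERE path = '/etc/passwd';",
        "interval": 300,
    },
    "python3_packages": {
        "query": "SELECT name, version FROM deb_packages WHERE name LIKE 'python3%';",
        "interval": 3600,
        "snapshot": True,
    },
}


def build_config(log_dir="/var/log/osquery"):
    """Return an osquery.conf document (serialise with json.dumps to write it)."""
    return {
        "options": {
            "logger_path": log_dir,
            # process_events is fed by the Linux audit subsystem, which osqueryd
            # leaves disabled unless these flags are set.
            "disable_audit": "false",
            "audit_allow_config": "true",
            "audit_allow_process_events": "true",
        },
        "schedule": SCHEDULE,
    }


def iter_rows(log_text):
    """Yield (query_name, action, row) for each result row in a results log.

    Differential lines carry one row in "columns" with action "added" or
    "removed"; snapshot lines carry the whole result set in "snapshot".
    """
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        name, action = rec["name"], rec.get("action", "added")
        if action == "snapshot":
            for row in rec["snapshot"]:
                yield name, action, row
        else:
            yield name, action, rec["columns"]


def triage(log_text, passwd_md5_baseline):
    """Return alert strings for scan-tool executions and /etc/passwd changes.

    In differential mode a changed file appears as a "removed" row carrying
    the old md5 followed by an "added" row with the new one, so only "added"
    rows are compared against the baseline.
    """
    alerts = []
    for name, action, row in iter_rows(log_text):
        if name == "nmap_invocations" and action == "added":
            alerts.append(f"scan tool run: uid={row['uid']} cmd={row['cmd_line']}")
        elif name == "passwd_hash" and action == "added" and row["md5"] != passwd_md5_baseline:
            alerts.append(f"/etc/passwd changed: md5={row['md5']}")
    return alerts


BASELINE_MD5 = "5d41402abc4b2a76b9719d911017c592"  # constructed baseline value
NEW_MD5 = "098f6bcd4621d373cade4e832627b4f6"       # constructed post-change value

# Constructed sample log: the real file has one JSON object per line with
# these field names (plus calendarTime, epoch, counter and decorations).
SAMPLE_LOG = "\n".join(json.dumps(rec) for rec in [
    {"name": "passwd_hash", "hostIdentifier": "web01", "unixTime": 1700000000,
     "columns": {"path": "/etc/passwd", "md5": BASELINE_MD5}, "action": "added"},
    {"name": "nmap_invocations", "hostIdentifier": "web01", "unixTime": 1700000060,
     "columns": {"pid": "4242", "path": "/usr/bin/nmap", "uid": "1000",
                 "cmd_line": "nmap -sS -p- 10.0.0.0/24", "time": "1700000058"},
     "action": "added"},
    {"name": "passwd_hash", "hostIdentifier": "web01", "unixTime": 1700000300,
     "columns": {"path": "/etc/passwd", "md5": BASELINE_MD5}, "action": "removed"},
    {"name": "passwd_hash", "hostIdentifier": "web01", "unixTime": 1700000300,
     "columns": {"path": "/etc/passwd", "md5": NEW_MD5}, "action": "added"},
    {"name": "python3_packages", "hostIdentifier": "web01", "unixTime": 1700003600,
     "snapshot": [{"name": "python3", "version": "3.10.6-1~22.04"},
                  {"name": "python3-minimal", "version": "3.10.6-1~22.04"}],
     "action": "snapshot"},
])

if __name__ == "__main__":
    print(json.dumps(build_config(), indent=2))
    for alert in triage(SAMPLE_LOG, BASELINE_MD5):
        print("ALERT", alert)
```

Running the script prints the configuration and two alerts from the constructed log: the nmap execution and the second passwd_hash "added" row, whose md5 no longer matches the baseline. The first passwd_hash row and the snapshot rows produce nothing, which is the behaviour you want from a differential query when the baseline is correct.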