
Latest revision as of 19:09, 27 June 2015 (Sat)

osquery is a tool for easily querying Linux and OS X infrastructure. Its goal is to inform organizations within an enterprise in areas such as intrusion detection, infrastructure reliability, and compliance.


Pronunciation of osqueryi: "o-es-query i"


With osquery you can access information about a computing node through SQL-like queries. It is available on OS X, Ubuntu, CentOS, FreeBSD and other operating systems.

Some tables differ between operating systems, but being able to access the information in an OS-independent way is one of its attractions.





Installation

FreeBSD

sudo pkg install osquery


CentOS 7

sudo rpm -ivh https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm
sudo yum install osquery

Alternatively, install the RPM directly:

sudo yum install https://osquery-packages.s3.amazonaws.com/centos7/osquery-1.4.7.rpm
$ sudo rpm -ivh https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm
https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm を取得中
警告: /var/tmp/rpm-tmp.PiSfzi: ヘッダー V4 RSA/SHA1 Signature、鍵 ID c9d8b80b: NOKEY
準備しています...              ################################# [100%]
更新中 / インストール中...
   1:osquery-s3-centos7-repo-1-0.0    ################################# [100%]
$ sudo yum search osquery
読み込んだプラグイン:fastestmirror, langpacks
osquery-s3-centos7-repo                                                             | 3.3 kB  00:00:00     
osquery-s3-centos7-repo/x86_64/primary_db                                           | 5.5 kB  00:00:02     
Loading mirror speeds from cached hostfile
 * base: ftp.tsukuba.wide.ad.jp
 * extras: ftp.tsukuba.wide.ad.jp
 * updates: ftp.tsukuba.wide.ad.jp
============================================ N/S matched: osquery ===========================================
osquery.x86_64 : osquery is an operating system instrumentation toolchain.
osquery-latest.x86_64 : osquery is an operating system instrumentation toolchain. (unstable/latest version)
osquery-s3-centos7-repo.noarch : osquery S3 CentOS 7 RPM Repository
  Name and summary matches only, use "search all" for everything.
$ sudo yum install osquery
読み込んだプラグイン:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: ftp.tsukuba.wide.ad.jp
 * extras: ftp.tsukuba.wide.ad.jp
 * updates: ftp.tsukuba.wide.ad.jp
--> トランザクションの確認を実行しています。
---> パッケージ osquery.x86_64 0:1.4.7-1.el7 を インストール
--> 依存性解決を終了しました。
 Package             アーキテクチャー   バージョン               リポジトリー                         容量
 osquery             x86_64             1.4.7-1.el7              osquery-s3-centos7-repo             4.2 M
インストール  1 パッケージ
総ダウンロード容量: 4.2 M
インストール容量: 13 M
Is this ok [y/d/N]: y
Downloading packages:
ヘッダー V4 RSA/SHA1 Signature、鍵 ID c9d8b80b: NOKEY
osquery-1.4.7.rpm の公開鍵がインストールされていません
osquery-1.4.7.rpm                                                                   | 4.2 MB  00:00:13     
file:///etc/pki/rpm-gpg/OSQUERY-S3-RPM-REPO-GPGKEY から鍵を取得中です。
Importing GPG key 0xC9D8B80B:
 Userid     : "osquery (osquery) <osquery@fb.com>"
 Fingerprint: 1484 120a c4e9 f8a1 a577 aeee 97a8 0c63 c9d8 b80b
 Package    : osquery-s3-centos7-repo-1-0.0.noarch (installed)
 From       : /etc/pki/rpm-gpg/OSQUERY-S3-RPM-REPO-GPGKEY
上記の処理を行います。よろしいでしょうか? [y/N]y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
警告: RPMDB は yum 以外で変更されました。
  インストール中          : osquery-1.4.7-1.el7.x86_64                                                 1/1 
  検証中                  : osquery-1.4.7-1.el7.x86_64                                                 1/1 
  osquery.x86_64 0:1.4.7-1.el7                                                                             


Ubuntu 14.04 LTS Trusty

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C9D8B80B
sudo add-apt-repository "deb [arch=amd64] https://osquery-packages.s3.amazonaws.com/trusty trusty main"
sudo apt update
sudo apt install osquery
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C9D8B80B
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring
--homedir /tmp/tmp.GkVtyeQs09 --no-auto-check-trustdb --trust-model always
--keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg
--keyserver keyserver.ubuntu.com --recv-keys C9D8B80B
gpg: requesting key C9D8B80B from hkp server keyserver.ubuntu.com
gpg: key C9D8B80B: public key "osquery (osquery) <osquery@fb.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
$ sudo add-apt-repository "deb [arch=amd64] https://osquery-packages.s3.amazonaws.com/trusty trusty main"





Installed files

$ rpmquery osquery
$ rpmquery -l osquery

$ dpkg -L osquery



Configuration

Copy the example configuration into place:

sudo cp /usr/share/osquery/osquery.example.conf /etc/osquery/osquery.conf

Starting osqueryd

sudo service osqueryd start


osqueryi command-line options

$ osqueryi -h
osquery 1.4.5, your OS as a high-performance relational database
Usage: osqueryi [OPTION]... [SQL STATEMENT]
osquery command line flags:
    --config_plugin VALUE        Config plugin name
    --config_path VALUE          (filesystem) config plugin path to JSON config file
    --config_check               Check the format of an osquery config and exit
    --daemonize                  Run as daemon (osqueryd only)
    --force                      Force osqueryd to kill previously-running daemons
    --pidfile VALUE              Path to the daemon pidfile mutex
    --disable_watchdog           Disable userland watchdog process
    --watchdog_level VALUE       Performance limit level (0=loose, 1=normal, 2=restrictive, 3=debug)
    --schedule_timeout VALUE     Limit the schedule, 0 for no limit
    --disable_extensions         Disable extension API
    --extensions_autoload VALUE  Optional path to a list of autoloaded & managed extensions
    --extensions_interval VALUE  Seconds delay between connectivity checks
    --extensions_socket VALUE    Path to the extensions UNIX domain socket
    --extensions_timeout VALUE   Seconds to wait for autoloaded extensions
    --modules_autoload VALUE     Optional path to a list of autoloaded registry modules
osquery configuration options (set by config or CLI flags):
    --schedule_splay_percent VALUE
[2]    20714 abort      osqueryi -h

Commands available in osqueryi

osquery> .help
Welcome to the osquery shell. Please explore your OS!
You are connected to a transient 'in-memory' virtual database.
.all [TABLE]       Select all from a table
.bail ON|OFF       Stop after hitting an error; default OFF
.echo ON|OFF       Turn command echo on or off
.exit              Exit this program
.header(s) ON|OFF  Turn display of headers on or off
.help              Show this message
.indices [TABLE]   Show names of all indices
.mode MODE         Set output mode where MODE is one of:
                     csv      Comma-separated values
                     column   Left-aligned columns.  (See .width)
                     line     One value per line
                     list     Values delimited by .separator string
                     pretty   Pretty printed SQL results
.nullvalue STR     Use STRING in place of NULL values
.print STR...      Print literal STRING
.quit              Exit this program
.schema [TABLE]    Show the CREATE statements
.separator STR     Change separator used by output mode and .import
.show              Show the current values for various settings
.tables [TABLE]    List names of tables
.trace FILE|off    Output each SQL statement as it is run
.width [NUM1]+     Set column widths for "column" mode
.timer ON|OFF      Turn the CPU timer measurement on or off

List of osquery tables

.tables shows the available tables.


osquery> .tables
  => cpuid
  => crontab
  => etc_hosts
  => etc_protocols
  => etc_services
  => file
  => groups
  => hash
  => interface_addresses
  => interface_details
  => listening_ports
  => logged_in_users
  => mounts
  => osquery_extensions
  => osquery_flags
  => osquery_info
  => osquery_registry
  => osquery_schedule
  => shell_history
  => suid_bin
  => time
  => users


osquery> .tables
  => acpi_tables
  => arp_cache
  => block_devices
  => chrome_extensions
  => cpuid
  => crontab
  => disk_encryption
  => etc_hosts
  => etc_protocols
  => etc_services
  => file
  => file_events
  => firefox_addons
  => groups
  => hardware_events
  => hash
  => interface_addresses
  => interface_details
  => iptables
  => kernel_info
  => kernel_integrity
  => kernel_modules
  => last
  => listening_ports
  => logged_in_users
  => memory_map
  => mounts
  => msr
  => opera_extensions
  => os_version
  => osquery_extensions
  => osquery_flags
  => osquery_info
  => osquery_packs
  => osquery_registry
  => osquery_schedule
  => passwd_changes
  => pci_devices
  => process_envs
  => process_memory_map
  => process_open_files
  => process_open_sockets
  => processes
  => routes
  => rpm_package_files
  => rpm_packages
  => shared_memory
  => shell_history
  => smbios_tables
  => suid_bin
  => system_controls
  => time
  => usb_devices
  => user_groups
  => users
  => yara
  => yara_events


osquery> select * from users;
| uid   | gid   | uid_signed | gid_signed | username   | description                    | directory               | shell                          |
| 0     | 0     | 0          | 0          | toor       | Bourne-again Superuser         | /root                   |                                |
| 1     | 1     | 1          | 1          | daemon     | Owner of many system processes | /root                   | /usr/sbin/nologin              |
| 2     | 5     | 2          | 5          | operator   | System &                       | /                       | /usr/sbin/nologin              |
| 3     | 7     | 3          | 7          | bin        | Binaries Commands and Source   | /                       | /usr/sbin/nologin              |
| 4     | 65533 | 4          | 65533      | tty        | Tty Sandbox                    | /                       | /usr/sbin/nologin              |
| 5     | 65533 | 5          | 65533      | kmem       | KMem Sandbox                   | /                       | /usr/sbin/nologin              |
| 7     | 13    | 7          | 13         | games      | Games pseudo-user              | /usr/games              | /usr/sbin/nologin              |
| 8     | 8     | 8          | 8          | news       | News Subsystem                 | /                       | /usr/sbin/nologin              |
| 9     | 9     | 9          | 9          | man        | Mister Man Pages               | /usr/share/man          | /usr/sbin/nologin              |
| 22    | 22    | 22         | 22         | sshd       | Secure Shell Daemon            | /var/empty              | /usr/sbin/nologin              |
| 25    | 25    | 25         | 25         | smmsp      | Sendmail Submission User       | /var/spool/clientmqueue | /usr/sbin/nologin              |
| 26    | 26    | 26         | 26         | mailnull   | Sendmail Default User          | /var/spool/mqueue       | /usr/sbin/nologin              |
| 53    | 53    | 53         | 53         | bind       | Bind Sandbox                   | /                       | /usr/sbin/nologin              |
| 59    | 59    | 59         | 59         | unbound    | Unbound DNS Resolver           | /var/unbound            | /usr/sbin/nologin              |
| 62    | 62    | 62         | 62         | proxy      | Packet Filter pseudo-user      | /nonexistent            | /usr/sbin/nologin              |
| 64    | 64    | 64         | 64         | _pflogd    | pflogd privsep user            | /var/empty              | /usr/sbin/nologin              |
| 65    | 65    | 65         | 65         | _dhcp      | dhcp programs                  | /var/empty              | /usr/sbin/nologin              |
| 66    | 66    | 66         | 66         | uucp       | UUCP pseudo-user               | /var/spool/uucppublic   | /usr/local/libexec/uucp/uucico |
| 68    | 6     | 68         | 6          | pop        | Post Office Owner              | /nonexistent            | /usr/sbin/nologin              |
| 78    | 77    | 78         | 77         | auditdistd | Auditdistd unprivileged user   | /var/empty              | /usr/sbin/nologin              |
| 80    | 80    | 80         | 80         | www        | World Wide Web Owner           | /nonexistent            | /usr/sbin/nologin              |
| 845   | 845   | 845        | 845        | hast       | HAST unprivileged user         | /var/empty              | /usr/sbin/nologin              |
| 65534 | 65534 | 65534      | 65534      | nobody     | Unprivileged user              | /nonexistent            | /usr/sbin/nologin              |
| 1001  | 1001  | 1001       | 1001       | user       | user                           | /home/user              | /bin/tcsh                      |
| 1002  | 1002  | 1002       | 1002       | kaworu     | User &                         | /home/kaworu            | /usr/local/bin/zsh             |
| 964   | 964   | 964        | 964        | git_daemon | git daemon                     | /nonexistent            | /usr/sbin/nologin              |
| 1003  | 1003  | 1003       | 1003       | test       | test                           | /home/test              | /usr/local/bin/zsh             |
| 88    | 88    | 88         | 88         | mysql      | MySQL Daemon                   | /var/db/mysql           | /usr/sbin/nologin              |
| 193   | 193   | 193        | 193        | cups       | Cups Owner                     | /nonexistent            | /usr/sbin/nologin              |
| 556   | 556   | 556        | 556        | messagebus | D-BUS Daemon User              | /nonexistent            | /usr/sbin/nologin              |
| 60    | 60    | 60         | 60         | cyrus      | the cyrus mail server          | /nonexistent            | /usr/sbin/nologin              |
| 601   | 601   | 601        | 601        | _tss       | TrouSerS user                  | /var/empty              | /usr/sbin/nologin              |
| 955   | 955   | 955        | 955        | hdfs       | Hadoop HDFS user               | /nonexistent            | /usr/sbin/nologin              |
| 947   | 955   | 947        | 955        | mapred     | Hadoop MapReduce user          | /nonexistent            | /usr/sbin/nologin              |
| 987   | 987   | 987        | 987        | spark      | Apache Spark user              | /nonexistent            | /usr/sbin/nologin              |



osquery> select * from interface_details where interface = 'em0';
| interface | mac               | type | mtu  | metric | ipackets | opackets | ibytes   | obytes   | ierrors | oerrors | last_change |
| em0       | 00:0c:29:cb:15:e1 | 6    | 1500 | 0      | 77076    | 42882    | 51203175 | 11475006 | 0       | 0       | 1435314738  |


osquery> select * from etc_services limit 3;
| name   | port | protocol | aliases | comment                            |
| rtmp   | 1    | ddp      |         | Routing Table Maintenance Protocol |
| tcpmux | 1    | tcp      |         | TCP Port Service Multiplexer       |
| tcpmux | 1    | udp      |         | TCP Port Service Multiplexer       |



osquery> select * from rpm_packages limit 10;
| name                    | version  | release | source                                   | size     | sha1                                     | arch   |
| fontpackages-filesystem | 1.44     | 8.el7   | fontpackages-1.44-8.el7.src.rpm          | 0        | 606b81d031584ec3a5e408c0f57eed92cfb911e4 | noarch |
| liberation-fonts-common | 1.07.2   | 14.el7  | liberation-fonts-1.07.2-14.el7.src.rpm   | 75627    | 43e22b24a8dd1b3986a1d35d5d5bb647b1f11fe9 | noarch |
| gnu-free-fonts-common   | 20120503 | 8.el7   | gnu-free-fonts-20120503-8.el7.src.rpm    | 502617   | 10f691325c2bdb50784584ff6e13782d51f36d70 | noarch |
| dejavu-fonts-common     | 2.33     | 6.el7   | dejavu-fonts-2.33-6.el7.src.rpm          | 130455   | 78512b0f7d249b5fbf7063c3acc422c6337535fc | noarch |
| filesystem              | 3.2      | 18.el7  | filesystem-3.2-18.el7.src.rpm            | 0        | 1d1e024704dd5947b3fff1fb67cd0d55faac8d04 | x86_64 |
| telepathy-filesystem    | 0.0.2    | 6.el7   | telepathy-filesystem-0.0.2-6.el7.src.rpm | 0        | 9b481ff6695ad8db6895d7eb96ddbc8eb3821d3c | noarch |
| xkeyboard-config        | 2.9      | 4.el7   | xkeyboard-config-2.9-4.el7.src.rpm       | 5046316  | 9afd2f7c4a4c3ca4b83ce23eb689e0f0a7fad2a9 | noarch |
| poppler-data            | 0.4.6    | 3.el7   | poppler-data-0.4.6-3.el7.src.rpm         | 12013394 | 183304ef68ec9677c31440a708a3faad58f73716 | noarch |
| langtable               | 0.0.13   | 4.el7   | langtable-0.0.13-4.el7.src.rpm           | 103216   | 127cfc656f7ca4e689e1c6812b749e45302b0a02 | noarch |
| langtable-data          | 0.0.13   | 4.el7   | langtable-0.0.13-4.el7.src.rpm           | 574961   | f0ccedca37e0a4b8dc4b39e8d5cc0a6556a41596 | noarch |


osquery> select * from logged_in_users;
| user     | tty   | host                      | time       | pid   |
| reboot   | ~     | 3.10.0-123.8.1.el7.x86_64 | 1414068716 | 0     |
| kaworu   | :0    | :0                        | 1414069657 | 15854 |
| runlevel | ~     | 3.10.0-123.8.1.el7.x86_64 | 1414068814 | 53    |
| kaworu   | pts/0 | :0                        | 1414285551 | 19452 |


osquery> select * from listening_ports;
| pid | port  | protocol | family | address   |
| -1  | 25    | 6        | 2      | |
| -1  | 42048 | 6        | 2      |   |
| -1  | 111   | 6        | 2      |   |
| -1  | 22    | 6        | 2      |   |
| -1  | 631   | 6        | 2      | |
| -1  | 25    | 6        | 10     | ::1       |
| -1  | 54475 | 6        | 10     | ::        |
| -1  | 111   | 6        | 10     | ::        |
| -1  | 22    | 6        | 10     | ::        |
| -1  | 631   | 6        | 10     | ::1       |
| -1  | 985   | 17       | 2      |   |
| -1  | 26105 | 17       | 2      |   |
| -1  | 68    | 17       | 2      |   |
| -1  | 111   | 17       | 2      |   |
| -1  | 123   | 17       | 2      |   |
| -1  | 45189 | 17       | 2      |   |
| -1  | 56472 | 17       | 2      |   |
| -1  | 5353  | 17       | 2      |   |
| -1  | 804   | 17       | 2      | |
| -1  | 323   | 17       | 2      | |
| -1  | 2997  | 17       | 10     | ::        |
| -1  | 985   | 17       | 10     | ::        |
| -1  | 111   | 17       | 10     | ::        |
| -1  | 123   | 17       | 10     | ::        |
| -1  | 55063 | 17       | 10     | ::        |
| -1  | 323   | 17       | 10     | ::1       |
| -1  | 58    | 255      | 10     | ::        |
| -1  | 0     | 0        | 0      |           |


Logs

Log files are stored in the /var/log/osquery directory.

Results are logged in JSON format to osqueryd.results.log.

They can also be forwarded to Logstash or Splunk.
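As an added example (not from the page or the osquery project), a small Python reader for the JSON lines osqueryd writes to osqueryd.results.log: it replays the differential added/removed events to rebuild the current rows and raises alerts for unexpected TCP listeners and new SUID binaries. The log lines and the port allowlist are constructed, and the key names assume the osquery 1.x differential log layout.

```python
import json

# Constructed sample of /var/log/osquery/osqueryd.results.log: one JSON object
# per line in the differential format (a row appears once as "added" and once
# as "removed" when it goes away). Key names assume the osquery 1.x log layout.
SAMPLE_LOG = """\
{"name":"listening_ports","hostIdentifier":"host1","unixTime":"1435399200","columns":{"pid":"-1","port":"22","protocol":"6","family":"2","address":"0.0.0.0"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"host1","unixTime":"1435402800","columns":{"pid":"-1","port":"4444","protocol":"6","family":"2","address":"0.0.0.0"},"action":"added"}
{"name":"suid_bin","hostIdentifier":"host1","unixTime":"1435402800","columns":{"path":"/tmp/.x","username":"root","groupname":"root","permissions":"S"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"host1","unixTime":"1435406400","columns":{"pid":"-1","port":"4444","protocol":"6","family":"2","address":"0.0.0.0"},"action":"removed"}
this line is not JSON and must be skipped rather than crash the reader
"""

# TCP ports this host is expected to expose (placeholder allowlist).
EXPECTED_TCP_PORTS = {22, 25, 111, 631}

def parse_results_log(text):
    """Return (events, bad_line_numbers); malformed lines are reported, not fatal."""
    events, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            if not {"name", "columns", "action"}.issubset(ev):
                raise ValueError("missing keys")
        except (ValueError, TypeError):
            bad.append(lineno)
            continue
        events.append(ev)
    return events, bad

def current_rows(events, query_name):
    """Replay added/removed events in time order to rebuild the rows present now."""
    rows = set()
    for ev in sorted(events, key=lambda e: int(e["unixTime"])):
        if ev["name"] != query_name:
            continue
        key = tuple(sorted(ev["columns"].items()))  # hashable row identity
        if ev["action"] == "added":
            rows.add(key)
        elif ev["action"] == "removed":
            rows.discard(key)
    return [dict(r) for r in rows]

def alerts(events):
    """Flag each unexpected TCP listener and each new SUID binary as it is added."""
    out = []
    for ev in events:
        if ev["action"] != "added":
            continue
        c, host = ev["columns"], ev.get("hostIdentifier", "?")
        if ev["name"] == "listening_ports" and c.get("protocol") == "6" \
                and int(c["port"]) not in EXPECTED_TCP_PORTS:
            out.append("%s: unexpected TCP listener on %s:%s" % (host, c["address"], c["port"]))
        elif ev["name"] == "suid_bin":
            out.append("%s: new SUID binary %s (owner %s)" % (host, c["path"], c["username"]))
    return out
```

The same parsing step is what a Logstash or Splunk pipeline does before indexing; the replay in current_rows is what turns the differential stream back into a snapshot.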


osqueryd does not start

osqueryd did not start while a pid file was present. Removing the pid file makes it work.

sudo rm /var/run/osqueryd.pid

osqueryi does not start

Without sudo, osqueryi fails because it cannot create its database handle:

$ osqueryi
E0626 19:42:41.068462 92300288 init.cpp:290] osqueryi initialize failed: Could not create DB handle
Assertion failed: (ret == 0), function ~impl, file src/thrift/concurrency/Mutex.cpp, line 131.


Running it with sudo works:

$ sudo osqueryi
osquery - being built, with love, at Facebook
Using a virtual database. Need help, type '.help'

osquery cannot be started

On Ubuntu 15.04, the osquery packages for the 14 series may not work.

$ sudo service osquery start
Job for osqueryd.service failed. See "systemctl status osqueryd.service" and "journalctl -xe" for details.


Likewise on Ubuntu 15.04 with the 14-series osquery packages:

osqueryi: error while loading shared libraries: libgcrypt.so.11: cannot open
shared object file: No such file or directory
