「osquery」の版間の差分
提供: セキュリティ
行7: | 行7: | ||
== 概要 == | == 概要 == | ||
− | [[osquery]] | + | [[osquery]]では、SQLライクなクエリで、コンピューティングノードの情報にアクセスできます。OS X, [[Ubuntu]], [[CentOS]], [[FreeBSD]] などのOSで利用できます。 |
+ | [[OS]] ごとに提供されるテーブルが異なるものもありますが、OSに依存せずに情報にアクセスできるのは、魅力の1つです。 | ||
== インストール == | == インストール == | ||
{{pkg|osquery}} | {{pkg|osquery}} | ||
+ | === CentOS === | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | sudo rpm -ivh https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm | ||
+ | sudo yum install osquery | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | sudo yum isntall https://osquery-packages.s3.amazonaws.com/centos7/osquery-1.4.7.rpm | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | $ sudo rpm -ivh https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm | ||
+ | https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm を取得中 | ||
+ | 警告: /var/tmp/rpm-tmp.PiSfzi: ヘッダー V4 RSA/SHA1 Signature、鍵 ID c9d8b80b: NOKEY | ||
+ | 準備しています... ################################# [100%] | ||
+ | 更新中 / インストール中... | ||
+ | 1:osquery-s3-centos7-repo-1-0.0 ################################# [100%] | ||
+ | $ sudo yum search osquery | ||
+ | |||
+ | 読み込んだプラグイン:fastestmirror, langpacks | ||
+ | osquery-s3-centos7-repo | 3.3 kB 00:00:00 | ||
+ | osquery-s3-centos7-repo/x86_64/primary_db | 5.5 kB 00:00:02 | ||
+ | Loading mirror speeds from cached hostfile | ||
+ | * base: ftp.tsukuba.wide.ad.jp | ||
+ | * extras: ftp.tsukuba.wide.ad.jp | ||
+ | * updates: ftp.tsukuba.wide.ad.jp | ||
+ | ========================================== N/S matched: osquery =========================================== | ||
+ | osquery.x86_64 : osquery is an operating system instrumentation toolchain. | ||
+ | osquery-latest.x86_64 : osquery is an operating system instrumentation toolchain. (unstable/latest version) | ||
+ | osquery-s3-centos7-repo.noarch : osquery S3 CentOS 7 RPM Repository | ||
+ | |||
+ | Name and summary matches only, use "search all" for everything. | ||
+ | $ sudo yum install osquery | ||
+ | 読み込んだプラグイン:fastestmirror, langpacks | ||
+ | Loading mirror speeds from cached hostfile | ||
+ | * base: ftp.tsukuba.wide.ad.jp | ||
+ | * extras: ftp.tsukuba.wide.ad.jp | ||
+ | * updates: ftp.tsukuba.wide.ad.jp | ||
+ | 依存性の解決をしています | ||
+ | --> トランザクションの確認を実行しています。 | ||
+ | ---> パッケージ osquery.x86_64 0:1.4.7-1.el7 を インストール | ||
+ | --> 依存性解決を終了しました。 | ||
+ | |||
+ | 依存性を解決しました | ||
+ | |||
+ | =========================================================================================================== | ||
+ | Package アーキテクチャー バージョン リポジトリー 容量 | ||
+ | =========================================================================================================== | ||
+ | インストール中: | ||
+ | osquery x86_64 1.4.7-1.el7 osquery-s3-centos7-repo 4.2 M | ||
+ | |||
+ | トランザクションの要約 | ||
+ | =========================================================================================================== | ||
+ | インストール 1 パッケージ | ||
+ | |||
+ | 総ダウンロード容量: 4.2 M | ||
+ | インストール容量: 13 M | ||
+ | Is this ok [y/d/N]: y | ||
+ | Downloading packages: | ||
+ | 警告: | ||
+ | /var/cache/yum/x86_64/7/osquery-s3-centos7-repo/packages/osquery-1.4.7.rpm: | ||
+ | ヘッダー V4 RSA/SHA1 Signature、鍵 ID c9d8b80b: NOKEY | ||
+ | osquery-1.4.7.rpm の公開鍵がインストールされていません | ||
+ | osquery-1.4.7.rpm | 4.2 MB 00:00:13 | ||
+ | file:///etc/pki/rpm-gpg/OSQUERY-S3-RPM-REPO-GPGKEY から鍵を取得中です。 | ||
+ | Importing GPG key 0xC9D8B80B: | ||
+ | Userid : "osquery (osquery) <osquery@fb.com>" | ||
+ | Fingerprint: 1484 120a c4e9 f8a1 a577 aeee 97a8 0c63 c9d8 b80b | ||
+ | Package : osquery-s3-centos7-repo-1-0.0.noarch (installed) | ||
+ | From : /etc/pki/rpm-gpg/OSQUERY-S3-RPM-REPO-GPGKEY | ||
+ | 上記の処理を行います。よろしいでしょうか? [y/N]y | ||
+ | Running transaction check | ||
+ | Running transaction test | ||
+ | Transaction test succeeded | ||
+ | Running transaction | ||
+ | 警告: RPMDB は yum 以外で変更されました。 | ||
+ | インストール中 : osquery-1.4.7-1.el7.x86_64 1/1 | ||
+ | 検証中 : osquery-1.4.7-1.el7.x86_64 1/1 | ||
+ | |||
+ | インストール: | ||
+ | osquery.x86_64 0:1.4.7-1.el7 | ||
+ | |||
+ | 完了しました! | ||
+ | </syntaxhighlight> | ||
+ | === Ubuntu === | ||
+ | ==== Ubuntu 14.04 LTS Trusty ==== | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C9D8B80B | ||
+ | sudo add-apt-repository "deb [arch=amd64] https://osquery-packages.s3.amazonaws.com/trusty trusty main" | ||
+ | sudo apt update | ||
+ | sudo apt install osquery | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C9D8B80B | ||
+ | Executing: gpg --ignore-time-conflict --no-options --no-default-keyring | ||
+ | --homedir /tmp/tmp.GkVtyeQs09 --no-auto-check-trustdb --trust-model always | ||
+ | --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg | ||
+ | --keyserver keyserver.ubuntu.com --recv-keys C9D8B80B | ||
+ | gpg: requesting key C9D8B80B from hkp server keyserver.ubuntu.com | ||
+ | gpg: key C9D8B80B: public key "osquery (osquery) <osquery@fb.com>" imported | ||
+ | gpg: Total number processed: 1 | ||
+ | gpg: imported: 1 (RSA: 1) | ||
+ | $ sudo add-apt-repository "deb [arch=amd64] https://osquery-packages.s3.amazonaws.com/trusty trusty main" | ||
+ | </syntaxhighlight> | ||
== ファイルリスト一覧 == | == ファイルリスト一覧 == | ||
+ | === FreeBSD === | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
osquery-1.4.5_2: | osquery-1.4.5_2: | ||
行40: | 行147: | ||
/usr/local/share/licenses/osquery-1.4.5_2/LICENSE | /usr/local/share/licenses/osquery-1.4.5_2/LICENSE | ||
/usr/local/share/licenses/osquery-1.4.5_2/catalog.mk | /usr/local/share/licenses/osquery-1.4.5_2/catalog.mk | ||
+ | </syntaxhighlight> | ||
+ | === CentOS === | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | $ rpmquery osquery | ||
+ | osquery-1.4.7-1.el7.x86_64 | ||
+ | $ rpmquery -l osquery | ||
+ | /etc/init.d/osqueryd | ||
+ | /etc/osquery | ||
+ | /usr/bin/osqueryctl | ||
+ | /usr/bin/osqueryd | ||
+ | /usr/bin/osqueryi | ||
+ | /usr/share/osquery/osquery.example.conf | ||
+ | /var/log/osquery | ||
+ | /var/osquery | ||
+ | </syntaxhighlight> | ||
+ | === Ubuntu === | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | $ dpkg -L osquery | ||
+ | /. | ||
+ | /usr | ||
+ | /usr/bin | ||
+ | /usr/bin/osqueryd | ||
+ | /usr/bin/osqueryctl | ||
+ | /usr/bin/osqueryi | ||
+ | /usr/share | ||
+ | /usr/share/osquery | ||
+ | /usr/share/osquery/osquery.example.conf | ||
+ | /usr/share/doc | ||
+ | /usr/share/doc/osquery | ||
+ | /usr/share/doc/osquery/changelog.Debian.gz | ||
+ | /var | ||
+ | /var/osquery | ||
+ | /var/log | ||
+ | /var/log/osquery | ||
+ | /etc | ||
+ | /etc/osquery | ||
+ | /etc/init.d | ||
+ | /etc/init.d/osqueryd | ||
+ | </syntaxhighlight> | ||
+ | == セットアップ == | ||
+ | === CentOS === | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | sudo cp /usr/share/osquery/osquery.example.conf /etc/osquery/osquery.conf | ||
+ | </syntaxhighlight> | ||
+ | === Ubuntu === | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | sudo cp /usr/share/osquery/osquery.example.conf /etc/osquery/osquery.conf | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== osquerydの起動 == | == osquerydの起動 == | ||
+ | === Ubuntu === | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | sudo service osqueryd start | ||
+ | </syntaxhighlight> | ||
+ | === CentOS === | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | sudo service osqueryd start | ||
+ | </syntaxhighlight> | ||
=== FreeBSD === | === FreeBSD === | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
行103: | 行265: | ||
.width [NUM1]+ Set column widths for "column" mode | .width [NUM1]+ Set column widths for "column" mode | ||
.timer ON|OFF Turn the CPU timer measurement on or off | .timer ON|OFF Turn the CPU timer measurement on or off | ||
+ | </syntaxhighlight> | ||
+ | === osquery のテーブル一覧 === | ||
+ | .tables でテーブルを確認できます。 | ||
+ | |||
+ | FreeBSDのテーブルは、以下の通りです。 | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | osquery> .tables | ||
+ | => cpuid | ||
+ | => crontab | ||
+ | => etc_hosts | ||
+ | => etc_protocols | ||
+ | => etc_services | ||
+ | => file | ||
+ | => groups | ||
+ | => hash | ||
+ | => interface_addresses | ||
+ | => interface_details | ||
+ | => listening_ports | ||
+ | => logged_in_users | ||
+ | => mounts | ||
+ | => osquery_extensions | ||
+ | => osquery_flags | ||
+ | => osquery_info | ||
+ | => osquery_registry | ||
+ | => osquery_schedule | ||
+ | => shell_history | ||
+ | => suid_bin | ||
+ | => time | ||
+ | => users | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | CentOSのテーブルは、以下の通りです。 | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | osquery> .tables | ||
+ | => acpi_tables | ||
+ | => arp_cache | ||
+ | => block_devices | ||
+ | => chrome_extensions | ||
+ | => cpuid | ||
+ | => crontab | ||
+ | => disk_encryption | ||
+ | => etc_hosts | ||
+ | => etc_protocols | ||
+ | => etc_services | ||
+ | => file | ||
+ | => file_events | ||
+ | => firefox_addons | ||
+ | => groups | ||
+ | => hardware_events | ||
+ | => hash | ||
+ | => interface_addresses | ||
+ | => interface_details | ||
+ | => iptables | ||
+ | => kernel_info | ||
+ | => kernel_integrity | ||
+ | => kernel_modules | ||
+ | => last | ||
+ | => listening_ports | ||
+ | => logged_in_users | ||
+ | => memory_map | ||
+ | => mounts | ||
+ | => msr | ||
+ | => opera_extensions | ||
+ | => os_version | ||
+ | => osquery_extensions | ||
+ | => osquery_flags | ||
+ | => osquery_info | ||
+ | => osquery_packs | ||
+ | => osquery_registry | ||
+ | => osquery_schedule | ||
+ | => passwd_changes | ||
+ | => pci_devices | ||
+ | => process_envs | ||
+ | => process_memory_map | ||
+ | => process_open_files | ||
+ | => process_open_sockets | ||
+ | => processes | ||
+ | => routes | ||
+ | => rpm_package_files | ||
+ | => rpm_packages | ||
+ | => shared_memory | ||
+ | => shell_history | ||
+ | => smbios_tables | ||
+ | => suid_bin | ||
+ | => system_controls | ||
+ | => time | ||
+ | => usb_devices | ||
+ | => user_groups | ||
+ | => users | ||
+ | => yara | ||
+ | => yara_events | ||
</syntaxhighlight> | </syntaxhighlight> | ||
=== ユーザを調べる === | === ユーザを調べる === | ||
行168: | 行421: | ||
+--------+------+----------+---------+------------------------------------+ | +--------+------+----------+---------+------------------------------------+ | ||
</syntaxhighlight> | </syntaxhighlight> | ||
+ | === パッケージを調べる === | ||
+ | CentOS | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | osquery> | ||
+ | osquery> select * from rpm_packages limit 10; | ||
+ | +-------------------------+----------+---------+------------------------------------------+----------+------------------------------------------+--------+ | ||
+ | | name | version | release | source | size | sha1 | arch | | ||
+ | +-------------------------+----------+---------+------------------------------------------+----------+------------------------------------------+--------+ | ||
+ | | fontpackages-filesystem | 1.44 | 8.el7 | fontpackages-1.44-8.el7.src.rpm | 0 | 606b81d031584ec3a5e408c0f57eed92cfb911e4 | noarch | | ||
+ | | liberation-fonts-common | 1.07.2 | 14.el7 | liberation-fonts-1.07.2-14.el7.src.rpm | 75627 | 43e22b24a8dd1b3986a1d35d5d5bb647b1f11fe9 | noarch | | ||
+ | | gnu-free-fonts-common | 20120503 | 8.el7 | gnu-free-fonts-20120503-8.el7.src.rpm | 502617 | 10f691325c2bdb50784584ff6e13782d51f36d70 | noarch | | ||
+ | | dejavu-fonts-common | 2.33 | 6.el7 | dejavu-fonts-2.33-6.el7.src.rpm | 130455 | 78512b0f7d249b5fbf7063c3acc422c6337535fc | noarch | | ||
+ | | filesystem | 3.2 | 18.el7 | filesystem-3.2-18.el7.src.rpm | 0 | 1d1e024704dd5947b3fff1fb67cd0d55faac8d04 | x86_64 | | ||
+ | | telepathy-filesystem | 0.0.2 | 6.el7 | telepathy-filesystem-0.0.2-6.el7.src.rpm | 0 | 9b481ff6695ad8db6895d7eb96ddbc8eb3821d3c | noarch | | ||
+ | | xkeyboard-config | 2.9 | 4.el7 | xkeyboard-config-2.9-4.el7.src.rpm | 5046316 | 9afd2f7c4a4c3ca4b83ce23eb689e0f0a7fad2a9 | noarch | | ||
+ | | poppler-data | 0.4.6 | 3.el7 | poppler-data-0.4.6-3.el7.src.rpm | 12013394 | 183304ef68ec9677c31440a708a3faad58f73716 | noarch | | ||
+ | | langtable | 0.0.13 | 4.el7 | langtable-0.0.13-4.el7.src.rpm | 103216 | 127cfc656f7ca4e689e1c6812b749e45302b0a02 | noarch | | ||
+ | | langtable-data | 0.0.13 | 4.el7 | langtable-0.0.13-4.el7.src.rpm | 574961 | f0ccedca37e0a4b8dc4b39e8d5cc0a6556a41596 | noarch | | ||
+ | +-------------------------+----------+---------+------------------------------------------+----------+------------------------------------------+--------+ | ||
+ | </syntaxhighlight> | ||
+ | === ログインユーザを調べる === | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | osquery> select * from logged_in_users; | ||
+ | +----------+-------+---------------------------+------------+-------+ | ||
+ | | user | tty | host | time | pid | | ||
+ | +----------+-------+---------------------------+------------+-------+ | ||
+ | | reboot | ~ | 3.10.0-123.8.1.el7.x86_64 | 1414068716 | 0 | | ||
+ | | kaworu | :0 | :0 | 1414069657 | 15854 | | ||
+ | | runlevel | ~ | 3.10.0-123.8.1.el7.x86_64 | 1414068814 | 53 | | ||
+ | | kaworu | pts/0 | :0 | 1414285551 | 19452 | | ||
+ | +----------+-------+---------------------------+------------+-------+ | ||
+ | </syntaxhighlight> | ||
+ | === リスニングポートを調べる === | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | osquery> select * from listening_ports; | ||
+ | +-----+-------+----------+--------+-----------+ | ||
+ | | pid | port | protocol | family | address | | ||
+ | +-----+-------+----------+--------+-----------+ | ||
+ | | -1 | 25 | 6 | 2 | 127.0.0.1 | | ||
+ | | -1 | 42048 | 6 | 2 | 0.0.0.0 | | ||
+ | | -1 | 111 | 6 | 2 | 0.0.0.0 | | ||
+ | | -1 | 22 | 6 | 2 | 0.0.0.0 | | ||
+ | | -1 | 631 | 6 | 2 | 127.0.0.1 | | ||
+ | | -1 | 25 | 6 | 10 | ::1 | | ||
+ | | -1 | 54475 | 6 | 10 | :: | | ||
+ | | -1 | 111 | 6 | 10 | :: | | ||
+ | | -1 | 22 | 6 | 10 | :: | | ||
+ | | -1 | 631 | 6 | 10 | ::1 | | ||
+ | | -1 | 985 | 17 | 2 | 0.0.0.0 | | ||
+ | | -1 | 26105 | 17 | 2 | 0.0.0.0 | | ||
+ | | -1 | 68 | 17 | 2 | 0.0.0.0 | | ||
+ | | -1 | 111 | 17 | 2 | 0.0.0.0 | | ||
+ | | -1 | 123 | 17 | 2 | 0.0.0.0 | | ||
+ | | -1 | 45189 | 17 | 2 | 0.0.0.0 | | ||
+ | | -1 | 56472 | 17 | 2 | 0.0.0.0 | | ||
+ | | -1 | 5353 | 17 | 2 | 0.0.0.0 | | ||
+ | | -1 | 804 | 17 | 2 | 127.0.0.1 | | ||
+ | | -1 | 323 | 17 | 2 | 127.0.0.1 | | ||
+ | | -1 | 2997 | 17 | 10 | :: | | ||
+ | | -1 | 985 | 17 | 10 | :: | | ||
+ | | -1 | 111 | 17 | 10 | :: | | ||
+ | | -1 | 123 | 17 | 10 | :: | | ||
+ | | -1 | 55063 | 17 | 10 | :: | | ||
+ | | -1 | 323 | 17 | 10 | ::1 | | ||
+ | | -1 | 58 | 255 | 10 | :: | | ||
+ | | -1 | 0 | 0 | 0 | | | ||
+ | +-----+-------+----------+--------+-----------+ | ||
+ | </syntaxhighlight> | ||
+ | == ログのディレクトリやファイル == | ||
+ | ログファイルは、/var/log/osquery のディレクトリに格納されます。 | ||
+ | |||
+ | osqueryd.results.log に json フォーマットでログイングされます。 | ||
+ | == ログの収集 == | ||
+ | LogStash や [[Splunk]] と連携することもできます。 | ||
+ | * LogStash | ||
+ | * [[Splunk]] | ||
+ | * Fluentd | ||
== エラー == | == エラー == | ||
+ | === osqueryd が起動しない === | ||
+ | pid ファイルがあるときに、osqueryd が起動しませんでした。pid ファイルを削除すると動作します。 | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | sudo rm /var/run/osqueryd.pid | ||
+ | </syntaxhighlight> | ||
+ | === osqueryi が起動しない === | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
$ osqueryi | $ osqueryi | ||
行181: | 行517: | ||
Using a virtual database. Need help, type '.help' | Using a virtual database. Need help, type '.help' | ||
osquery> | osquery> | ||
+ | </syntaxhighlight> | ||
+ | === osquery がスタードできない === | ||
+ | 15.04 だと 14系の [[osquery]] は、動かないかもしれない。 | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | $ sudo service osquery start | ||
+ | Job for osqueryd.service failed. See "systemctl status osqueryd.service" and "journalctl -xe" for details. | ||
+ | </syntaxhighlight> | ||
+ | === osqueryi === | ||
+ | 15.04 だと 14系の [[osquery]] は、動かないかもしれない。 | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | osqueryi: error while loading shared libraries: libgcrypt.so.11: cannot open | ||
+ | shared object file: No such file or directory | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== 関連項目 == | == 関連項目 == |
2015年6月27日 (土) 19:01時点における版
osquery とは、LinuxやOSXインフラストラクチャに対して、簡単に問合せができるツールです。侵入検知、インフラストラクチャの信頼性、コンプライアンスなどの面で、osqueryは、企業内の組織に通知することをゴールとしています。
読み方
- osquery
- おーえすくえりー
- osqueryi
- おーえすくえりー あい
概要
osqueryでは、SQLライクなクエリで、コンピューティングノードの情報にアクセスできます。OS X, Ubuntu, CentOS, FreeBSD などのOSで利用できます。
OS ごとに提供されるテーブルが異なるものもありますが、OSに依存せずに情報にアクセスできるのは、魅力の1つです。
インストール
FreeBSDにインストールする場合
pkgコマンドでインストールする場合
sudo pkg install osquery
CentOS
sudo rpm -ivh https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm sudo yum install osquery
sudo yum isntall https://osquery-packages.s3.amazonaws.com/centos7/osquery-1.4.7.rpm
$ sudo rpm -ivh https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm を取得中 警告: /var/tmp/rpm-tmp.PiSfzi: ヘッダー V4 RSA/SHA1 Signature、鍵 ID c9d8b80b: NOKEY 準備しています... ################################# [100%] 更新中 / インストール中... 1:osquery-s3-centos7-repo-1-0.0 ################################# [100%] $ sudo yum search osquery 読み込んだプラグイン:fastestmirror, langpacks osquery-s3-centos7-repo | 3.3 kB 00:00:00 osquery-s3-centos7-repo/x86_64/primary_db | 5.5 kB 00:00:02 Loading mirror speeds from cached hostfile * base: ftp.tsukuba.wide.ad.jp * extras: ftp.tsukuba.wide.ad.jp * updates: ftp.tsukuba.wide.ad.jp ======UNIQa6bfe2e35bee8107-h-3--QINU==================================== N/S matched: osquery =========================================== osquery.x86_64 : osquery is an operating system instrumentation toolchain. osquery-latest.x86_64 : osquery is an operating system instrumentation toolchain. (unstable/latest version) osquery-s3-centos7-repo.noarch : osquery S3 CentOS 7 RPM Repository Name and summary matches only, use "search all" for everything. $ sudo yum install osquery 読み込んだプラグイン:fastestmirror, langpacks Loading mirror speeds from cached hostfile * base: ftp.tsukuba.wide.ad.jp * extras: ftp.tsukuba.wide.ad.jp * updates: ftp.tsukuba.wide.ad.jp 依存性の解決をしています --> トランザクションの確認を実行しています。 ---> パッケージ osquery.x86_64 0:1.4.7-1.el7 を インストール --> 依存性解決を終了しました。 依存性を解決しました ======UNIQa6bfe2e35bee8107-h-4--QINU===================================================================================================== Package アーキテクチャー バージョン リポジトリー 容量 ======UNIQa6bfe2e35bee8107-h-5--QINU===================================================================================================== インストール中: osquery x86_64 1.4.7-1.el7 osquery-s3-centos7-repo 4.2 M トランザクションの要約 ======UNIQa6bfe2e35bee8107-h-6--QINU===================================================================================================== インストール 1 パッケージ 総ダウンロード容量: 4.2 M インストール容量: 13 M Is this ok [y/d/N]: y Downloading packages: 警告: /var/cache/yum/x86_64/7/osquery-s3-centos7-repo/packages/osquery-1.4.7.rpm: ヘッダー V4 RSA/SHA1 Signature、鍵 ID c9d8b80b: NOKEY osquery-1.4.7.rpm の公開鍵がインストールされていません osquery-1.4.7.rpm | 4.2 MB 00:00:13 file:///etc/pki/rpm-gpg/OSQUERY-S3-RPM-REPO-GPGKEY から鍵を取得中です。 Importing GPG key 0xC9D8B80B: Userid : "osquery (osquery) <osquery@fb.com>" Fingerprint: 1484 120a c4e9 f8a1 a577 aeee 97a8 0c63 c9d8 b80b Package : osquery-s3-centos7-repo-1-0.0.noarch (installed) From : /etc/pki/rpm-gpg/OSQUERY-S3-RPM-REPO-GPGKEY 上記の処理を行います。よろしいでしょうか? [y/N]y Running transaction check Running transaction test Transaction test succeeded Running transaction 警告: RPMDB は yum 以外で変更されました。 インストール中 : osquery-1.4.7-1.el7.x86_64 1/1 検証中 : osquery-1.4.7-1.el7.x86_64 1/1 インストール: osquery.x86_64 0:1.4.7-1.el7 完了しました!
Ubuntu
Ubuntu 14.04 LTS Trusty
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C9D8B80B sudo add-apt-repository "deb [arch=amd64] https://osquery-packages.s3.amazonaws.com/trusty trusty main" sudo apt update sudo apt install osquery
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C9D8B80B Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.GkVtyeQs09 --no-auto-check-trustdb --trust-model always --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyserver keyserver.ubuntu.com --recv-keys C9D8B80B gpg: requesting key C9D8B80B from hkp server keyserver.ubuntu.com gpg: key C9D8B80B: public key "osquery (osquery) <osquery@fb.com>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) $ sudo add-apt-repository "deb [arch=amd64] https://osquery-packages.s3.amazonaws.com/trusty trusty main"
ファイルリスト一覧
FreeBSD
osquery-1.4.5_2: /usr/local/bin/osqueryi /usr/local/etc/osquery.conf.sample /usr/local/etc/rc.d/osqueryd /usr/local/include/osquery/config.h /usr/local/include/osquery/core.h /usr/local/include/osquery/database.h /usr/local/include/osquery/database/db_handle.h /usr/local/include/osquery/database/query.h /usr/local/include/osquery/database/results.h /usr/local/include/osquery/enrollment.h /usr/local/include/osquery/events.h /usr/local/include/osquery/extensions.h /usr/local/include/osquery/filesystem.h /usr/local/include/osquery/flags.h /usr/local/include/osquery/hash.h /usr/local/include/osquery/logger.h /usr/local/include/osquery/registry.h /usr/local/include/osquery/sdk.h /usr/local/include/osquery/sql.h /usr/local/include/osquery/status.h /usr/local/include/osquery/tables.h /usr/local/lib/libosquery.a /usr/local/sbin/osqueryd /usr/local/share/licenses/osquery-1.4.5_2/BSD3CLAUSE /usr/local/share/licenses/osquery-1.4.5_2/LICENSE /usr/local/share/licenses/osquery-1.4.5_2/catalog.mk
CentOS
$ rpmquery osquery osquery-1.4.7-1.el7.x86_64 $ rpmquery -l osquery /etc/init.d/osqueryd /etc/osquery /usr/bin/osqueryctl /usr/bin/osqueryd /usr/bin/osqueryi /usr/share/osquery/osquery.example.conf /var/log/osquery /var/osquery
Ubuntu
$ dpkg -L osquery /. /usr /usr/bin /usr/bin/osqueryd /usr/bin/osqueryctl /usr/bin/osqueryi /usr/share /usr/share/osquery /usr/share/osquery/osquery.example.conf /usr/share/doc /usr/share/doc/osquery /usr/share/doc/osquery/changelog.Debian.gz /var /var/osquery /var/log /var/log/osquery /etc /etc/osquery /etc/init.d /etc/init.d/osqueryd
セットアップ
CentOS
sudo cp /usr/share/osquery/osquery.example.conf /etc/osquery/osquery.conf
Ubuntu
sudo cp /usr/share/osquery/osquery.example.conf /etc/osquery/osquery.conf
osquerydの起動
Ubuntu
sudo service osqueryd start
CentOS
sudo service osqueryd start
FreeBSD
service osqueryd start
使い方
osqueryi のコマンドラインオプション
osquery 1.4.5, your OS as a high-performance relational database Usage: osqueryi [OPTION]... [SQL STATEMENT] osquery command line flags: --config_plugin VALUE Config plugin name --config_path VALUE (filesystem) config plugin path to JSON config file --config_check Check the format of an osquery config and exit --daemonize Run as daemon (osqueryd only) --force Force osqueryd to kill previously-running daemons --pidfile VALUE Path to the daemon pidfile mutex --disable_watchdog Disable userland watchdog process --watchdog_level VALUE Performance limit level (0=loose, 1=normal, 2=restrictive, 3=debug) --schedule_timeout VALUE Limit the schedule, 0 for no limit --disable_extensions Disable extension API --extensions_autoload VALUE Optional path to a list of autoloaded & managed extensions --extensions_interval VALUE Seconds delay between connectivity checks --extensions_socket VALUE Path to the extensions UNIX domain socket --extensions_timeout VALUE Seconds to wait for autoloaded extensions --modules_autoload VALUE Optional path to a list of autoloaded registry modules osquery configuration options (set by config or CLI flags): --schedule_splay_percent VALUE[2] 20714 abort osqueryi -h
osqueryi で利用できるコマンド
osquery> .help Welcome to the osquery shell. Please explore your OS! You are connected to a transient 'in-memory' virtual database. .all [TABLE] Select all from a table .bail ON|OFF Stop after hitting an error; default OFF .echo ON|OFF Turn command echo on or off .exit Exit this program .header(s) ON|OFF Turn display of headers on or off .help Show this message .indices [TABLE] Show names of all indices .mode MODE Set output mode where MODE is one of: csv Comma-separated values column Left-aligned columns. (See .width) line One value per line list Values delimited by .separator string pretty Pretty printed SQL results .nullvalue STR Use STRING in place of NULL values .print STR... Print literal STRING .quit Exit this program .schema [TABLE] Show the CREATE statements .separator STR Change separator used by output mode and .import .show Show the current values for various settings .tables [TABLE] List names of tables .trace FILE|off Output each SQL statement as it is run .width [NUM1]+ Set column widths for "column" mode .timer ON|OFF Turn the CPU timer measurement on or off
osquery のテーブル一覧
.tables でテーブルを確認できます。
FreeBSDのテーブルは、以下の通りです。
osquery> .tables => cpuid => crontab => etc_hosts => etc_protocols => etc_services => file => groups => hash => interface_addresses => interface_details => listening_ports => logged_in_users => mounts => osquery_extensions => osquery_flags => osquery_info => osquery_registry => osquery_schedule => shell_history => suid_bin => time => users
CentOSのテーブルは、以下の通りです。
osquery> .tables => acpi_tables => arp_cache => block_devices => chrome_extensions => cpuid => crontab => disk_encryption => etc_hosts => etc_protocols => etc_services => file => file_events => firefox_addons => groups => hardware_events => hash => interface_addresses => interface_details => iptables => kernel_info => kernel_integrity => kernel_modules => last => listening_ports => logged_in_users => memory_map => mounts => msr => opera_extensions => os_version => osquery_extensions => osquery_flags => osquery_info => osquery_packs => osquery_registry => osquery_schedule => passwd_changes => pci_devices => process_envs => process_memory_map => process_open_files => process_open_sockets => processes => routes => rpm_package_files => rpm_packages => shared_memory => shell_history => smbios_tables => suid_bin => system_controls => time => usb_devices => user_groups => users => yara => yara_events
ユーザを調べる
osquery> select * from users; +-------+-------+------------+------------+------------+--------------------------------+-------------------------+--------------------------------+ | uid | gid | uid_signed | gid_signed | username | description | directory | shell | +-------+-------+------------+------------+------------+--------------------------------+-------------------------+--------------------------------+ | 0 | 0 | 0 | 0 | toor | Bourne-again Superuser | /root | | | 1 | 1 | 1 | 1 | daemon | Owner of many system processes | /root | /usr/sbin/nologin | | 2 | 5 | 2 | 5 | operator | System & | / | /usr/sbin/nologin | | 3 | 7 | 3 | 7 | bin | Binaries Commands and Source | / | /usr/sbin/nologin | | 4 | 65533 | 4 | 65533 | tty | Tty Sandbox | / | /usr/sbin/nologin | | 5 | 65533 | 5 | 65533 | kmem | KMem Sandbox | / | /usr/sbin/nologin | | 7 | 13 | 7 | 13 | games | Games pseudo-user | /usr/games | /usr/sbin/nologin | | 8 | 8 | 8 | 8 | news | News Subsystem | / | /usr/sbin/nologin | | 9 | 9 | 9 | 9 | man | Mister Man Pages | /usr/share/man | /usr/sbin/nologin | | 22 | 22 | 22 | 22 | sshd | Secure Shell Daemon | /var/empty | /usr/sbin/nologin | | 25 | 25 | 25 | 25 | smmsp | Sendmail Submission User | /var/spool/clientmqueue | /usr/sbin/nologin | | 26 | 26 | 26 | 26 | mailnull | Sendmail Default User | /var/spool/mqueue | /usr/sbin/nologin | | 53 | 53 | 53 | 53 | bind | Bind Sandbox | / | /usr/sbin/nologin | | 59 | 59 | 59 | 59 | unbound | Unbound DNS Resolver | /var/unbound | /usr/sbin/nologin | | 62 | 62 | 62 | 62 | proxy | Packet Filter pseudo-user | /nonexistent | /usr/sbin/nologin | | 64 | 64 | 64 | 64 | _pflogd | pflogd privsep user | /var/empty | /usr/sbin/nologin | | 65 | 65 | 65 | 65 | _dhcp | dhcp programs | /var/empty | /usr/sbin/nologin | | 66 | 66 | 66 | 66 | uucp | UUCP pseudo-user | /var/spool/uucppublic | /usr/local/libexec/uucp/uucico | | 68 | 6 | 68 | 6 | pop | Post Office Owner | /nonexistent | /usr/sbin/nologin | | 78 | 77 | 78 | 77 | auditdistd | Auditdistd unprivileged user | /var/empty | /usr/sbin/nologin | | 80 | 80 | 80 | 80 | www | World Wide Web Owner | /nonexistent | /usr/sbin/nologin | | 845 | 845 | 845 | 845 | hast | HAST unprivileged user | /var/empty | /usr/sbin/nologin | | 65534 | 65534 | 65534 | 65534 | nobody | Unprivileged user | /nonexistent | /usr/sbin/nologin | | 1001 | 1001 | 1001 | 1001 | user | user | /home/user | /bin/tcsh | | 1002 | 1002 | 1002 | 1002 | kaworu | User & | /home/kaworu | /usr/local/bin/zsh | | 964 | 964 | 964 | 964 | git_daemon | git daemon | /nonexistent | /usr/sbin/nologin | | 1003 | 1003 | 1003 | 1003 | test | test | /home/test | /usr/local/bin/zsh | | 88 | 88 | 88 | 88 | mysql | MySQL Daemon | /var/db/mysql | /usr/sbin/nologin | | 193 | 193 | 193 | 193 | cups | Cups Owner | /nonexistent | /usr/sbin/nologin | | 556 | 556 | 556 | 556 | messagebus | D-BUS Daemon User | /nonexistent | /usr/sbin/nologin | | 60 | 60 | 60 | 60 | cyrus | the cyrus mail server | /nonexistent | /usr/sbin/nologin | | 601 | 601 | 601 | 601 | _tss | TrouSerS user | /var/empty | /usr/sbin/nologin | | 955 | 955 | 955 | 955 | hdfs | Hadoop HDFS user | /nonexistent | /usr/sbin/nologin | | 947 | 955 | 947 | 955 | mapred | Hadoop MapReduce user | /nonexistent | /usr/sbin/nologin | | 987 | 987 | 987 | 987 | spark | Apache Spark user | /nonexistent | /usr/sbin/nologin | +-------+-------+------------+------------+------------+--------------------------------+-------------------------+--------------------------------+
ネットワークインタフェースの情報
ネットワークインタフェースの情報を調べることもできます。
osquery> select * from interface_details where interface = 'em0'; +-----------+-------------------+------+------+--------+----------+----------+----------+----------+---------+---------+-------------+ | interface | mac | type | mtu | metric | ipackets | opackets | ibytes | obytes | ierrors | oerrors | last_change | +-----------+-------------------+------+------+--------+----------+----------+----------+----------+---------+---------+-------------+ | em0 | 00:0c:29:cb:15:e1 | 6 | 1500 | 0 | 77076 | 42882 | 51203175 | 11475006 | 0 | 0 | 1435314738 | +-----------+-------------------+------+------+--------+----------+----------+----------+----------+---------+---------+-------------+
サービスを調べる
osquery> select * from etc_services limit 3; +--------+------+----------+---------+------------------------------------+ | name | port | protocol | aliases | comment | +--------+------+----------+---------+------------------------------------+ | rtmp | 1 | ddp | | Routing Table Maintenance Protocol | | tcpmux | 1 | tcp | | TCP Port Service Multiplexer | | tcpmux | 1 | udp | | TCP Port Service Multiplexer | +--------+------+----------+---------+------------------------------------+
パッケージを調べる
CentOS
osquery> osquery> select * from rpm_packages limit 10; +-------------------------+----------+---------+------------------------------------------+----------+------------------------------------------+--------+ | name | version | release | source | size | sha1 | arch | +-------------------------+----------+---------+------------------------------------------+----------+------------------------------------------+--------+ | fontpackages-filesystem | 1.44 | 8.el7 | fontpackages-1.44-8.el7.src.rpm | 0 | 606b81d031584ec3a5e408c0f57eed92cfb911e4 | noarch | | liberation-fonts-common | 1.07.2 | 14.el7 | liberation-fonts-1.07.2-14.el7.src.rpm | 75627 | 43e22b24a8dd1b3986a1d35d5d5bb647b1f11fe9 | noarch | | gnu-free-fonts-common | 20120503 | 8.el7 | gnu-free-fonts-20120503-8.el7.src.rpm | 502617 | 10f691325c2bdb50784584ff6e13782d51f36d70 | noarch | | dejavu-fonts-common | 2.33 | 6.el7 | dejavu-fonts-2.33-6.el7.src.rpm | 130455 | 78512b0f7d249b5fbf7063c3acc422c6337535fc | noarch | | filesystem | 3.2 | 18.el7 | filesystem-3.2-18.el7.src.rpm | 0 | 1d1e024704dd5947b3fff1fb67cd0d55faac8d04 | x86_64 | | telepathy-filesystem | 0.0.2 | 6.el7 | telepathy-filesystem-0.0.2-6.el7.src.rpm | 0 | 9b481ff6695ad8db6895d7eb96ddbc8eb3821d3c | noarch | | xkeyboard-config | 2.9 | 4.el7 | xkeyboard-config-2.9-4.el7.src.rpm | 5046316 | 9afd2f7c4a4c3ca4b83ce23eb689e0f0a7fad2a9 | noarch | | poppler-data | 0.4.6 | 3.el7 | poppler-data-0.4.6-3.el7.src.rpm | 12013394 | 183304ef68ec9677c31440a708a3faad58f73716 | noarch | | langtable | 0.0.13 | 4.el7 | langtable-0.0.13-4.el7.src.rpm | 103216 | 127cfc656f7ca4e689e1c6812b749e45302b0a02 | noarch | | langtable-data | 0.0.13 | 4.el7 | langtable-0.0.13-4.el7.src.rpm | 574961 | f0ccedca37e0a4b8dc4b39e8d5cc0a6556a41596 | noarch | +-------------------------+----------+---------+------------------------------------------+----------+------------------------------------------+--------+
ログインユーザを調べる
osquery> select * from logged_in_users; +----------+-------+---------------------------+------------+-------+ | user | tty | host | time | pid | +----------+-------+---------------------------+------------+-------+ | reboot | ~ | 3.10.0-123.8.1.el7.x86_64 | 1414068716 | 0 | | kaworu | :0 | :0 | 1414069657 | 15854 | | runlevel | ~ | 3.10.0-123.8.1.el7.x86_64 | 1414068814 | 53 | | kaworu | pts/0 | :0 | 1414285551 | 19452 | +----------+-------+---------------------------+------------+-------+
リスニングポートを調べる
osquery> select * from listening_ports; +-----+-------+----------+--------+-----------+ | pid | port | protocol | family | address | +-----+-------+----------+--------+-----------+ | -1 | 25 | 6 | 2 | 127.0.0.1 | | -1 | 42048 | 6 | 2 | 0.0.0.0 | | -1 | 111 | 6 | 2 | 0.0.0.0 | | -1 | 22 | 6 | 2 | 0.0.0.0 | | -1 | 631 | 6 | 2 | 127.0.0.1 | | -1 | 25 | 6 | 10 | ::1 | | -1 | 54475 | 6 | 10 | :: | | -1 | 111 | 6 | 10 | :: | | -1 | 22 | 6 | 10 | :: | | -1 | 631 | 6 | 10 | ::1 | | -1 | 985 | 17 | 2 | 0.0.0.0 | | -1 | 26105 | 17 | 2 | 0.0.0.0 | | -1 | 68 | 17 | 2 | 0.0.0.0 | | -1 | 111 | 17 | 2 | 0.0.0.0 | | -1 | 123 | 17 | 2 | 0.0.0.0 | | -1 | 45189 | 17 | 2 | 0.0.0.0 | | -1 | 56472 | 17 | 2 | 0.0.0.0 | | -1 | 5353 | 17 | 2 | 0.0.0.0 | | -1 | 804 | 17 | 2 | 127.0.0.1 | | -1 | 323 | 17 | 2 | 127.0.0.1 | | -1 | 2997 | 17 | 10 | :: | | -1 | 985 | 17 | 10 | :: | | -1 | 111 | 17 | 10 | :: | | -1 | 123 | 17 | 10 | :: | | -1 | 55063 | 17 | 10 | :: | | -1 | 323 | 17 | 10 | ::1 | | -1 | 58 | 255 | 10 | :: | | -1 | 0 | 0 | 0 | | +-----+-------+----------+--------+-----------+
ログのディレクトリやファイル
ログファイルは、/var/log/osquery のディレクトリに格納されます。
osqueryd.results.log に json フォーマットでログイングされます。
ログの収集
LogStash や Splunk と連携することもできます。
- LogStash
- Splunk
- Fluentd
エラー
osqueryd が起動しない
pid ファイルがあるときに、osqueryd が起動しませんでした。pid ファイルを削除すると動作します。
sudo rm /var/run/osqueryd.pid
osqueryi が起動しない
$ osqueryi E0626 19:42:41.068462 92300288 init.cpp:290] osqueryi initialize failed: Could not create DB handle Assertion failed: (ret == 0), function ~impl, file src/thrift/concurrency/Mutex.cpp, line 131.
rootユーザでないとエラーが出る模様。
$ sudo osqueryi osquery - being built, with love, at Facebook ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Using a virtual database. Need help, type '.help' osquery>
osquery がスタードできない
15.04 だと 14系の osquery は、動かないかもしれない。
$ sudo service osquery start Job for osqueryd.service failed. See "systemctl status osqueryd.service" and "journalctl -xe" for details.
osqueryi
15.04 だと 14系の osquery は、動かないかもしれない。
osqueryi: error while loading shared libraries: libgcrypt.so.11: cannot open shared object file: No such file or directory