osquery
From: Security
Revision as of 19:54, 26 June 2015 (Fri) by Daemon (talk | contribs) (Created page: "osquery is a tool that lets you easily query Linux and OS X infrastructure. In terms of intrusion detection, infrastruc...")
osquery is a tool that lets you easily run queries against Linux and OS X infrastructure. Its goal is to give organizations within a company visibility into intrusion detection, infrastructure reliability, compliance, and similar concerns.
Pronunciation
- osquery
- "ōesukuerī" (oh-es-query)
- osqueryi
- "ōesukuerī ai" (oh-es-query-eye)
Overview
osquery
Installation
Installing on FreeBSD
Installing with the pkg command
sudo pkg install osquery
File list
osquery-1.4.5_2:
	/usr/local/bin/osqueryi
	/usr/local/etc/osquery.conf.sample
	/usr/local/etc/rc.d/osqueryd
	/usr/local/include/osquery/config.h
	/usr/local/include/osquery/core.h
	/usr/local/include/osquery/database.h
	/usr/local/include/osquery/database/db_handle.h
	/usr/local/include/osquery/database/query.h
	/usr/local/include/osquery/database/results.h
	/usr/local/include/osquery/enrollment.h
	/usr/local/include/osquery/events.h
	/usr/local/include/osquery/extensions.h
	/usr/local/include/osquery/filesystem.h
	/usr/local/include/osquery/flags.h
	/usr/local/include/osquery/hash.h
	/usr/local/include/osquery/logger.h
	/usr/local/include/osquery/registry.h
	/usr/local/include/osquery/sdk.h
	/usr/local/include/osquery/sql.h
	/usr/local/include/osquery/status.h
	/usr/local/include/osquery/tables.h
	/usr/local/lib/libosquery.a
	/usr/local/sbin/osqueryd
	/usr/local/share/licenses/osquery-1.4.5_2/BSD3CLAUSE
	/usr/local/share/licenses/osquery-1.4.5_2/LICENSE
	/usr/local/share/licenses/osquery-1.4.5_2/catalog.mk
Starting osqueryd
FreeBSD
service osqueryd start
Usage
osqueryi command-line options
osquery 1.4.5, your OS as a high-performance relational database
Usage: osqueryi [OPTION]... [SQL STATEMENT]

osquery command line flags:

  --config_plugin VALUE         Config plugin name
  --config_path VALUE           (filesystem) config plugin path to JSON config file
  --config_check                Check the format of an osquery config and exit
  --daemonize                   Run as daemon (osqueryd only)
  --force                       Force osqueryd to kill previously-running daemons
  --pidfile VALUE               Path to the daemon pidfile mutex
  --disable_watchdog            Disable userland watchdog process
  --watchdog_level VALUE        Performance limit level (0=loose, 1=normal, 2=restrictive, 3=debug)
  --schedule_timeout VALUE      Limit the schedule, 0 for no limit
  --disable_extensions          Disable extension API
  --extensions_autoload VALUE   Optional path to a list of autoloaded & managed extensions
  --extensions_interval VALUE   Seconds delay between connectivity checks
  --extensions_socket VALUE     Path to the extensions UNIX domain socket
  --extensions_timeout VALUE    Seconds to wait for autoloaded extensions
  --modules_autoload VALUE      Optional path to a list of autoloaded registry modules

osquery configuration options (set by config or CLI flags):

  --schedule_splay_percent VALUE
[2]    20714 abort      osqueryi -h
The help text stops at --schedule_splay_percent because the osqueryi -h process aborted; the last line is the shell's job-control message for that abort.
Commands available in osqueryi
osquery> .help
Welcome to the osquery shell. Please explore your OS!
You are connected to a transient 'in-memory' virtual database.

.all [TABLE]       Select all from a table
.bail ON|OFF       Stop after hitting an error; default OFF
.echo ON|OFF       Turn command echo on or off
.exit              Exit this program
.header(s) ON|OFF  Turn display of headers on or off
.help              Show this message
.indices [TABLE]   Show names of all indices
.mode MODE         Set output mode where MODE is one of:
                     csv      Comma-separated values
                     column   Left-aligned columns. (See .width)
                     line     One value per line
                     list     Values delimited by .separator string
                     pretty   Pretty printed SQL results
.nullvalue STR     Use STRING in place of NULL values
.print STR...      Print literal STRING
.quit              Exit this program
.schema [TABLE]    Show the CREATE statements
.separator STR     Change separator used by output mode and .import
.show              Show the current values for various settings
.tables [TABLE]    List names of tables
.trace FILE|off    Output each SQL statement as it is run
.width [NUM1]+     Set column widths for "column" mode
.timer ON|OFF      Turn the CPU timer measurement on or off
Listing users
osquery> select * from users;
+-------+-------+------------+------------+------------+--------------------------------+-------------------------+--------------------------------+
| uid   | gid   | uid_signed | gid_signed | username   | description                    | directory               | shell                          |
+-------+-------+------------+------------+------------+--------------------------------+-------------------------+--------------------------------+
| 0     | 0     | 0          | 0          | toor       | Bourne-again Superuser         | /root                   |                                |
| 1     | 1     | 1          | 1          | daemon     | Owner of many system processes | /root                   | /usr/sbin/nologin              |
| 2     | 5     | 2          | 5          | operator   | System &                       | /                       | /usr/sbin/nologin              |
| 3     | 7     | 3          | 7          | bin        | Binaries Commands and Source   | /                       | /usr/sbin/nologin              |
| 4     | 65533 | 4          | 65533      | tty        | Tty Sandbox                    | /                       | /usr/sbin/nologin              |
| 5     | 65533 | 5          | 65533      | kmem       | KMem Sandbox                   | /                       | /usr/sbin/nologin              |
| 7     | 13    | 7          | 13         | games      | Games pseudo-user              | /usr/games              | /usr/sbin/nologin              |
| 8     | 8     | 8          | 8          | news       | News Subsystem                 | /                       | /usr/sbin/nologin              |
| 9     | 9     | 9          | 9          | man        | Mister Man Pages               | /usr/share/man          | /usr/sbin/nologin              |
| 22    | 22    | 22         | 22         | sshd       | Secure Shell Daemon            | /var/empty              | /usr/sbin/nologin              |
| 25    | 25    | 25         | 25         | smmsp      | Sendmail Submission User       | /var/spool/clientmqueue | /usr/sbin/nologin              |
| 26    | 26    | 26         | 26         | mailnull   | Sendmail Default User          | /var/spool/mqueue       | /usr/sbin/nologin              |
| 53    | 53    | 53         | 53         | bind       | Bind Sandbox                   | /                       | /usr/sbin/nologin              |
| 59    | 59    | 59         | 59         | unbound    | Unbound DNS Resolver           | /var/unbound            | /usr/sbin/nologin              |
| 62    | 62    | 62         | 62         | proxy      | Packet Filter pseudo-user      | /nonexistent            | /usr/sbin/nologin              |
| 64    | 64    | 64         | 64         | _pflogd    | pflogd privsep user            | /var/empty              | /usr/sbin/nologin              |
| 65    | 65    | 65         | 65         | _dhcp      | dhcp programs                  | /var/empty              | /usr/sbin/nologin              |
| 66    | 66    | 66         | 66         | uucp       | UUCP pseudo-user               | /var/spool/uucppublic   | /usr/local/libexec/uucp/uucico |
| 68    | 6     | 68         | 6          | pop        | Post Office Owner              | /nonexistent            | /usr/sbin/nologin              |
| 78    | 77    | 78         | 77         | auditdistd | Auditdistd unprivileged user   | /var/empty              | /usr/sbin/nologin              |
| 80    | 80    | 80         | 80         | www        | World Wide Web Owner           | /nonexistent            | /usr/sbin/nologin              |
| 845   | 845   | 845        | 845        | hast       | HAST unprivileged user         | /var/empty              | /usr/sbin/nologin              |
| 65534 | 65534 | 65534      | 65534      | nobody     | Unprivileged user              | /nonexistent            | /usr/sbin/nologin              |
| 1001  | 1001  | 1001       | 1001       | user       | user                           | /home/user              | /bin/tcsh                      |
| 1002  | 1002  | 1002       | 1002       | kaworu     | User &                         | /home/kaworu            | /usr/local/bin/zsh             |
| 964   | 964   | 964        | 964        | git_daemon | git daemon                     | /nonexistent            | /usr/sbin/nologin              |
| 1003  | 1003  | 1003       | 1003       | test       | test                           | /home/test              | /usr/local/bin/zsh             |
| 88    | 88    | 88         | 88         | mysql      | MySQL Daemon                   | /var/db/mysql           | /usr/sbin/nologin              |
| 193   | 193   | 193        | 193        | cups       | Cups Owner                     | /nonexistent            | /usr/sbin/nologin              |
| 556   | 556   | 556        | 556        | messagebus | D-BUS Daemon User              | /nonexistent            | /usr/sbin/nologin              |
| 60    | 60    | 60         | 60         | cyrus      | the cyrus mail server          | /nonexistent            | /usr/sbin/nologin              |
| 601   | 601   | 601        | 601        | _tss       | TrouSerS user                  | /var/empty              | /usr/sbin/nologin              |
| 955   | 955   | 955        | 955        | hdfs       | Hadoop HDFS user               | /nonexistent            | /usr/sbin/nologin              |
| 947   | 955   | 947        | 955        | mapred     | Hadoop MapReduce user          | /nonexistent            | /usr/sbin/nologin              |
| 987   | 987   | 987        | 987        | spark      | Apache Spark user              | /nonexistent            | /usr/sbin/nologin              |
+-------+-------+------------+------------+------------+--------------------------------+-------------------------+--------------------------------+
Network interface information
You can also look up information about network interfaces.
osquery> select * from interface_details where interface = 'em0';
+-----------+-------------------+------+------+--------+----------+----------+----------+----------+---------+---------+-------------+
| interface | mac               | type | mtu  | metric | ipackets | opackets | ibytes   | obytes   | ierrors | oerrors | last_change |
+-----------+-------------------+------+------+--------+----------+----------+----------+----------+---------+---------+-------------+
| em0       | 00:0c:29:cb:15:e1 | 6    | 1500 | 0      | 77076    | 42882    | 51203175 | 11475006 | 0       | 0       | 1435314738  |
+-----------+-------------------+------+------+--------+----------+----------+----------+----------+---------+---------+-------------+
Looking up services
osquery> select * from etc_services limit 3;
+--------+------+----------+---------+------------------------------------+
| name   | port | protocol | aliases | comment                            |
+--------+------+----------+---------+------------------------------------+
| rtmp   | 1    | ddp      |         | Routing Table Maintenance Protocol |
| tcpmux | 1    | tcp      |         | TCP Port Service Multiplexer       |
| tcpmux | 1    | udp      |         | TCP Port Service Multiplexer       |
+--------+------+----------+---------+------------------------------------+
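The interactive queries above are the same SQL that osqueryd (started in the section above) evaluates on a schedule, and that is how the intrusion-detection and compliance goals from the overview are met in practice. The configuration below is an added example, not the page's or the osquery project's own file. It assumes the config is placed at /usr/local/etc/osquery.conf (the package ships osquery.conf.sample in that directory), the filesystem config and logger plugins with a logger_path directory that osqueryd can write, and that the processes and listening_ports tables are available on the host (they exist on Linux and OS X; their availability on the FreeBSD build shown here is an assumption). Interval values are seconds.

```json
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "disable_logging": "false",
    "schedule_splay_percent": "10",
    "watchdog_level": "1"
  },
  "schedule": {
    "users_inventory": {
      "query": "SELECT uid, gid, username, directory, shell FROM users;",
      "interval": 3600
    },
    "uid0_accounts": {
      "query": "SELECT username, directory, shell FROM users WHERE uid = 0;",
      "interval": 600
    },
    "interactive_shell_accounts": {
      "query": "SELECT uid, username, shell FROM users WHERE shell NOT LIKE '%nologin%';",
      "interval": 3600
    },
    "interface_identity": {
      "query": "SELECT interface, mac, mtu FROM interface_details;",
      "interval": 600
    },
    "listening_services": {
      "query": "SELECT lp.port, lp.protocol, lp.address, p.name, p.path, p.uid FROM listening_ports AS lp JOIN processes AS p ON lp.pid = p.pid;",
      "interval": 300
    }
  }
}
```

osqueryd logs scheduled results differentially: after the first run it writes only rows that were added or removed since the previous run, so users_inventory is silent until an account is created, deleted or changed, and uid0_accounts only fires when a second superuser appears (on the FreeBSD host above, root and toor are the expected rows). interactive_shell_accounts deliberately keeps rows with an empty shell, because on FreeBSD an empty field means /bin/sh, as the toor row in the users table shows. interface_identity records only mac and mtu rather than the packet and byte counters, which change on every run and would produce a log entry each time. Each query can be pasted into osqueryi first to check its output, and the whole file can be validated with the --config_check and --config_path flags listed in the command-line options above before the daemon is restarted.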
Errors
$ osqueryi
E0626 19:42:41.068462 92300288 init.cpp:290] osqueryi initialize failed: Could not create DB handle
Assertion failed: (ret == 0), function ~impl, file src/thrift/concurrency/Mutex.cpp, line 131.
It seems this error occurs when osqueryi is not run as the root user.
$ sudo osqueryi
osquery - being built, with love, at Facebook
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Using a virtual database. Need help, type '.help'
osquery>
See also