osquery

提供: セキュリティ
2015年6月26日 (金) 19:54時点におけるDaemon (トーク | 投稿記録)による版 (ページの作成:「osquery とは、LinuxやOSXインフラストラクチャに対して、簡単に問合せができるツールです。侵入検知、インフラストラク...」)

(差分) ←前の版 | 最新版 (差分) | 次の版→ (差分)
移動: 案内検索
スポンサーリンク

osquery とは、LinuxやOSXインフラストラクチャに対して、簡単に問合せができるツールです。侵入検知、インフラストラクチャの信頼性、コンプライアンスなどの面で、osqueryは、企業内の組織に通知することをゴールとしています。

読み方

osquery
おーえすくえりー
osqueryi
おーえすくえりー あい

概要

osquery

インストール

FreeBSDにインストールする場合

pkgコマンドでインストールする場合

sudo pkg install osquery

ファイルリスト一覧

osquery-1.4.5_2:
        /usr/local/bin/osqueryi
        /usr/local/etc/osquery.conf.sample
        /usr/local/etc/rc.d/osqueryd
        /usr/local/include/osquery/config.h
        /usr/local/include/osquery/core.h
        /usr/local/include/osquery/database.h
        /usr/local/include/osquery/database/db_handle.h
        /usr/local/include/osquery/database/query.h
        /usr/local/include/osquery/database/results.h
        /usr/local/include/osquery/enrollment.h
        /usr/local/include/osquery/events.h
        /usr/local/include/osquery/extensions.h
        /usr/local/include/osquery/filesystem.h
        /usr/local/include/osquery/flags.h
        /usr/local/include/osquery/hash.h
        /usr/local/include/osquery/logger.h
        /usr/local/include/osquery/registry.h
        /usr/local/include/osquery/sdk.h
        /usr/local/include/osquery/sql.h
        /usr/local/include/osquery/status.h
        /usr/local/include/osquery/tables.h
        /usr/local/lib/libosquery.a
        /usr/local/sbin/osqueryd
        /usr/local/share/licenses/osquery-1.4.5_2/BSD3CLAUSE
        /usr/local/share/licenses/osquery-1.4.5_2/LICENSE
        /usr/local/share/licenses/osquery-1.4.5_2/catalog.mk

osquerydの起動

FreeBSD

service osqueryd start

使い方

osqueryi のコマンドラインオプション

osquery 1.4.5, your OS as a high-performance relational database
Usage: osqueryi [OPTION]... [SQL STATEMENT]
 
osquery command line flags:
 
    --config_plugin VALUE        Config plugin name
    --config_path VALUE          (filesystem) config plugin path to JSON config file
    --config_check               Check the format of an osquery config and exit
    --daemonize                  Run as daemon (osqueryd only)
    --force                      Force osqueryd to kill previously-running daemons
    --pidfile VALUE              Path to the daemon pidfile mutex
    --disable_watchdog           Disable userland watchdog process
    --watchdog_level VALUE       Performance limit level (0=loose, 1=normal, 2=restrictive, 3=debug)
    --schedule_timeout VALUE     Limit the schedule, 0 for no limit
    --disable_extensions         Disable extension API
    --extensions_autoload VALUE  Optional path to a list of autoloaded & managed extensions
    --extensions_interval VALUE  Seconds delay between connectivity checks
    --extensions_socket VALUE    Path to the extensions UNIX domain socket
    --extensions_timeout VALUE   Seconds to wait for autoloaded extensions
    --modules_autoload VALUE     Optional path to a list of autoloaded registry modules
 
osquery configuration options (set by config or CLI flags):
 
    --schedule_splay_percent VALUE[2]    20714 abort      osqueryi -h

osqueryi で利用できるコマンド

osquery> .help
Welcome to the osquery shell. Please explore your OS!
You are connected to a transient 'in-memory' virtual database.
 
.all [TABLE]       Select all from a table
.bail ON|OFF       Stop after hitting an error; default OFF
.echo ON|OFF       Turn command echo on or off
.exit              Exit this program
.header(s) ON|OFF  Turn display of headers on or off
.help              Show this message
.indices [TABLE]   Show names of all indices
.mode MODE         Set output mode where MODE is one of:
                     csv      Comma-separated values
                     column   Left-aligned columns.  (See .width)
                     line     One value per line
                     list     Values delimited by .separator string
                     pretty   Pretty printed SQL results
.nullvalue STR     Use STRING in place of NULL values
.print STR...      Print literal STRING
.quit              Exit this program
.schema [TABLE]    Show the CREATE statements
.separator STR     Change separator used by output mode and .import
.show              Show the current values for various settings
.tables [TABLE]    List names of tables
.trace FILE|off    Output each SQL statement as it is run
.width [NUM1]+     Set column widths for "column" mode
.timer ON|OFF      Turn the CPU timer measurement on or off

ユーザを調べる

osquery> select * from users;
+-------+-------+------------+------------+------------+--------------------------------+-------------------------+--------------------------------+
| uid   | gid   | uid_signed | gid_signed | username   | description                    | directory               | shell                          |
+-------+-------+------------+------------+------------+--------------------------------+-------------------------+--------------------------------+
| 0     | 0     | 0          | 0          | toor       | Bourne-again Superuser         | /root                   |                                |
| 1     | 1     | 1          | 1          | daemon     | Owner of many system processes | /root                   | /usr/sbin/nologin              |
| 2     | 5     | 2          | 5          | operator   | System &                       | /                       | /usr/sbin/nologin              |
| 3     | 7     | 3          | 7          | bin        | Binaries Commands and Source   | /                       | /usr/sbin/nologin              |
| 4     | 65533 | 4          | 65533      | tty        | Tty Sandbox                    | /                       | /usr/sbin/nologin              |
| 5     | 65533 | 5          | 65533      | kmem       | KMem Sandbox                   | /                       | /usr/sbin/nologin              |
| 7     | 13    | 7          | 13         | games      | Games pseudo-user              | /usr/games              | /usr/sbin/nologin              |
| 8     | 8     | 8          | 8          | news       | News Subsystem                 | /                       | /usr/sbin/nologin              |
| 9     | 9     | 9          | 9          | man        | Mister Man Pages               | /usr/share/man          | /usr/sbin/nologin              |
| 22    | 22    | 22         | 22         | sshd       | Secure Shell Daemon            | /var/empty              | /usr/sbin/nologin              |
| 25    | 25    | 25         | 25         | smmsp      | Sendmail Submission User       | /var/spool/clientmqueue | /usr/sbin/nologin              |
| 26    | 26    | 26         | 26         | mailnull   | Sendmail Default User          | /var/spool/mqueue       | /usr/sbin/nologin              |
| 53    | 53    | 53         | 53         | bind       | Bind Sandbox                   | /                       | /usr/sbin/nologin              |
| 59    | 59    | 59         | 59         | unbound    | Unbound DNS Resolver           | /var/unbound            | /usr/sbin/nologin              |
| 62    | 62    | 62         | 62         | proxy      | Packet Filter pseudo-user      | /nonexistent            | /usr/sbin/nologin              |
| 64    | 64    | 64         | 64         | _pflogd    | pflogd privsep user            | /var/empty              | /usr/sbin/nologin              |
| 65    | 65    | 65         | 65         | _dhcp      | dhcp programs                  | /var/empty              | /usr/sbin/nologin              |
| 66    | 66    | 66         | 66         | uucp       | UUCP pseudo-user               | /var/spool/uucppublic   | /usr/local/libexec/uucp/uucico |
| 68    | 6     | 68         | 6          | pop        | Post Office Owner              | /nonexistent            | /usr/sbin/nologin              |
| 78    | 77    | 78         | 77         | auditdistd | Auditdistd unprivileged user   | /var/empty              | /usr/sbin/nologin              |
| 80    | 80    | 80         | 80         | www        | World Wide Web Owner           | /nonexistent            | /usr/sbin/nologin              |
| 845   | 845   | 845        | 845        | hast       | HAST unprivileged user         | /var/empty              | /usr/sbin/nologin              |
| 65534 | 65534 | 65534      | 65534      | nobody     | Unprivileged user              | /nonexistent            | /usr/sbin/nologin              |
| 1001  | 1001  | 1001       | 1001       | user       | user                           | /home/user              | /bin/tcsh                      |
| 1002  | 1002  | 1002       | 1002       | kaworu     | User &                         | /home/kaworu            | /usr/local/bin/zsh             |
| 964   | 964   | 964        | 964        | git_daemon | git daemon                     | /nonexistent            | /usr/sbin/nologin              |
| 1003  | 1003  | 1003       | 1003       | test       | test                           | /home/test              | /usr/local/bin/zsh             |
| 88    | 88    | 88         | 88         | mysql      | MySQL Daemon                   | /var/db/mysql           | /usr/sbin/nologin              |
| 193   | 193   | 193        | 193        | cups       | Cups Owner                     | /nonexistent            | /usr/sbin/nologin              |
| 556   | 556   | 556        | 556        | messagebus | D-BUS Daemon User              | /nonexistent            | /usr/sbin/nologin              |
| 60    | 60    | 60         | 60         | cyrus      | the cyrus mail server          | /nonexistent            | /usr/sbin/nologin              |
| 601   | 601   | 601        | 601        | _tss       | TrouSerS user                  | /var/empty              | /usr/sbin/nologin              |
| 955   | 955   | 955        | 955        | hdfs       | Hadoop HDFS user               | /nonexistent            | /usr/sbin/nologin              |
| 947   | 955   | 947        | 955        | mapred     | Hadoop MapReduce user          | /nonexistent            | /usr/sbin/nologin              |
| 987   | 987   | 987        | 987        | spark      | Apache Spark user              | /nonexistent            | /usr/sbin/nologin              |
+-------+-------+------------+------------+------------+--------------------------------+-------------------------+--------------------------------+

ネットワークインタフェースの情報

ネットワークインタフェースの情報を調べることもできます。

osquery> select * from interface_details where interface = 'em0';
+-----------+-------------------+------+------+--------+----------+----------+----------+----------+---------+---------+-------------+
| interface | mac               | type | mtu  | metric | ipackets | opackets | ibytes   | obytes   | ierrors | oerrors | last_change |
+-----------+-------------------+------+------+--------+----------+----------+----------+----------+---------+---------+-------------+
| em0       | 00:0c:29:cb:15:e1 | 6    | 1500 | 0      | 77076    | 42882    | 51203175 | 11475006 | 0       | 0       | 1435314738  |
+-----------+-------------------+------+------+--------+----------+----------+----------+----------+---------+---------+-------------+

サービスを調べる

osquery> select * from etc_services limit 3;
+--------+------+----------+---------+------------------------------------+
| name   | port | protocol | aliases | comment                            |
+--------+------+----------+---------+------------------------------------+
| rtmp   | 1    | ddp      |         | Routing Table Maintenance Protocol |
| tcpmux | 1    | tcp      |         | TCP Port Service Multiplexer       |
| tcpmux | 1    | udp      |         | TCP Port Service Multiplexer       |
+--------+------+----------+---------+------------------------------------+

エラー

$ osqueryi
E0626 19:42:41.068462 92300288 init.cpp:290] osqueryi initialize failed: Could not create DB handle
Assertion failed: (ret == 0), function ~impl, file src/thrift/concurrency/Mutex.cpp, line 131.

rootユーザでないとエラーが出る模様。

$ sudo osqueryi
osquery - being built, with love, at Facebook
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Using a virtual database. Need help, type '.help'
osquery>

関連項目




スポンサーリンク