How to Install osquery on Debian 10
On this page
- Prerequisites
- Getting Started
- Installing osquery
- Using osquery
- Monitoring the System with osquery
- Conclusion
osquery is a free and open-source tool developed by Facebook that lets you query operating-system information, including memory usage, installed packages, process information, logged-in users, listening ports and more. It runs on several operating systems, including Windows, Linux, FreeBSD and macOS. It is a very useful tool for a wide range of use cases, from troubleshooting performance and operational problems to security monitoring, and it ships with several components that help you analyze and monitor the operating system.
In this tutorial, we will learn how to install and use osquery on Debian 10.
Prerequisites
- A server running Debian 10.
- A root password configured on your server.
Getting Started
Before you begin, it is a good idea to update your system packages to the latest versions. You can update all packages with the following commands:
apt-get update -y
apt-get upgrade -y
Once all packages are updated, restart your system to apply the changes.
Installing osquery
By default, osquery is not available in the Debian 10 default repository, so you need to add the osquery repository to your system.
First, download and add the GPG key with the following command:
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
Next, add the osquery repository with the following commands:
apt-get install software-properties-common -y
add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
Next, update the repository index and install osquery with the following commands:
apt-get update -y
apt-get install osquery -y
Once the installation is complete, start the osquery service with the following command:
osqueryctl start osqueryd
You can also verify the status of osquery with the following command:
osqueryctl status osqueryd
You should see the following output:
● osqueryd.service - The osquery Daemon
Loaded: loaded (/lib/systemd/system/osqueryd.service; disabled; vendor preset: enabled)
Active: active (running) since Sun 2020-04-19 15:21:57 UTC; 6s ago
Process: 25333 ExecStartPre=/bin/sh -c if [ ! -f $CONFIG_FILE ]; then echo {} > $CONFIG_FILE; fi (code=exited, status=0/SUCCESS)
Process: 25334 ExecStartPre=/bin/sh -c if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi (code=exited, status=0/SUCCESS)
Process: 25336 ExecStartPre=/bin/sh -c if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi (code=exited, status=0/SUCCESS)
Main PID: 25337 (osqueryd)
Tasks: 13 (limit: 4701)
Memory: 6.4M
CGroup: /system.slice/osqueryd.service
├─25337 /usr/bin/osqueryd --flagfile /etc/osquery/osquery.flags --config_path /etc/osquery/osquery.conf
└─25339 /usr/bin/osqueryd
Apr 19 15:21:57 debian10 systemd[1]: Starting The osquery Daemon...
Apr 19 15:21:57 debian10 systemd[1]: Started The osquery Daemon.
Apr 19 15:21:57 debian10 osqueryd[25337]: osqueryd started [version=4.2.0]
Apr 19 15:21:57 debian10 osqueryd[25337]: I0419 15:21:57.261158 25339 events.cpp:863] Event publisher not enabled: auditeventpublisher: Publish
Apr 19 15:21:57 debian10 osqueryd[25337]: I0419 15:21:57.261485 25339 events.cpp:863] Event publisher not enabled: syslog: Publisher disabled v
Using osquery
osquery comes with three useful components: osqueryi, osqueryd and osqueryctl. osqueryi is the interactive osquery shell; it does not communicate with the daemon. You can use the shell to run queries and explore the current state of the operating system. osqueryd is the host monitoring daemon, used to schedule queries and log changes in operating-system state. osqueryctl is a helper script for testing the configuration and controlling the daemon.
Run the following command to connect to the osquery shell:
osqueryi
You should get the following output:
Using a virtual database. Need help, type '.help'
Next, run the .help command to see all options available in the osquery shell:
osquery> .help
You should get the following output:
Welcome to the osquery shell. Please explore your OS!
You are connected to a transient 'in-memory' virtual database.
.all [TABLE] Select all from a table
.bail ON|OFF Stop after hitting an error
.echo ON|OFF Turn command echo on or off
.exit Exit this program
.features List osquery's features and their statuses
.headers ON|OFF Turn display of headers on or off
.help Show this message
.mode MODE Set output mode where MODE is one of:
csv Comma-separated values
column Left-aligned columns see .width
line One value per line
list Values delimited by .separator string
pretty Pretty printed SQL results (default)
.nullvalue STR Use STRING in place of NULL values
.print STR... Print literal STRING
.quit Exit this program
.schema [TABLE] Show the CREATE statements
.separator STR Change separator used by output mode
.socket Show the osquery extensions socket path
.show Show the current values for various settings
.summary Alias for the show meta command
.tables [TABLE] List names of tables
.types [SQL] Show result of getQueryColumns for the given query
.width [NUM1]+ Set column widths for "column" mode
.timer ON|OFF Turn the CPU timer measurement on or off
osquery>
There are many tables available to query. You can list all of them with the following command:
osquery> .tables
You should get the following output:
=> acpi_tables
=> apparmor_profiles
=> apt_sources
=> arp_cache
=> atom_packages
=> augeas
=> authorized_keys
=> block_devices
=> carbon_black_info
=> carves
=> chrome_extensions
=> cpu_time
=> cpuid
=> crontab
=> curl
=> curl_certificate
=> deb_packages
=> device_file
=> device_hash
=> device_partitions
=> disk_encryption
=> dns_resolvers
=> docker_container_labels
=> docker_container_mounts
You can use these tables to look up a wide range of system information with osquery.
Monitoring the System with osquery
You can use osquery to monitor memory usage, process information, disk space, logged-in users and much more.
First, start the osquery shell with the following command:
osqueryi
Next, you can get the system hostname, the number of physical CPU cores and the physical memory with the following query:
osquery> select hostname,cpu_physical_cores,physical_memory from system_info;
You should get the following output:
+------------+--------------------+-----------------+
| hostname | cpu_physical_cores | physical_memory |
+------------+--------------------+-----------------+
| debian10 | 1 | 1032937472 |
+------------+--------------------+-----------------+
To get information about the ssh_config file, run the following query:
osquery> select * from ssh_configs;
You should get the following output:
W0419 15:47:17.043509 25397 virtual_table.cpp:959] The ssh_configs table returns data based on the current user by default, consider JOINing against the users table
W0419 15:47:17.043740 25397 virtual_table.cpp:974] Please see the table documentation: https://osquery.io/schema/#ssh_configs
+-----+--------+--------------------------+---------------------+
| uid | block | option | ssh_config_file |
+-----+--------+--------------------------+---------------------+
| 0 | host * | sendenv lang lc_* | /etc/ssh/ssh_config |
| 0 | host * | hashknownhosts yes | /etc/ssh/ssh_config |
| 0 | host * | gssapiauthentication yes | /etc/ssh/ssh_config |
+-----+--------+--------------------------+---------------------+
osquery>
To get a list of all users on the system, run the following query:
osquery> SELECT * FROM users;
You should get the following output:
+-------+-------+------------+------------+-----------------+------------------------------------+----------------------+-------------------+------+
| uid | gid | uid_signed | gid_signed | username | description | directory | shell | uuid |
+-------+-------+------------+------------+-----------------+------------------------------------+----------------------+-------------------+------+
| 0 | 0 | 0 | 0 | root | root | /root | /bin/bash | |
| 1 | 1 | 1 | 1 | daemon | daemon | /usr/sbin | /usr/sbin/nologin | |
| 2 | 2 | 2 | 2 | bin | bin | /bin | /usr/sbin/nologin | |
| 3 | 3 | 3 | 3 | sys | sys | /dev | /usr/sbin/nologin | |
| 4 | 65534 | 4 | 65534 | sync | sync | /bin | /bin/sync | |
| 5 | 60 | 5 | 60 | games | games | /usr/games | /usr/sbin/nologin | |
| 6 | 12 | 6 | 12 | man | man | /var/cache/man | /usr/sbin/nologin | |
| 7 | 7 | 7 | 7 | lp | lp | /var/spool/lpd | /usr/sbin/nologin | |
To filter the user list by UID, for example the accounts with a UID of 1000 or lower, run the following query:
osquery> select * from users where uid <= 1000 limit 3;
You should get the following output:
+-----+-----+------------+------------+----------+-------------+-----------+-------------------+------+
| uid | gid | uid_signed | gid_signed | username | description | directory | shell | uuid |
+-----+-----+------------+------------+----------+-------------+-----------+-------------------+------+
| 0 | 0 | 0 | 0 | root | root | /root | /bin/bash | |
| 1 | 1 | 1 | 1 | daemon | daemon | /usr/sbin | /usr/sbin/nologin | |
| 2 | 2 | 2 | 2 | bin | bin | /bin | /usr/sbin/nologin | |
+-----+-----+------------+------------+----------+-------------+-----------+-------------------+------+
To get a list of the currently logged-in users, run the following query:
osquery> select * from logged_in_users where type = 'user';
You should get the following output:
+------+------+-------+--------------+------------+-------+
| type | user | tty | host | time | pid |
+------+------+-------+--------------+------------+-------+
| user | root | pts/0 | 27.61.217.59 | 1587309538 | 19279 |
| user | root | pts/1 | 27.61.217.59 | 1587310737 | 25378 |
| user | root | pts/2 | 27.61.217.59 | 1587310997 | 25394 |
+------+------+-------+--------------+------------+-------+
To display the system's memory information, run the following query:
osquery> select * from memory_info;
You should get the following output:
+--------------+-------------+----------+------------+-------------+-----------+-----------+------------+-----------+
| memory_total | memory_free | buffers | cached | swap_cached | active | inactive | swap_total | swap_free |
+--------------+-------------+----------+------------+-------------+-----------+-----------+------------+-----------+
| 4138455040 | 2407211008 | 79745024 | 1384751104 | 0 | 556371968 | 954744832 | 0 | 0 |
+--------------+-------------+----------+------------+-------------+-----------+-----------+------------+-----------+
osquery>
To find the system load average, run the following query:
osquery> select * from load_average;
You should get the following output:
+--------+----------+
| period | average |
+--------+----------+
| 1m | 0.000000 |
| 5m | 0.000000 |
| 15m | 0.000000 |
+--------+----------+
osquery>
To list the first five installed packages, run the following query:
osquery> select * from deb_packages limit 5;
You should get the following output:
+-------------------+------------+--------------+------+-------+----------+
| name | version | source | size | arch | revision |
+-------------------+------------+--------------+------+-------+----------+
| acpi-support-base | 0.142-8 | acpi-support | 43 | all | 8 |
| acpid | 1:2.0.31-1 | | 146 | amd64 | 1 |
| adduser | 3.118 | | 849 | all | |
| apparmor | 2.13.2-10 | | 1833 | amd64 | 10 |
| apt | 1.8.2 | | 4064 | amd64 | |
+-------------------+------------+--------------+------+-------+----------+
To get information about running processes that are listening on all interfaces (0.0.0.0), run the following query:
osquery> SELECT DISTINCT processes.name, listening_ports.port, processes.pid FROM listening_ports JOIN processes USING (pid) WHERE listening_ports.address = '0.0.0.0';
You should get the following output:
+------+------+-----+
| name | port | pid |
+------+------+-----+
| sshd | 22 | 729 |
+------+------+-----+
To find all previous logins, run the following query:
osquery> select * from last;
You should get the following output:
+----------+-------+-------+------+------------+--------------+
| username | tty | pid | type | time | host |
+----------+-------+-------+------+------------+--------------+
| root | pts/0 | 1448 | 7 | 1587365277 | 27.61.217.41 |
| root | pts/1 | 13392 | 7 | 1587368569 | 27.61.217.41 |
| | pts/0 | 1004 | 8 | 1587376329 | |
| | pts/1 | 13321 | 8 | 1587376821 | |
| | ttyS0 | 748 | 8 | 1587465619 | |
| | tty1 | 749 | 8 | 1587465619 | |
| root | pts/0 | 1057 | 7 | 1587465664 | 27.61.217.9 |
| root | pts/1 | 1375 | 7 | 1587465846 | 27.61.217.9 |
+----------+-------+-------+------+------------+--------------+
To list all jobs scheduled in crontab, run the following query:
osquery> select command, path from crontab;
You should get the following output:
+----------------------------------------------------------------------------------------------------------------------------------------+-------------------+
| command | path |
+----------------------------------------------------------------------------------------------------------------------------------------+-------------------+
| root cd / && run-parts --report /etc/cron.hourly | /etc/crontab |
| root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) | /etc/crontab |
| root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) | /etc/crontab |
| root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) | /etc/crontab |
| root if [ -x /usr/share/mdadm/checkarray ] && [ $(date +\%d) -le 7 ]; then /usr/share/mdadm/checkarray --cron --all --idle --quiet; fi | /etc/cron.d/mdadm |
To find all open (listening) ports on the system, run the following query:
osquery> select * from listening_ports;
You should get the following output:
+------+------+----------+--------+------------+-----+--------+----------------------------------------+---------------+
| pid | port | protocol | family | address | fd | socket | path | net_namespace |
+------+------+----------+--------+------------+-----+--------+----------------------------------------+---------------+
| 444 | 53 | 6 | 2 | 127.0.0.53 | 13 | 14910 | | 4026531993 |
| 729 | 22 | 6 | 2 | 0.0.0.0 | 3 | 16940 | | 4026531993 |
| 664 | 3306 | 6 | 2 | 127.0.0.1 | 69 | 15824 | | 4026531993 |
| 544 | 6379 | 6 | 2 | 127.0.0.1 | 6 | 15472 | | 4026531993 |
| 729 | 22 | 6 | 10 | :: | 4 | 16951 | | 4026531993 |
| 544 | 6379 | 6 | 10 | ::1 | 7 | 15473 | | 4026531993 |
| 759 | 80 | 6 | 10 | :: | 4 | 17009 | | 4026531993 |
| 444 | 53 | 17 | 2 | 127.0.0.53 | 12 | 14909 | | 4026531993 |
| 405 | 58 | 255 | 10 | :: | 15 | 16039 | | 4026531993 |
To list the five process names with the most running instances, run the following query:
osquery> select count(pid) as total, name from processes group by name order by total desc limit 5;
You should get the following output:
+-------+---------+
| total | name |
+-------+---------+
| 4 | sshd |
| 3 | apache2 |
| 2 | systemd |
| 2 | bash |
| 2 | agetty |
+-------+---------+
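As an added example that is not part of the original tutorial: osqueryd, described above as the daemon that schedules queries and logs state changes, reads its schedule from /etc/osquery/osquery.conf (the path the service unit passes as --config_path). The configuration below turns several of the interactive queries from this section into scheduled queries run by osqueryd; it generalizes the listening-port query to the IPv6 wildcard '::' and joins authorized_keys against users as the ssh_configs warning above suggests, and the query names, column lists and intervals are choices made for this example.

```json
{
  "options": {
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "disable_events": "true",
    "schedule_splay_percent": "10",
    "utc": "true"
  },
  "schedule": {
    "exposed_listeners": {
      "query": "SELECT DISTINCT p.name, p.path, p.pid, lp.port, lp.protocol, lp.address FROM listening_ports lp JOIN processes p USING (pid) WHERE lp.address IN ('0.0.0.0', '::');",
      "interval": 300
    },
    "login_capable_accounts": {
      "query": "SELECT uid, gid, username, directory, shell FROM users WHERE shell NOT LIKE '%nologin' AND shell NOT LIKE '%false';",
      "interval": 3600
    },
    "ssh_authorized_keys": {
      "query": "SELECT u.username, ak.key_file, ak.algorithm, ak.key FROM users u JOIN authorized_keys ak USING (uid);",
      "interval": 3600
    },
    "cron_jobs": {
      "query": "SELECT path, minute, hour, command FROM crontab;",
      "interval": 3600
    },
    "installed_packages": {
      "query": "SELECT name, version, arch FROM deb_packages;",
      "interval": 86400
    },
    "load_average_snapshot": {
      "query": "SELECT period, average FROM load_average;",
      "interval": 60,
      "snapshot": true
    }
  }
}
```

Check the file with osqueryctl config-check before restarting osqueryd. The differential queries write only rows that were added or removed since the previous run to /var/log/osquery/osqueryd.results.log, so a new listener, account, key or cron job shows up as an "added" row, while the snapshot query writes the full result to osqueryd.snapshots.log on every run.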
Conclusion
In the tutorial above, we learned how to install and use osquery on Debian 10. osquery is a very useful tool for finding backdoors, malware or stray (zombie) processes on your system. For more information about osquery, visit the osquery documentation page.