Osquery
A ThreatLockDown module that manages the Osquery tool from the ThreatLockDown agents. It sets the Osquery configuration, collects the information that Osquery generates and sends it to the manager, which raises the corresponding alerts when necessary.
How it works
Osquery can be used to expose an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data.
Below are some examples of the queries you can make:
List all the local users of the machine:
SELECT * FROM users;
Get the process name, port, and PID for processes listening on all interfaces:
SELECT DISTINCT processes.name, listening_ports.port, processes.pid
FROM listening_ports JOIN processes USING (pid)
WHERE listening_ports.address = '0.0.0.0';
Check for processes whose executable has been deleted from disk:
SELECT * FROM processes WHERE on_disk = 0;
A complete list of all the available tables can be found in the Osquery table schema documentation.
Configuration
You need a working Osquery installation on your system. See the Osquery downloads page for details.
Red Hat, CentOS and Fedora:
For some distributions, you might need to install yum-utils first.
# curl -L https://pkg.osquery.io/rpm/GPG | tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
# yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
# yum-config-manager --enable osquery-s3-rpm-repo
# yum install osquery
Debian and Ubuntu based Linux distributions:
# export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY
# add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
# apt-get update
# apt-get install osquery
Once installed, you will need a configuration file for Osquery. If you don't have one, you can use the example file shipped with Osquery:
# cp /opt/osquery/share/osquery/osquery.example.conf /etc/osquery/osquery.conf
Or you can copy our custom configuration into /etc/osquery/osquery.conf:
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"utc": "true"
},
"schedule": {
"system_info": {
"query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
"interval": 3600
},
"high_load_average": {
"query": "SELECT period, average, '70%' AS 'threshold' FROM load_average WHERE period = '15m' AND average > '0.7';",
"interval": 900,
"description": "Report if load charge is over 70 percent."
},
"low_free_memory": {
"query": "SELECT memory_total, memory_free, CAST(memory_free AS real) / memory_total AS memory_free_perc, '10%' AS threshold FROM memory_info WHERE memory_free_perc < 0.1;",
"interval": 1800,
"description": "Free RAM is under 10%."
}
},
"packs": {
"osquery-monitoring": "/opt/osquery/share/osquery/packs/osquery-monitoring.conf",
"incident-response": "/opt/osquery/share/osquery/packs/incident-response.conf",
"it-compliance": "/opt/osquery/share/osquery/packs/it-compliance.conf",
"vuln-management": "/opt/osquery/share/osquery/packs/vuln-management.conf",
"hardware-monitoring": "/opt/osquery/share/osquery/packs/hardware-monitoring.conf",
"ossec-rootkit": "/opt/osquery/share/osquery/packs/ossec-rootkit.conf"
}
}
After this, enable and start the Osquery daemon:
systemctl enable osqueryd
systemctl start osqueryd
The osquery module must also be enabled on the agents where Osquery is running by adding:
<wodle name="osquery"/>
to their /var/ossec/etc/ossec.conf file or through the centralized configuration.
Note
More options may be specified as shown in the osquery configuration reference.
As you can see in this sample configuration, the system_info, high_load_average and low_free_memory queries will be executed every hour. Furthermore, this configuration uses some default packs such as osquery-monitoring, hardware-monitoring or ossec-rootkit, among others. You can define your own packs and use them with this wodle.
Alert examples
Sample alert in log format:
And the same alert in JSON format:
Note
If more than one report with the same content is received, only one alert will be generated the first time. The rest will be discarded.
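To illustrate the ingestion and the de-duplication described in the note above, here is an added Python sketch (not the module's own code) that reads lines in the differential results-log format osqueryd writes by default, drops malformed lines, and keeps only the first report per distinct content. The sample log lines are constructed, and what counts as "the same content" (query name, action and result columns) is an assumption of this example.

```python
import json

# Constructed sample lines in the differential results-log format that
# osqueryd writes by default (one JSON object per line; fields shortened).
# Lines 1 and 2 report the same content at different times, line 3 is a
# different query, line 4 is deliberately malformed.
SAMPLE_RESULTS_LOG = """\
{"name": "high_load_average", "hostIdentifier": "web-01", "unixTime": 1704103200, "counter": 1, "columns": {"period": "15m", "average": "0.91", "threshold": "70%"}, "action": "added"}
{"name": "high_load_average", "hostIdentifier": "web-01", "unixTime": 1704104100, "counter": 2, "columns": {"period": "15m", "average": "0.91", "threshold": "70%"}, "action": "added"}
{"name": "low_free_memory", "hostIdentifier": "web-01", "unixTime": 1704105000, "counter": 1, "columns": {"memory_total": "8255389696", "memory_free": "612368384", "memory_free_perc": "0.074", "threshold": "10%"}, "action": "added"}
{"name": "broken line, not valid JSON
"""


def fingerprint(report: dict) -> str:
    # What counts as "the same content" is an assumption of this example:
    # query name, action and result columns, ignoring timestamps/counters.
    key = {"name": report.get("name"), "action": report.get("action"),
           "columns": report.get("columns", {})}
    return json.dumps(key, sort_keys=True)


def process_results_log(text: str):
    """Parse results-log lines, keep the first report per fingerprint and
    drop repeats. Returns (alerts, discarded, malformed_count)."""
    seen, alerts, discarded, malformed = set(), [], [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            report = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1  # never forward input that does not parse
            continue
        if not isinstance(report, dict) or "name" not in report:
            malformed += 1  # valid JSON but not an osquery report
            continue
        key = fingerprint(report)
        if key in seen:
            discarded.append(report)  # same content seen before: no alert
            continue
        seen.add(key)
        alerts.append(report)
    return alerts, discarded, malformed


if __name__ == "__main__":
    alerts, discarded, malformed = process_results_log(SAMPLE_RESULTS_LOG)
    for report in alerts:
        print(f"ALERT {report['name']}: {report['columns']}")
    print(f"{len(alerts)} alerts, {len(discarded)} discarded, {malformed} malformed")
```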