
How to use Osquery to set up file integrity monitoring on Linux

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to set up file integrity monitoring with Osquery on Linux. The content is simple and clear, so follow the steps below one at a time to learn how to use Osquery on Linux for file integrity monitoring.

Osquery is a SQL-driven operating system instrumentation and analytics tool created by Facebook. It exposes operating system data as tables that can be queried with SQL statements, and it runs on OS X and Linux.

Osquery is multi-platform software that can be installed on Linux, Windows, macOS and FreeBSD. It lets us use SQL-based queries to inspect operating system configuration, performance, security state, and so on.

In this tutorial, we will show you how to set up file integrity monitoring (FIM) using Osquery. The Linux operating systems we use are Ubuntu 18.04 and CentOS 7.

Prerequisites

Linux (Ubuntu or CentOS)

Root permission

Completed the first osquery guide

Step 1: install osquery on the Linux server

Osquery provides its own repository for all installation platforms, and the first step is to install the osquery package from the official osquery repository.

On Ubuntu

Add the osquery key to the system.

export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY

Add the osquery repository and install the package.

sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'

sudo apt install osquery -y

On CentOS

Add the osquery key to the system.

curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery

Add and enable the osquery repository, and then install the package.

sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo

sudo yum-config-manager --enable osquery-s3-rpm

sudo yum install osquery -y

Wait for all packages to be installed.

Note: if you receive the following error message about the yum-config-manager command:

sudo: yum-config-manager: command not found

install the 'yum-utils' package.

yum -y install yum-utils

Step 2: enable Syslog Consumption for Osquery

Osquery can consume system logs: on Apple macOS it reads the Apple System Log (ASL), and on Linux it reads syslog.

In this step, we will enable syslog consumption for osquery through rsyslog.

On Ubuntu

Install rsyslog using the following apt command

sudo apt install rsyslog -y

On CentOS

Install the rsyslog package using the following yum command.

sudo yum install rsyslog -y

After the installation is complete, change to the '/etc/rsyslog.d' directory and create a new configuration file, osquery.conf.

cd /etc/rsyslog.d/

vim osquery.conf

Then paste the following configuration. It defines a CSV template for each syslog message and writes every message in that format to the named pipe that osquery reads.

template(name="OsqueryCsvFormat" type="string" string="%timestamp:::date-rfc3339,csv%,%hostname:::csv%,%syslogseverity:::csv%,%syslogfacility-text:::csv%,%syslogtag:::csv%,%msg:::csv%\n")
*.* action(type="ompipe" Pipe="/var/osquery/syslog_pipe" template="OsqueryCsvFormat")

Save and exit

Step 3: basic configuration of osquery

The default osquery configuration file is 'osquery.conf', usually located in the '/etc/osquery' directory.

In this step, we will learn about the osquery configuration components, create a custom osquery configuration, and then deploy osqueryd as a service.

An osquery configuration is a JSON file made up of the following sections:

Options: the osqueryd command-line flags that determine how the daemon starts and initializes.

Schedule: defines the set of scheduled queries, mapping each query name to its query details (statement, interval, and so on).

Decorators: queries whose results are added as additional "decorations" to result and snapshot logs.

Packs: named groups of scheduled queries, each stored in its own file.

More: file paths (for FIM), YARA, Prometheus, views, EC2 and Chef configuration.

Go to the '/etc/osquery' directory and create a new custom configuration file 'osquery.conf'.

cd /etc/osquery/

vim osquery.conf

Paste the following configuration.

{
    "options": {
        "config_plugin": "filesystem",
        "logger_plugin": "filesystem",
        "logger_path": "/var/log/osquery",
        "disable_logging": "false",
        "log_result_events": "true",
        "schedule_splay_percent": "10",
        "pidfile": "/var/osquery/osquery.pidfile",
        "events_expiry": "3600",
        "database_path": "/var/osquery/osquery.db",
        "verbose": "false",
        "worker_threads": "2",
        "enable_monitor": "true",
        "disable_events": "false",
        "disable_audit": "false",
        "audit_allow_config": "true",
        "host_identifier": "hakase-labs",
        "enable_syslog": "true",
        "syslog_pipe_path": "/var/osquery/syslog_pipe",
        "force": "true",
        "audit_allow_sockets": "true",
        "schedule_default_interval": "3600"
    },
    "schedule": {
        "crontab": {
            "query": "SELECT * FROM crontab;",
            "interval": 300
        },
        "system_info": {
            "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
            "interval": 3600
        },
        "ssh_login": {
            "query": "SELECT username, time, host FROM last WHERE type = 7;",
            "interval": 3600
        }
    },
    "decorators": {
        "load": [
            "SELECT uuid AS host_uuid FROM system_info;",
            "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
        ]
    },
    "packs": {
        "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf"
    }
}

Save and exit

Note:

We use 'filesystem' as both the configuration and the logger plugin.

The logger path is set to the '/var/log/osquery' directory.

Syslog consumption is enabled through the named pipe '/var/osquery/syslog_pipe', the same pipe rsyslog writes to.

In the schedule, we define three queries to check the crontab, system info, and SSH logins.

The osquery pack named "osquery-monitoring" is enabled; its file lives in the '/usr/share/osquery/packs' directory.

Start the osqueryd daemon and enable it so that it starts each time the system boots.

systemctl start osqueryd

systemctl enable osqueryd

Restart the rsyslog service so that the new pipe configuration takes effect.

systemctl restart rsyslog

The basic configuration of osquery is complete.

Step 4: file integrity monitoring (FIM) with osquery

Osquery uses inotify on Linux and FSEvents on macOS (Darwin) to provide file integrity monitoring. Simply put, it watches the paths listed under 'file_paths' for changes to any file in the defined directories and stores every observed event in the file_events table.

In this step, we will configure Osquery with a custom FIM pack to monitor important directories: the home directories, the SSH key directories, /etc, /tmp and the www web root.

Change to the '/usr/share/osquery/packs' directory and create a new pack configuration file 'fim.conf'.

cd /usr/share/osquery/packs

vim fim.conf

The configuration is as follows:

{
    "queries": {
        "file_events": {
            "query": "SELECT * FROM file_events;",
            "removed": false,
            "interval": 300
        }
    },
    "file_paths": {
        "homes": [
            "/root/.ssh/%%",
            "/home/%/.ssh/%%"
        ],
        "etc": [
            "/etc/%%"
        ],
        "home": [
            "/home/%%"
        ],
        "tmp": [
            "/tmp/%%"
        ],
        "www": [
            "/var/www/%%"
        ]
    }
}

Save and exit

Return to the '/etc/osquery' configuration directory and edit the osquery.conf file.

cd /etc/osquery/

vim osquery.conf

Add the file integrity monitoring pack to the 'packs' section.

"packs": {
    "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
    "fim": "/usr/share/osquery/packs/fim.conf"
}

Save and exit, and then restart the osqueryd service.

systemctl restart osqueryd

Note: check each JSON configuration file with a JSON linter such as http://jsonlint.com/ to make sure it contains no syntax errors; osqueryd will not load a malformed file.
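The JSON linter above only tells you whether the file parses. The following added example (not part of the original tutorial or of osquery itself) goes one step further for the configuration built in Steps 3 and 4: it parses osquery.conf, follows every entry in "packs" to its file, and checks the things that silently break FIM in practice, namely a quoted interval, a relative pattern, a "%%" wildcard that is not the last path component, and a pack that defines file_paths but never schedules a query on file_events. The path and pattern checks encode the wildcard rules from the osquery documentation; the sample configs it writes to a temporary directory are constructed for the demo.

```python
import json
import os
import tempfile

# Sections the tutorial's osquery.conf always carries.
REQUIRED_SECTIONS = ("options", "schedule")


def _load_json(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def check_pack(pack_path):
    """Return problems found in one pack file shaped like the tutorial's fim.conf."""
    try:
        pack = _load_json(pack_path)
    except (OSError, ValueError) as exc:
        return [f"not valid JSON ({exc})"]
    problems = []
    queries = pack.get("queries", {})
    for qname, q in queries.items():
        if "query" not in q:
            problems.append(f"query '{qname}' has no 'query' string")
        interval = q.get("interval")
        # osquery expects a number of seconds here, not a quoted string
        if not isinstance(interval, int) or interval <= 0:
            problems.append(f"query '{qname}' needs a positive integer interval")
    file_paths = pack.get("file_paths", {})
    for category, patterns in file_paths.items():
        if not isinstance(patterns, list) or not patterns:
            problems.append(f"file_paths category '{category}' must be a non-empty list")
            continue
        for pat in patterns:
            if not pat.startswith("/"):
                problems.append(f"pattern '{pat}' in '{category}' is not an absolute path")
            # '%%' is the recursive wildcard and is only meaningful as the last component
            if "%%" in pat and not pat.endswith("/%%"):
                problems.append(f"pattern '{pat}' in '{category}' uses '%%' before the last component")
    # file_paths alone only generate events; without a scheduled file_events query nothing is logged
    if file_paths and not any("file_events" in q.get("query", "") for q in queries.values()):
        problems.append("file_paths defined but no query reads the file_events table")
    return problems


def check_osquery_config(conf_path):
    """Return a list of problems for osquery.conf; an empty list means the check passed."""
    try:
        conf = _load_json(conf_path)
    except (OSError, ValueError) as exc:
        return [f"{conf_path}: not valid JSON ({exc})"]
    problems = [f"missing '{s}' section" for s in REQUIRED_SECTIONS if s not in conf]
    for name, path in conf.get("packs", {}).items():
        if not os.path.isfile(path):
            problems.append(f"pack '{name}' points to missing file {path}")
            continue
        problems.extend(f"pack '{name}': {p}" for p in check_pack(path))
    return problems


# Constructed configs for the demo: GOOD mirrors the tutorial's fim.conf, BAD contains typical mistakes.
GOOD_PACK = {
    "queries": {"file_events": {"query": "SELECT * FROM file_events;", "removed": False, "interval": 300}},
    "file_paths": {"homes": ["/root/.ssh/%%", "/home/%/.ssh/%%"], "www": ["/var/www/%%"]},
}
BAD_PACK = {
    "queries": {"procs": {"query": "SELECT * FROM processes;", "interval": "300"}},
    "file_paths": {"www": ["var/www/%%", "/tmp/%%/uploads"]},
}


def demo():
    """Write the constructed configs to a temporary directory and return (good_problems, bad_problems)."""
    with tempfile.TemporaryDirectory() as d:
        good_pack, bad_pack = os.path.join(d, "fim.conf"), os.path.join(d, "fim-broken.conf")
        good_conf, bad_conf = os.path.join(d, "osquery.conf"), os.path.join(d, "osquery-broken.conf")
        with open(good_pack, "w") as fh:
            json.dump(GOOD_PACK, fh)
        with open(bad_pack, "w") as fh:
            json.dump(BAD_PACK, fh)
        with open(good_conf, "w") as fh:
            json.dump({"options": {"logger_plugin": "filesystem"}, "schedule": {}, "packs": {"fim": good_pack}}, fh)
        with open(bad_conf, "w") as fh:
            # no 'schedule' section, one pack with mistakes, one pack path that does not exist
            json.dump({"options": {}, "packs": {"fim": bad_pack, "monitoring": os.path.join(d, "nope.conf")}}, fh)
        return check_osquery_config(good_conf), check_osquery_config(bad_conf)


if __name__ == "__main__":
    good, bad = demo()
    print("good config problems:", good)
    print("bad config problems:")
    for p in bad:
        print("  -", p)
```

To check a real deployment, call check_osquery_config("/etc/osquery/osquery.conf") as root before restarting osqueryd; the pack paths are resolved exactly as osqueryd resolves them, so a typo in the "packs" section shows up as a missing file rather than as a silently empty file_events table.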

Step 5: test

We will test the file integrity monitoring pack by creating a new file in each of the monitored directories "home" and "www".

Go to the /var/www/ directory and create a new file called howtoforge.md.

cd /var/www/

touch howtoforge.md

Go to the '/home/youruser/' directory and create a new file called 'hakase-labs.md'.

cd /home/vagrant/

touch hakase-labs.md

Check the recorded events in two ways: interactively with osqueryi, and by reading the osqueryd results log.

osqueryi

Run osqueryi with the same configuration file as the daemon, so that the FIM pack and its file_paths are loaded.

osqueryi --config_path /etc/osquery/osquery.conf

Query the file change events in the 'file_events' table.

For all changes:

SELECT * FROM file_events;

For the 'home' category:

SELECT target_path, category, action, atime, ctime, mtime FROM file_events WHERE category = 'home';

For the 'www' web root category:

SELECT target_path, category, action, atime, ctime, mtime FROM file_events WHERE category = 'www';

osqueryd results log

Go to the '/var/log/osquery' directory; there you will find the 'osqueryd.results.log' file.

cd /var/log/osquery/

ls -lah osqueryd.results.log

Use the 'grep' command to filter the osquery log for the files you created.

grep -rin howtoforge.md osqueryd.results.log

grep -rin hakase-labs.md osqueryd.results.log

You will see log entries for each file that was created.

Installing and configuring file integrity monitoring (FIM) with osquery on Ubuntu and CentOS servers is now complete.
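grep finds a filename, but a reviewer usually wants the events grouped and the sensitive ones surfaced. The following added example (written for this page, not code from the tutorial or from osquery) parses results-log lines in the one-JSON-object-per-line shape osqueryd writes with the filesystem logger, keeps only rows from the file_events query (pack queries are logged under the name pack_<pack>_<query>), summarizes them by category and action, reproduces the grep-by-filename check, and flags changes under the "homes" and "etc" categories such as an edit to an authorized_keys file. The log lines embedded below are constructed for the example and are not captured output.

```python
import json
from collections import Counter

# Constructed sample of osqueryd.results.log: one JSON object per line (differential
# logging). The values are invented for this example, not real captured output.
SAMPLE_LOG = """\
{"name":"pack_fim_file_events","hostIdentifier":"hakase-labs","unixTime":1559822400,"columns":{"target_path":"/var/www/howtoforge.md","category":"www","action":"CREATED","uid":"0","mode":"0644","sha256":""},"action":"added"}
{"name":"pack_fim_file_events","hostIdentifier":"hakase-labs","unixTime":1559822401,"columns":{"target_path":"/home/vagrant/hakase-labs.md","category":"home","action":"CREATED","uid":"1000","mode":"0644","sha256":""},"action":"added"}
{"name":"pack_fim_file_events","hostIdentifier":"hakase-labs","unixTime":1559822402,"columns":{"target_path":"/root/.ssh/authorized_keys","category":"homes","action":"UPDATED","uid":"0","mode":"0600","sha256":"0123abcd"},"action":"added"}
{"name":"crontab","hostIdentifier":"hakase-labs","unixTime":1559822403,"columns":{"command":"/usr/local/bin/backup.sh","path":"/etc/crontab"},"action":"added"}
not json: a torn write or a rotated line can look like this and must not stop the scan
"""

# Categories from the tutorial's fim.conf whose changes deserve a closer look.
SENSITIVE_CATEGORIES = ("homes", "etc")


def parse_file_events(log_text):
    """Return the file_events rows from results-log text, skipping other queries and bad lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # one unparseable line must not abort the whole scan
        if not rec.get("name", "").endswith("file_events"):
            continue
        cols = rec.get("columns", {})
        events.append({
            "time": rec.get("unixTime"),
            "host": rec.get("hostIdentifier"),
            "target_path": cols.get("target_path"),
            "category": cols.get("category"),
            "action": cols.get("action"),   # CREATED / UPDATED / DELETED ... from the file_events row
            "uid": cols.get("uid"),
            "sha256": cols.get("sha256"),
        })
    return events


def summarize(events):
    """Count events per (category, action), the first view an analyst wants."""
    return Counter((e["category"], e["action"]) for e in events)


def find_by_name(events, filename):
    """Equivalent of 'grep howtoforge.md osqueryd.results.log' on the parsed rows."""
    return [e for e in events if e["target_path"] and e["target_path"].endswith("/" + filename)]


def flag_sensitive(events, categories=SENSITIVE_CATEGORIES):
    """Return events in categories that should be reviewed, e.g. SSH key directories."""
    return [e for e in events if e["category"] in categories]


if __name__ == "__main__":
    evs = parse_file_events(SAMPLE_LOG)
    for (category, action), n in sorted(summarize(evs).items()):
        print(f"{category:6s} {action:8s} {n}")
    for e in flag_sensitive(evs):
        print("REVIEW:", e["host"], e["action"], e["target_path"], "uid", e["uid"])
```

On a live host, read the file with open("/var/log/osquery/osqueryd.results.log") and pass its contents to parse_file_events; because every line is a complete JSON object, the same function works on log rotations and on lines shipped to a central collector.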

Thank you for reading. The above is the content of "how to use Osquery on Linux to set up file integrity monitoring". After studying this article, you should have a deeper understanding of the topic; the specific details still need to be verified in practice. The editor will publish more related articles, so you are welcome to follow along.
