Using OSQUERY as HIDS to detect system anomalies

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Brief introduction

Osquery is open-source system query and monitoring software released by Facebook; the official website is https://osquery.io

The two commonly used osquery commands are osqueryi and osqueryd.

osqueryi is the interactive shell of osquery. Through it you can query system information the way you would query a SQL database, for example listing the loaded kernel modules from the kernel_modules table.

osqueryd is the host monitoring daemon; production deployments normally run osqueryd.

Summary of osquery configuration

1 osquery tables. osquery has many built-in tables through which system information can be queried.

A few of the tables and what they hold:

arp_cache           the system ARP cache

file_events         changes to files under the monitored directories

kernel_modules      loaded kernel modules

last                users who have logged in successfully

load_average        current system load

users               all users

processes           all processes

listening_ports     ports currently listening

process_open_sockets  network connections

The following figure shows the ARP cache, the current system load and the currently listening ports queried from the osqueryi interactive shell.

To list all available tables, run the .tables command inside the osqueryi shell.

2 Configuration

When osquery is installed on Linux from the rpm package on the official website, the default configuration file is /etc/osquery/osquery.conf

The configuration is in JSON format. Here is an example configuration:

    {
      "options": {
        "config_plugin": "filesystem",
        "logger_plugin": "filesystem",
        "logger_path": "/var/log/osquery",
        "pidfile": "/var/osquery/osquery.pidfile",
        "worker_threads": "10",
        "enable_monitor": "true"
      },
      "schedule": {
        "system_info": {
          "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
          "interval": 3600
        }
      },
      "packs": {
        "secrity": "/etc/osquery/secrity.conf",
        "file": "/etc/osquery/file.conf"
      }
    }

The three sections are:

options: settings for the osquery daemon, such as the log output path, the number of worker threads and memory usage limits.

schedule: the scheduled queries.

packs: a pack can be thought of as a named collection of scheduled queries kept in its own file.

3 File monitoring. File monitoring has two parts: 1 configure the monitored directories (file_paths), 2 schedule a query against the file_events table.

The following example queries the file_events table every 300 seconds for the /root and /home directories. A change to any file under /root or /home is reported within 300 seconds.

    {
      "schedule": {
        "file_events": {
          "query": "SELECT * FROM file_events;",
          "removed": false,
          "interval": 300
        }
      },
      "file_paths": {
        "homes": [
          "/root/%%",
          "/home/%%"
        ]
      }
    }
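A scheduled query against an event table such as file_events returns nothing unless the matching event flags are enabled and, for file_events, a file_paths section exists. The script below is an added example (not part of the original article and not an osquery tool) that cross-checks a configuration against a flags file for exactly those dependencies. The sample configuration and flags are constructed from the listings in this article; the mapping of event tables to the flags they need is taken from the flags file the article shows in its installation section.

```python
import json
import sys

# Event tables and the flags each one needs before it produces any rows. These are
# the flags set in the article's osquery.flags file; with a flag missing, a scheduled
# query against the event table simply returns nothing.
EVENT_TABLE_FLAGS = {
    "file_events": {"disable_events": "false"},
    "process_events": {"disable_events": "false", "disable_audit": "false",
                       "audit_allow_process_events": "true"},
    "socket_events": {"disable_events": "false", "disable_audit": "false",
                      "audit_allow_sockets": "true"},
}

# Constructed sample: the schedule/file_paths fragment from the article as valid JSON,
# and a flags file matching the one shown in the installation section.
SAMPLE_CONF = {
    "options": {"config_plugin": "filesystem", "logger_plugin": "filesystem"},
    "schedule": {
        "file_events": {"query": "SELECT * FROM file_events;", "interval": 300, "removed": False},
        "system_info": {"query": "SELECT hostname FROM system_info;", "interval": 3600},
    },
    "file_paths": {"homes": ["/root/%%", "/home/%%"]},
}
SAMPLE_FLAGS = ("--disable_audit=false\n--audit_allow_process_events=true\n"
                "--audit_allow_sockets=true\n--disable_events=false\n")

def parse_flags(text):
    """Parse osquery.flags lines of the form --name=value (a bare --name means true)."""
    flags = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("--"):
            key, sep, value = line[2:].partition("=")
            flags[key] = value if sep else "true"
    return flags

def tables_in_query(sql):
    """Cheap table-name lookup: the token that follows FROM or JOIN."""
    words = sql.replace(";", " ").replace(",", " ").split()
    return {words[i + 1].lower() for i, w in enumerate(words[:-1]) if w.upper() in ("FROM", "JOIN")}

def check_config(conf, flags_text):
    """Return a list of problems; an empty list means schedule, file_paths and flags agree."""
    flags = parse_flags(flags_text)
    queries = dict(conf.get("schedule", {}))
    for pack_name, pack in conf.get("packs", {}).items():
        if isinstance(pack, dict):  # inline pack; a string value is the path of a pack file
            for qname, q in pack.get("queries", {}).items():
                queries[f"pack_{pack_name}_{qname}"] = q
    problems = []
    for name, q in queries.items():
        if "query" not in q or "interval" not in q:
            problems.append(f"{name}: every scheduled query needs 'query' and 'interval'")
            continue
        if not isinstance(q["interval"], int) or q["interval"] <= 0:
            problems.append(f"{name}: interval must be a positive number of seconds")
        for table in tables_in_query(q["query"]):
            for flag, want in EVENT_TABLE_FLAGS.get(table, {}).items():
                if flags.get(flag) != want:
                    problems.append(f"{name}: table {table} needs --{flag}={want}")
            if table == "file_events" and not conf.get("file_paths"):
                problems.append(f"{name}: file_events is scheduled but no file_paths are configured")
    return problems

def load_and_check(conf_path, flags_path):
    with open(conf_path) as f:
        conf = json.load(f)  # a plain JSON parse already catches missing commas or quotes
    with open(flags_path) as f:
        return check_config(conf, f.read())

if __name__ == "__main__":
    # Usage: python check_osquery_conf.py /etc/osquery/osquery.conf /etc/osquery/osquery.flags
    found = (load_and_check(sys.argv[1], sys.argv[2]) if len(sys.argv) > 2
             else check_config(SAMPLE_CONF, SAMPLE_FLAGS))
    print("\n".join(found) or "no problems found")
```

Run it before osqueryctl config-check: config-check validates syntax and option names, while this script catches the semantic gap of an event query whose events are never collected.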

4 Remote configuration

Remote configuration has two steps: 1 send host information to the server and register (enroll) the host; 2 fetch the configuration from the server. The flags involved are:

    --enroll_secret_path=/etc/osquery/server.pass
    --tls_server_certs=/etc/osquery/server.pem
    --tls_hostname=11.0.16.118:443
    --host_identifier=hostname
    --enroll_tls_endpoint=/enroll
    --config_plugin=tls
    --config_tls_endpoint=/config
    --config_tls_refresh=86400

--enroll_secret_path: the file holding the secret that is sent to the server when the host registers.

--tls_server_certs: remote configuration must use HTTPS; this is the certificate (public key) of the HTTPS server, used to verify it.

--tls_hostname: address (host:port) of the remote server.

--host_identifier=hostname: the host identifies itself to the server by its hostname when registering.

--enroll_tls_endpoint: the URL path on the TLS server used to register the host.

--config_plugin: sets the configuration mode (tls means fetch it from the server).

--config_tls_endpoint: the URL path from which the configuration is fetched over TLS.

--config_tls_refresh: how many seconds to wait before fetching the configuration again.
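To make the two steps concrete, here is an added example (not from the article and not osquery's own server code) of a minimal configuration server that answers the enroll and config requests the flags above point at. It is written for the Python standard library only. The enroll secret, node keys and the returned configuration are constructed for the example; the exchange shape assumed is the one osqueryd uses, a JSON POST carrying enroll_secret and host_identifier to the enroll endpoint, which answers with a node_key, and a JSON POST carrying that node_key to the config endpoint, which answers with the configuration or with node_invalid when the key is unknown.

```python
import json
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values: the secret the agent reads from --enroll_secret_path, and the
# configuration handed to every enrolled host.
ENROLL_SECRET = "example-enroll-secret"
HOST_CONFIG = {
    "schedule": {
        "users": {"query": "SELECT * FROM users;", "interval": 5, "removed": False}
    }
}
NODES = {}  # node_key -> host_identifier, filled by successful enrollment

def handle_enroll(body):
    """Step 1: osqueryd POSTs {"enroll_secret": ..., "host_identifier": ...} to
    --enroll_tls_endpoint. A matching secret yields a fresh node_key; anything else
    is rejected with node_invalid. compare_digest avoids a timing side channel."""
    if not secrets.compare_digest(str(body.get("enroll_secret", "")), ENROLL_SECRET):
        return {"node_invalid": True}
    node_key = secrets.token_hex(16)
    NODES[node_key] = body.get("host_identifier", "unknown")
    return {"node_key": node_key}

def handle_config(body):
    """Step 2: osqueryd POSTs {"node_key": ...} to --config_tls_endpoint every
    --config_tls_refresh seconds. An unknown key gets node_invalid, which tells
    the agent to enroll again."""
    if body.get("node_key") not in NODES:
        return {"node_invalid": True}
    return HOST_CONFIG

class Handler(BaseHTTPRequestHandler):
    ROUTES = {"/enroll": handle_enroll, "/config": handle_config}

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            body = json.loads(self.rfile.read(length) or b"{}")
        except json.JSONDecodeError:
            body = {}
        route = self.ROUTES.get(self.path)
        reply = route(body) if route else {"node_invalid": True}
        data = json.dumps(reply).encode()
        self.send_response(200 if route else 404)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":
    # Plain HTTP on loopback for the demo. osqueryd only talks HTTPS, so in practice
    # this sits behind a TLS terminator whose certificate is what --tls_server_certs
    # points at on the agent side.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The node_key is the only credential the agent holds after enrollment, so the server must treat it as a bearer token: generate it from a CSPRNG as above, and return node_invalid rather than a configuration for any key it does not recognise.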

Installation

1 This installation is configured locally and logs are written locally, with the following goals:

Process monitoring: even processes with a very short execution time, such as ls, must be logged.

Network monitoring: connections the server initiates to other hosts must be monitored.

Host ARP cache: alarm when the host's ARP cache changes.

File monitoring: alarm when files in the specified directories change.

User creation monitoring: alarm when a user is added.

Group creation monitoring: alarm when a user group is added.

Password change monitoring: alarm when a user's password changes.

Login monitoring: alarm when a user logs in successfully.

2.1 Download

    wget https://pkg.osquery.io/rpm/osquery-4.0.2-1.linux.x86_64.rpm

2.2 Install after the download completes

    rpm -ivh osquery-4.0.2-1.linux.x86_64.rpm

2.3 Modify the configuration files.

osquery.conf is as follows:

    {
      "options": {
        "config_plugin": "filesystem",
        "logger_plugin": "filesystem",
        "logger_path": "/var/log/osquery",
        "pidfile": "/var/osquery/osquery.pidfile",
        "worker_threads": "10",
        "enable_monitor": "true"
      },
      "schedule": {
      },
      "packs": {
        "secrity": "/etc/osquery/secrity.conf",
        "file": "/etc/osquery/file.conf"
      }
    }

osquery.flags file (these flags turn on the audit-based process and socket events and the event tables the packs below query):

    --disable_audit=false
    --audit_allow_config=true
    --audit_allow_process_events=true
    --audit_allow_sockets=true
    --audit_persist=true
    --disable_events=false
    --events_max=50000

secrity.conf file (the socket_event query keeps only IPv4 connections, family=2, with a real remote address):

    {
      "queries": {
        "processes_events": {
          "query": "SELECT * FROM process_events;",
          "interval": 5,
          "removed": false
        },
        "socket_event": {
          "query": "SELECT * FROM socket_events WHERE family=2 AND remote_address != '0.0.0.0';",
          "interval": 5,
          "removed": false
        },
        "arp_cache": {
          "query": "SELECT * FROM arp_cache;",
          "interval": 5,
          "removed": false
        },
        "file_event": {
          "query": "SELECT * FROM file_events;",
          "interval": 5,
          "removed": false
        },
        "users": {
          "query": "SELECT * FROM users;",
          "interval": 5,
          "removed": false
        },
        "groups": {
          "query": "SELECT * FROM groups;",
          "interval": 5,
          "removed": false
        },
        "shadow": {
          "query": "SELECT * FROM shadow;",
          "interval": 5,
          "removed": false
        },
        "last": {
          "query": "SELECT * FROM last;",
          "interval": 5,
          "removed": false
        }
      }
    }

file.conf file:

    {
      "file_paths": {
        "homes": [
          "/root/%%",
          "/home/%%"
        ],
        "tmp": [
          "/tmp/%%"
        ]
      }
    }

2.4 Check the configuration for problems: osqueryctl config-check

2.5 Start osquery: systemctl start osqueryd

2.6 Check that the alarms work

You can see that pack_secrity_processes_events, pack_secrity_socket_event, pack_secrity_arp_cache and the other queries all produce alarms normally.
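With the filesystem logger, each alarm ends up as one JSON line in the results log, named after the pack and query (pack_secrity_users and so on). The following is an added example, not part of the article and not an osquery component, that reads such lines and turns each of the eight monitored events into a one-line alert. The sample log lines are constructed to match the differential result format osqueryd writes (query name, hostIdentifier, unixTime, action and the row's columns); the host, PIDs, addresses and user names in them are made up. The shadow formatter deliberately omits the password hash so that alert text never carries credential material.

```python
import json
import sys

# Constructed sample in the shape osqueryd's filesystem logger writes to
# /var/log/osquery/osqueryd.results.log: one JSON object per line carrying the
# scheduled query name, the host, an action and the row's columns. All values
# are invented for this example; the last line stands in for a torn write.
SAMPLE_LOG = """\
{"name":"pack_secrity_processes_events","hostIdentifier":"web01","unixTime":1591092000,"action":"added","columns":{"pid":"4121","uid":"0","path":"/bin/ls","cmdline":"ls -la /root"}}
{"name":"pack_secrity_socket_event","hostIdentifier":"web01","unixTime":1591092001,"action":"added","columns":{"pid":"4130","path":"/usr/bin/curl","remote_address":"198.51.100.7","remote_port":"4444"}}
{"name":"pack_secrity_users","hostIdentifier":"web01","unixTime":1591092002,"action":"added","columns":{"uid":"1003","username":"backup2","shell":"/bin/bash","directory":"/home/backup2"}}
{"name":"pack_secrity_groups","hostIdentifier":"web01","unixTime":1591092002,"action":"added","columns":{"gid":"1003","groupname":"backup2"}}
{"name":"pack_secrity_shadow","hostIdentifier":"web01","unixTime":1591092003,"action":"added","columns":{"username":"backup2","last_change":"18415","password_status":"active","password_hash":"HASH-NOT-FOR-LOGS"}}
{"name":"pack_secrity_last","hostIdentifier":"web01","unixTime":1591092004,"action":"added","columns":{"username":"backup2","host":"203.0.113.9","tty":"pts/1","time":"1591092004"}}
{"name":"pack_secrity_arp_cache","hostIdentifier":"web01","unixTime":1591092005,"action":"added","columns":{"address":"10.0.0.1","mac":"de:ad:be:ef:00:01","interface":"eth0"}}
{"name":"pack_secrity_file_event","hostIdentifier":"web01","unixTime":1591092006,"action":"added","columns":{"target_path":"/root/.ssh/authorized_keys","action":"UPDATED","category":"homes"}}
{"name":"system_info","hostIdentifier":"web01","unixTime":1591092007,"action":"added","columns":{"hostname":"web01"}}
not json at all
"""

# One formatter per monitored query, keyed by the query name used in secrity.conf.
# The shadow formatter reports who changed a password and when, never the hash.
RULES = {
    "processes_events": lambda c: f"process run: uid={c.get('uid')} cmdline={c.get('cmdline')!r}",
    "socket_event": lambda c: f"outbound connection: {c.get('path')} pid={c.get('pid')} -> {c.get('remote_address')}:{c.get('remote_port')}",
    "arp_cache": lambda c: f"ARP entry changed: {c.get('address')} is now {c.get('mac')} on {c.get('interface')}",
    "file_event": lambda c: f"file {c.get('action')}: {c.get('target_path')} (set {c.get('category')})",
    "users": lambda c: f"user added: {c.get('username')} uid={c.get('uid')} shell={c.get('shell')}",
    "groups": lambda c: f"group added: {c.get('groupname')} gid={c.get('gid')}",
    "shadow": lambda c: f"password changed: {c.get('username')} last_change={c.get('last_change')}",
    "last": lambda c: f"login: {c.get('username')} from {c.get('host')} on {c.get('tty')}",
}

def query_suffix(name):
    """Map 'pack_<pack>_<query>' or a bare '<query>' name to its rule key, or None."""
    for suffix in RULES:
        if name == suffix or name.endswith("_" + suffix):
            return suffix
    return None

def alerts_from_log(text):
    """Turn differential result lines into alert strings. Queries without a rule
    (inventory queries such as system_info) and unparsable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("action") != "added":  # the packs set "removed": false
            continue
        suffix = query_suffix(rec.get("name", ""))
        if suffix is None:
            continue
        msg = RULES[suffix](rec.get("columns", {}))
        alerts.append(f"{rec.get('unixTime')} {rec.get('hostIdentifier')} [{suffix}] {msg}")
    return alerts

if __name__ == "__main__":
    # Usage: python osquery_alerts.py /var/log/osquery/osqueryd.results.log
    # (with no argument the constructed sample above is used)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for alert in alerts_from_log(text):
        print(alert)
```

Feeding the real results log through this is a quick way to confirm step 2.6: every pack query that fires shows up as its own tagged line, while the 3600-second system_info inventory query stays out of the alert stream.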
