Running a process and disappearing is a common approach of malicious actors, and if your system isn’t compromised, it shouldn’t return anything. Lists all processes of which the binary which launched them no longer exists on disk. Malicious Actors ExampleĪs per their announcement post, the query: SELECT name, path, pid FROM processes WHERE on_disk = 0 You can list all available tables by just executing. You should see something like this happen: Paste the following into the console and execute it: SELECT * FROM users Enter the interactive console by executing osqueryi. If you need packages for other operating systems, the procedure is exactly the same with minimal alterations – just follow the instructions. We can even install it into the very OS that built it. deb file over, and running the above command. Installing it into any of your Ubuntu 14.04 machines is now as simple as copying the. To install this, we can use the default Debian Package Management System: sudo dpkg -i osquery - 0.0. You should then be able to see the package in /vagrant/build/linux/osquery-0.0. Then, we tell it to wrap itself into an installable package. This will update the Ubuntu instance and download everything OSQuery needs to build itself. This is a strange hiccup that warrants further investigation, and I’ll post back if I find any real workarounds or if the issue is fixed. Just re-run the provision script after it fails to complete, and it should work. Note that if you’re on Windows, the famous symlink error will rear its ugly head again. In our case, that’ll be vagrant ssh ubuntu14 Otherwise, it’ll download the image which might take a while, and then create the virtual machine. If your copy of Vagrant has an Ubuntu14 image downloaded from before, you should be up and running in a minute tops. Make sure you have Git, Vagrant and Virtualbox installed on your main machine, and execute the following: git clone This might sound more complicated than it really is, so let’s do the step by step dance. deb file onto the target machine), rather than a remote repository as usual. However, since OSQuery is not in the official repos for these types of distributions yet, we’ll need to build the package manually, and then install it from a local location (by copying a. Typically, you install software via a package manager such as Aptitude by issuing a command like apt-get install. Let’s imagine we have an Ubuntu 14.04 machine onto which we’d like to install OSQuery. The installation process is somewhat convoluted if you’ve never used VMs, so let’s break it down. If you’re not familiar with Vagrant, and you really should be, see our posts on the topic here. OSQuery provides a default Vagrant configuration for you to use for building the package which you’ll eventually distribute across all other machines you’d like it installed on. The documentation is very good, so conquering every aspect of OSQuery is as simple as dedicating an afternoon to it. The software is installed via (currently) self-built packages for all supported operating systems, and comes with osqueryi – an interactive console for playing around with the queries – and osqueryd – a daemon you can schedule to run regularly and aggregate data across monitored machines, for example. The team is adding new tables regularly, so even if you don’t feel like contributing but still want to use some missing ones, there’s a high chance they’ll pop up if you give it some time. It’s fully open source, and there’s even a guide on creating your own tables, in case some are missing and you need them. OSQuery works on CentOS, Ubuntu, and OS X, thus supporting your production servers, your development playbox, and the operating systems of any other machine you have access to, like your children’s or your employees’s – allowing you to use it to monitor the OS status of your entire ecosystem. If you ever ran into a situation where you couldn’t run Apache because a port was already taken and you had to go and grep the process list, only to find out a dead instance of Skype is hogging port 80, you’ll know to appreciate the simplicity of OSQuery. In a nutshell, OSQuery pretends to be a relational database and contains some “tables” (tables in quotes because they don’t actually exist as tables you’re used to in, for example, MySQL) which expose the OS data in a manner that makes it queryable by SQL statements (yes, including joins and the whole lot!). I won’t regurgitate their announcement post – for implementation details see there.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |