A Linux installation has many tools to query different aspects of the system. Some tools, like top and ps, give a nice overview, whereas others, like ip, interface directly with the kernel. The number of tools at your disposal quickly multiplies if you manage a network with various operating systems, and, while having access to several utilities sounds like a good thing, juggling them and their respective syntax is quite bothersome. If you crave a unified interface for querying the different aspects of the operating system, you need osquery.

Osquery is a cross-platform open source tool originally created by Facebook that, as its name suggests, is designed to query various details about the state of your machines. It works across Linux, Windows, and macOS and exposes operating system configuration data in the form of relational database tables. In other words, osquery turns a Linux installation into one giant database, with tables that you can query using SQL statements. With these queries, you can check on running processes, loaded kernel modules, and active user accounts, and you can even monitor file integrity, check the status and configuration of the firewall, perform security audits of the target server, and lots more. The tool uses the SQLite dialect of SQL, which isn't too difficult to grasp, even for those unfamiliar with SQL.

Loaded Question

Although osquery won't be available in your distribution's official repositories, installing it isn't much of an issue. The tool is available as a source tarball along with pre-packed binaries for RPM- and DEB-based distributions. You can also install it by adding its repository for your respective distribution. In this tutorial, I'll install osquery on top of a CentOS 7 installation.

If this is a pristine CentOS 7 installation, you'll first have to update curl and a number of other packages with:

$ sudo yum update curl nss nss-util nss-sysinit nss-tools

Now grab the GPG key for the tool's repository with:

$ curl -L | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery

Next, add and enable the repository with:

$ sudo yum-config-manager --add-repo
$ sudo yum-config-manager --enable osquery-s3-rpm

Once the repository has been enabled, you can simply grab the tool with yum:

$ sudo yum install osquery

Installing osquery gives you access to three components: osqueryi, an interactive osquery shell that is useful as a test bed for performing ad hoc queries; osqueryd, a daemon that runs scheduled queries in the background; and osqueryctl, a helper script that assists you by testing osquery's configuration. You can also use osqueryctl to start, stop, and restart the daemon. It's important to note that osqueryi doesn't talk to osqueryd in any way, which is to say that osqueryi isn't a client to osqueryd. They are separate but related tools that come together in one package. Most of the flags and options needed to run both are the same, and you can launch osqueryi using the osqueryd configuration file, which is useful for customizing the interactive environment without using lots of command-line switches.
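As an added example (these queries are not from the article), here are a few ad hoc checks of the kind described above that you can paste into osqueryi once the package is installed. The table and column names are osquery's standard Linux schema (processes, kernel_modules, users, listening_ports, hash, iptables, suid_bin); the list of files hashed and the filter on "unusual" SUID locations are my own choices, not a recommendation from the page. Run osqueryi as root, since several of these tables read data an unprivileged user cannot see.

```sql
-- Added example queries for osqueryi (not part of the original article).
-- Table and column names follow osquery's standard Linux schema.

-- 1. Running processes whose executable is no longer on disk.
--    on_disk = 0 is a classic sign of a deleted-after-launch implant,
--    or of a service that was never restarted after a package upgrade.
SELECT pid, name, path, cmdline, uid
FROM processes
WHERE on_disk = 0;

-- 2. Loaded kernel modules, largest first, with the modules that use them.
SELECT name, size, used_by, status
FROM kernel_modules
ORDER BY size DESC
LIMIT 10;

-- 3. Accounts that can actually log in (a real shell), plus every UID-0
--    account, not just the one called "root".
SELECT uid, gid, username, shell, directory
FROM users
WHERE uid = 0
   OR shell NOT IN ('/sbin/nologin', '/usr/sbin/nologin', '/bin/false');

-- 4. Which process owns each listening TCP socket.
--    protocol is the IP protocol number: 6 = TCP, 17 = UDP.
SELECT lp.port, lp.address, p.pid, p.name, p.path
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
WHERE lp.protocol = 6
ORDER BY lp.port;

-- 5. A file-integrity style snapshot: SHA-256 of a few sensitive files.
--    The file set here is an assumption for illustration. Save the output
--    and diff it later, or schedule the query in osqueryd.
SELECT path, sha256
FROM hash
WHERE path IN ('/etc/passwd', '/etc/shadow', '/etc/sudoers',
               '/etc/ssh/sshd_config');

-- 6. Firewall chains and rules as the kernel currently holds them.
SELECT filter_name, chain, policy, target, protocol, src_ip, src_port, dst_port
FROM iptables;

-- 7. Set-UID binaries outside the usual system directories.
--    The "usual" prefixes are an assumption; adjust them for your build.
SELECT path, username, groupname, permissions
FROM suid_bin
WHERE path NOT LIKE '/usr/bin/%'
  AND path NOT LIKE '/usr/sbin/%'
  AND path NOT LIKE '/bin/%'
  AND path NOT LIKE '/sbin/%';
```

Each statement stands alone, so you can run them one at a time in the osqueryi prompt. The same SELECTs can later be dropped into the "schedule" section of the osqueryd configuration file, and osqueryctl's config-check will tell you whether that file parses before you restart the daemon.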