{"id":10041,"date":"2021-08-13T21:09:57","date_gmt":"2021-08-13T18:09:57","guid":{"rendered":"https:\/\/kifarunix.com\/?p=10041"},"modified":"2024-03-18T18:54:41","modified_gmt":"2024-03-18T15:54:41","slug":"install-osquery-on-rocky-linux-8","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-osquery-on-rocky-linux-8\/","title":{"rendered":"Install Osquery on Rocky Linux 8"},"content":{"rendered":"\n<p>In this guide, we are going to learn how to install osquery on Rocky Linux 8.&nbsp;<a href=\"https:\/\/osquery.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">Osquery<\/a>&nbsp;is an open-source tool that queries an operating system as if it were a relational database. It leverages SQL-like queries to gather operating system information for performance, security and compliance audit analysis. It runs on multiple platforms such as Linux, FreeBSD, macOS and Windows.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Installing Osquery on Rocky Linux 8<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Install Osquery YUM Repository<\/h3>\n\n\n\n<p>The default Rocky Linux repositories do not contain the osquery package.<\/p>\n\n\n\n<p>However, osquery publishes its stable releases to a YUM repository. 
<\/p>\n\n\n\n<p>To add the osquery YUM repository to Rocky Linux 8, run the commands below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>curl -L https:\/\/pkg.osquery.io\/rpm\/GPG | sudo tee \/etc\/pki\/rpm-gpg\/RPM-GPG-KEY-osquery<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf config-manager --add-repo https:\/\/pkg.osquery.io\/rpm\/osquery-s3-rpm.repo<\/code><\/pre>\n\n\n\n<p>This installs the osquery YUM repository, and you can confirm by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf repolist | grep osquery<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>osquery-s3-rpm-repo             name=osquery RPM repository - x86_64<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Install Osquery<\/h3>\n\n\n\n<p>Once the repository is in place, you can then install Osquery by running the command below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf --enablerepo osquery-s3-rpm-repo install osquery -y<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Components of osquery<\/h3>\n\n\n\n<p>The osquery package installs three basic components;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>osqueryctl<\/code><\/strong>&nbsp;\u2013 This is an osquery helper script for testing osquery configuration\/deployment as well as managing the osqueryd service.<\/li>\n\n\n\n<li><code><strong>osqueryd<\/strong><\/code>&nbsp;\u2013 is the osquery daemon for scheduling queries and recording changes in the state of the OS.<\/li>\n\n\n\n<li><strong><code>osqueryi<\/code><\/strong>&nbsp;\u2013 is the osquery interactive shell. 
From the shell, you can run various queries to explore the state of your OS.<\/li>\n<\/ul>\n\n\n\n<p>To learn the usage of the commands above, you can pass the -h\/--help option.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>osqueryctl -h<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Usage: \/usr\/bin\/osqueryctl {clean|config-check|start|stop|status|restart}<\/code><\/pre>\n\n\n\n<p>For example, to start, stop and restart osqueryd using osqueryctl, run the commands;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>osqueryctl start osqueryd<\/code><\/pre>\n\n\n\n<pre id=\"block-1bd97d05-61ba-4e2f-9d1c-80d57fda865f\" class=\"wp-block-preformatted\"><code>osqueryctl stop osqueryd<\/code><\/pre>\n\n\n\n<pre id=\"block-dcf24eef-4963-45c6-9b43-ac12d2fdbfa5\" class=\"wp-block-preformatted\"><code>osqueryctl restart osqueryd<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Running Osquery on Rocky Linux 8<\/h3>\n\n\n\n<p>Osquery can be run:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>in standalone mode using <strong><code>osqueryi<\/code><\/strong>, or<\/li>\n\n\n\n<li>as a service using <strong><code>osqueryd<\/code><\/strong><\/li>\n<\/ul>\n\n\n\n<p>In this guide, we are going to focus on how to use the osquery interactive shell to query various system activities.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Running osquery in standalone mode<\/h3>\n\n\n\n<p>When&nbsp;<strong><code>osqueryi<\/code><\/strong>&nbsp;is run without any arguments, it takes you to the interactive shell prompt;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>osqueryi<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Using a virtual database. Need help, type '.help'<br>osquery&gt;<\/code><\/pre>\n\n\n\n<p>You can obtain help by typing&nbsp;<strong><code>.help<\/code><\/strong>&nbsp;on the shell prompt. 
<strong>Notice the dot (.)<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>osquery&gt; .help<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nWelcome to the osquery shell. Please explore your OS!\nYou are connected to a transient 'in-memory' virtual database.\n\n.all [TABLE]     Select all from a table\n.bail ON|OFF     Stop after hitting an error\n.connect PATH    Connect to an osquery extension socket\n.disconnect      Disconnect from a connected extension socket\n.echo ON|OFF     Turn command echo on or off\n.exit            Exit this program\n.features        List osquery's features and their statuses\n.headers ON|OFF  Turn display of headers on or off\n.help            Show this message\n.mode MODE       Set output mode where MODE is one of:\n                   csv      Comma-separated values\n                   column   Left-aligned columns see .width\n                   line     One value per line\n                   list     Values delimited by .separator string\n                   pretty   Pretty printed SQL results (default)\n.nullvalue STR   Use STRING in place of NULL values\n.print STR...    Print literal STRING\n.quit            Exit this program\n.schema [TABLE]  Show the CREATE statements\n.separator STR   Change separator used by output mode\n.socket          Show the local osquery extensions socket path\n.show            Show the current values for various settings\n.summary         Alias for the show meta command\n.tables [TABLE]  List names of tables\n.types [SQL]     Show result of getQueryColumns for the given query\n.width [NUM1]+   Set column widths for \"column\" mode\n.timer ON|OFF      Turn the CPU timer measurement on or off\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Listing Osquery system Information tables<\/h4>\n\n\n\n<p>Osquery exposes various OS attributes as tables, much like a relational database. 
Hence, to list the tables in which various system information is stored, run the&nbsp;<code><strong>.tables<\/strong><\/code>&nbsp;command within the&nbsp;<strong>osqueryi<\/strong>&nbsp;prompt.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>osqueryi<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>osquery&gt; .tables<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n=&gt; acpi_tables\n=&gt; apt_sources\n=&gt; arp_cache\n=&gt; augeas\n=&gt; authorized_keys\n=&gt; block_devices\n=&gt; carbon_black_info\n=&gt; carves\n=&gt; chrome_extensions\n=&gt; cpu_time\n\u2026\n=&gt; time\n=&gt; uptime\n=&gt; usb_devices\n=&gt; user_events\n=&gt; user_groups\n=&gt; user_ssh_keys\n=&gt; users\n=&gt; yara\n=&gt; yara_events\n=&gt; yum_sources\nosquery&gt;\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Querying Osquery system tables<\/h4>\n\n\n\n<p>For example purposes, let us see what is contained in some of the tables;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>select * from os_version;<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n+-------------+------------------------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+\n| name        | version                                  | major | minor | patch | build | platform | platform_like | codename | arch   |\n+-------------+------------------------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+\n| Rocky Linux | Rocky Linux release 8.4 (Green Obsidian) | 8     | 4     | 0     |       | rhel     | rhel          |          | x86_64 |\n+-------------+------------------------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+\n<\/code><\/pre>\n\n\n\n<p>To query system users whose uid is 1000 or greater;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>select * from 
users where uid &gt;=1000;<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n+-------+-------+------------+------------+-----------+----------------------+-----------------+---------------+------+\n| uid   | gid   | uid_signed | gid_signed | username  | description          | directory       | shell         | uuid |\n+-------+-------+------------+------------+-----------+----------------------+-----------------+---------------+------+\n| 65534 | 65534 | 65534      | 65534      | nobody    | Kernel Overflow User | \/               | \/sbin\/nologin |      |\n| 1000  | 1000  | 1000       | 1000       | kifarunix |                      | \/home\/kifarunix | \/bin\/bash     |      |\n+-------+-------+------------+------------+-----------+----------------------+-----------------+---------------+------+\n<\/code><\/pre>\n\n\n\n<p>To list all logged-in users;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>select user,tty,host,time from logged_in_users where tty not like '~';<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n+-----------+-------+--------------+------------+\n| user      | tty   | host         | time       |\n+-----------+-------+--------------+------------+\n| kifarunix | tty1  |              | 1628876993 |\n| root      | pts\/0 | 192.168.60.1 | 1628875575 |\n+-----------+-------+--------------+------------+\n<\/code><\/pre>\n\n\n\n<p>Check system uptime;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>select * from uptime;<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n+------+-------+---------+---------+---------------+\n| days | hours | minutes | seconds | total_seconds |\n+------+-------+---------+---------+---------------+\n| 0    | 4     | 21      | 49      | 4909          |\n+------+-------+---------+---------+---------------+\n<\/code><\/pre>\n\n\n\n<p>To show network interfaces and IP addresses;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>select interface,address,mask from interface_addresses where 
interface NOT LIKE '%lo%';<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n+-----------+----------------------------------+-----------------------+\n| interface | address                          | mask                  |\n+-----------+----------------------------------+-----------------------+\n| enp0s3    | 10.0.2.15                        | 255.255.255.0         |\n| enp0s8    | 192.168.60.19                    | 255.255.255.0         |\n| enp0s3    | fe80::689b:622:1eaf:287a%enp0s3  | ffff:ffff:ffff:ffff:: |\n| enp0s8    | fe80::301d:abeb:ad8b:6c56%enp0s8 | ffff:ffff:ffff:ffff:: |\n+-----------+----------------------------------+-----------------------+\n<\/code><\/pre>\n\n\n\n<p>See the columns of each osquery table on the <a href=\"https:\/\/osquery.io\/schema\/4.9.0\/#rpm_packages\" target=\"_blank\" rel=\"noreferrer noopener\">osquery schema page<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Osquery command output view modes<\/h3>\n\n\n\n<p>The osquery command output view mode can be changed by running the command&nbsp;<code>.mode MODE<\/code>&nbsp;from within the&nbsp;<strong><code>osqueryi<\/code><\/strong>&nbsp;shell prompt, where MODE can be&nbsp;<strong><code>line<\/code><\/strong>,&nbsp;<code><strong>csv<\/strong><\/code>,&nbsp;<code><strong>pretty<\/strong><\/code>&nbsp;(default),&nbsp;<code><strong>column<\/strong><\/code>&nbsp;or&nbsp;<strong><code>list<\/code><\/strong>.<\/p>\n\n\n\n<p>For example, to set the view to line mode;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>osquery&gt; <strong>.mode line<\/strong><\/code><\/pre>\n\n\n\n<p>Then, when you run queries, the output is produced line by line, one value per line;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>SELECT * FROM system_info;<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n          hostname = rocky8.kifarunix-demo.com\n              uuid = 85dd4d36-5e88-864a-b6e8-1919f794534a\n          cpu_type = x86_64\n       cpu_subtype = 142\n         cpu_brand = Intel(R) Core(TM) i7-10510U 
CPU @ 1.80GHz\ncpu_physical_cores = 1\n cpu_logical_cores = 1\n     cpu_microcode = \n   physical_memory = 848629760\n   hardware_vendor = innotek GmbH\n    hardware_model = VirtualBox\n  hardware_version = 1.2\n   hardware_serial = 0\n      board_vendor = Oracle Corporation\n       board_model = VirtualBox\n     board_version = 1.2\n      board_serial = 0\n     computer_name = rocky8.kifarunix-demo.com\n    local_hostname = rocky8.kifarunix-demo.com\n<\/code><\/pre>\n\n\n\n<p>List installed system packages (limited to the first three here);<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>select * from rpm_packages limit 3;<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n         name = NetworkManager\n      version = 1.30.0\n      release = 10.el8_4\n       source = NetworkManager-1.30.0-10.el8_4.src.rpm\n         size = 7215759\n         sha1 = f910dc05b56f78fcec2386ac164fcba0316299fa\n         arch = x86_64\n        epoch = 1\n install_time = 1628844768\n       vendor = Rocky\npackage_group = System Environment\/Base\n\n         name = NetworkManager-libnm\n      version = 1.30.0\n      release = 10.el8_4\n       source = NetworkManager-1.30.0-10.el8_4.src.rpm\n         size = 9262984\n         sha1 = 25eb93263187481d1475d2dd5b25d8639808e04a\n         arch = x86_64\n        epoch = 1\n install_time = 1628844766\n       vendor = Rocky\npackage_group = Development\/Libraries\n\n         name = NetworkManager-team\n      version = 1.30.0\n      release = 10.el8_4\n       source = NetworkManager-1.30.0-10.el8_4.src.rpm\n         size = 49616\n         sha1 = f8a8fbd59ba1a1901e27ab2833aa8705902965c6\n         arch = x86_64\n        epoch = 1\n install_time = 1628844958\n       vendor = Rocky\npackage_group = System Environment\/Base\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Exit Osquery Interactive shell<\/h4>\n\n\n\n<p>To exit the osqueryi interactive shell (the osquery&gt; prompt), use the command&nbsp;<code><strong>.exit<\/strong><\/code>&nbsp;or simply 
press the&nbsp;<strong><code>Control+d<\/code><\/strong>&nbsp;key combination.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>osquery&gt; <strong>.exit<\/strong><\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Running Osquery as a service<\/h3>\n\n\n\n<p><code><strong>osqueryd<\/strong><\/code>&nbsp;is the osquery daemon for scheduling queries and recording changes in the state of the OS. You can use this daemon to run Osquery as a service.<\/p>\n\n\n\n<p>For this to work, you need to copy the sample Osquery configuration to the&nbsp;<code><strong>\/etc\/osquery<\/strong><\/code>&nbsp;directory as follows;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp \/usr\/share\/osquery\/osquery.example.conf \/etc\/osquery\/osquery.conf<\/code><\/pre>\n\n\n\n<p>Next, start the service;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl start osqueryd<\/code><\/pre>\n\n\n\n<p>Check the status;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl status osqueryd<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\u25cf osqueryd.service - The osquery Daemon\n   Loaded: loaded (\/usr\/lib\/systemd\/system\/osqueryd.service; disabled; vendor preset: disabled)\n   Active: active (running) since Fri 2021-08-13 21:03:04 EAT; 5s ago\n  Process: 2244 ExecStartPre=\/bin\/sh -c if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi (code=exited, status=0\/SUCCESS)\n  Process: 2241 ExecStartPre=\/bin\/sh -c if [ ! 
-f $FLAG_FILE ]; then touch $FLAG_FILE; fi (code=exited, status=0\/SUCCESS)\n Main PID: 2245 (osqueryd)\n    Tasks: 14 (limit: 4938)\n   Memory: 9.5M\n   CGroup: \/system.slice\/osqueryd.service\n           \u251c\u25002245 \/usr\/bin\/osqueryd --flagfile \/etc\/osquery\/osquery.flags --config_path \/etc\/osquery\/osquery.conf\n           \u2514\u25002248 \/usr\/bin\/osqueryd\n\nAug 13 21:03:04 rocky8.kifarunix-demo.com systemd[1]: Starting The osquery Daemon...\nAug 13 21:03:04 rocky8.kifarunix-demo.com systemd[1]: Started The osquery Daemon.\nAug 13 21:03:04 rocky8.kifarunix-demo.com osqueryd[2245]: osqueryd started [version=4.9.0]\nAug 13 21:03:07 rocky8.kifarunix-demo.com osqueryd[2245]: I0813 21:03:07.644742  2248 eventfactory.cpp:156] Event\n<\/code><\/pre>\n\n\n\n<p>Note that the unit is reported as disabled in the status output above, so it is running now but will not start again automatically after a reboot unless you also enable it with systemctl.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Further Reading<\/h3>\n\n\n\n<p><a href=\"https:\/\/osquery.readthedocs.io\/en\/4.6.0\/\" target=\"_blank\" rel=\"noreferrer noopener\">Osquery Documentation<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-redmine-on-ubuntu-20-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Redmine on Ubuntu 20.04<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-redmine-on-rocky-linux-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Redmine on Rocky Linux 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-webmin-on-rocky-linux-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Webmin on Rocky Linux 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-configure-snmp-on-rocky-linux-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Configure SNMP on Rocky Linux 8<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we are going to learn how to install osquery on Rocky Linux 8.&nbsp;Osquery&nbsp;is an opensource tool that queries an operating system 
as<\/p>\n","protected":false},"author":3,"featured_media":10042,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,72,34],"tags":[3951,3953,1066,3587,3952],"class_list":["post-10041","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-monitoring","category-security","tag-install-osquery-rocky-linux-8","tag-osqeury-install-on-rocky-linux","tag-osquery","tag-rocky-linux-8","tag-rocky-linux-osquery","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/10041"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=10041"}],"version-history":[{"count":2,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/10041\/revisions"}],"predecessor-version":[{"id":21695,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/10041\/revisions\/21695"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/10042"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=10041"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=10041"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=10041"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}