{"id":2099,"date":"2019-01-19T16:36:19","date_gmt":"2019-01-19T13:36:19","guid":{"rendered":"http:\/\/kifarunix.com\/?p=2099"},"modified":"2024-03-11T22:03:05","modified_gmt":"2024-03-11T19:03:05","slug":"how-to-install-osquery-on-ubuntu-18-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-install-osquery-on-ubuntu-18-04\/","title":{"rendered":"How to Install Osquery on Ubuntu 18.04"},"content":{"rendered":"\n<p>In this guide, we are going to learn how to install osquery on Ubuntu 18.04. <a href=\"https:\/\/osquery.io\/\" target=\"_blank\" rel=\"noopener noreferrer\">Osquery<\/a> is an open-source tool that exposes an operating system as if it were a relational database: processes, users, packages, network configuration and other system state are presented as tables that you query with SQL (SQLite syntax) for performance monitoring, security investigation and compliance auditing. It runs on Linux, FreeBSD, macOS and Windows.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Installing Osquery on Ubuntu 18.04<\/h2>\n\n\n\n<p>The default Ubuntu repositories do not contain the osquery package. However, osquery publishes an&nbsp;apt repository for each stable release. 
To add the osquery apt repository to Ubuntu 18.04, create the osquery source list;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">echo \"deb [arch=amd64] https:\/\/pkg.osquery.io\/deb deb main\" | sudo tee \/etc\/apt\/sources.list.d\/osquery.list<\/pre>\n\n\n\n<p>Import the repository signing key. The argument is the full 40-character fingerprint of the osquery packaging key, so apt will only trust packages signed by that exact key. Adding a third-party repository is a supply-chain trust decision: compare the fingerprint with the one published in the osquery installation documentation before using it on a production host. (<code>apt-key<\/code> is deprecated on newer Ubuntu releases but is the method that works on 18.04.)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B<\/pre>\n\n\n\n<p>Update the package index<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo apt update<\/pre>\n\n\n\n<p>Once the update is done, install osquery.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo apt install osquery<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Components of osquery<\/h2>\n\n\n\n<p>The osquery package installs three components;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>osqueryctl<\/code> &#8211; a helper script for checking an osquery configuration (<code>config-check<\/code>) and for starting, stopping and restarting the osqueryd service.<\/li>\n\n\n\n<li><code>osqueryd<\/code> &#8211; the osquery daemon. It runs queries on a schedule and logs the differences in OS state between runs, which is the mode used for continuous monitoring of a fleet.<\/li>\n\n\n\n<li><code>osqueryi<\/code> &#8211; the osquery interactive shell. 
From the shell, you can run ad hoc queries to explore the state of your OS.<\/li>\n<\/ul>\n\n\n\n<p>To see how each command is used, pass the <code>-h\/--help<\/code> option.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">osqueryctl -h<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">Usage: \/usr\/bin\/osqueryctl {clean|config-check|start|stop|status|restart}<\/pre>\n\n\n\n<p><code>osqueryctl<\/code> takes a single action and no service name (it always manages osqueryd); the start, stop and restart actions need root. For example, to validate the daemon configuration and then start, stop or restart osqueryd, run;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo osqueryctl config-check\nsudo osqueryctl start\nsudo osqueryctl stop\nsudo osqueryctl restart<\/pre>\n\n\n\n<p>Osquery can be used interactively with <code>osqueryi<\/code> or run as a service with <code>osqueryd<\/code>. In this guide, we are going to focus on the interactive shell. Note that some tables, such as <code>shadow<\/code>, only return data when <code>osqueryi<\/code> runs as root, so use <code>sudo osqueryi<\/code> when a query unexpectedly returns no rows.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Running osquery in standalone mode<\/h3>\n\n\n\n<p>When <code>osqueryi<\/code> is run without any arguments, it takes you to the interactive shell prompt;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">osqueryi<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">Using a virtual database. Need help, type '.help'\nosquery&gt;<\/pre>\n\n\n\n<p>You can obtain help by typing <code>.help<\/code> at the shell prompt.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">osquery&gt; .help<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">Welcome to the osquery shell. Please explore your OS!\nYou are connected to a transient 'in-memory' virtual database.\n\n.all [TABLE]     Select all from a table\n.bail ON|OFF     Stop after hitting an error\n.echo ON|OFF     Turn command echo on or off\n...\nosquery&gt;<\/pre>\n\n\n\n<p>Each aspect of the OS is exposed as a table. 
To list the available tables, run the <code>.tables<\/code> command (<code>.schema TABLE<\/code> shows the columns of a table).<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">osquery&gt; .tables<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">  =&gt; acpi_tables\n  =&gt; apt_sources\n  =&gt; arp_cache\n  =&gt; augeas\n  =&gt; authorized_keys\n  =&gt; block_devices\n  =&gt; carbon_black_info\n  =&gt; carves\n  =&gt; chrome_extensions\n  =&gt; cpu_time\n...\n  =&gt; time\n  =&gt; uptime\n  =&gt; usb_devices\n  =&gt; user_events\n  =&gt; user_groups\n  =&gt; user_ssh_keys\n  =&gt; users\n  =&gt; yara\n  =&gt; yara_events\n  =&gt; yum_sources\nosquery&gt;<\/pre>\n\n\n\n<p>As examples, let us look at what some of these tables contain;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">osquery&gt; select * from os_version;\n+--------+-----------------------------+-------+-------+-------+-------+----------+---------------+----------+\n| name   | version                     | major | minor | patch | build | platform | platform_like | codename |\n+--------+-----------------------------+-------+-------+-------+-------+----------+---------------+----------+\n| Ubuntu | 18.04.1 LTS (Bionic Beaver) | 18    | 4     | 0     |       | ubuntu   | debian        | bionic   |\n+--------+-----------------------------+-------+-------+-------+-------+----------+---------------+----------+\nosquery&gt;<\/pre>\n\n\n\n<p>To list non-system users (regular accounts on Ubuntu start at uid 1000; note that <code>nobody<\/code>, uid 65534, also matches this filter),<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">osquery&gt; select * from users where uid &gt;=1000;\n+-------+-------+------------+------------+----------+-------------+--------------+-------------------+------+\n| uid   | gid   | uid_signed | gid_signed | username | description | directory    | shell             | uuid |\n+-------+-------+------------+------------+----------+-------------+--------------+-------------------+------+\n| 65534 | 65534 | 65534      | 65534      | nobody   | nobody      | \/nonexistent | \/usr\/sbin\/nologin |      |\n| 
1000  | 1000  | 1000       | 1000       | amos     | amos,,,     | \/home\/amos   | \/bin\/bash         |      |\n+-------+-------+------------+------------+----------+-------------+--------------+-------------------+------+\nosquery&gt;<\/pre>\n\n\n\n<p>To list logged-in users (the row whose tty is <code>~<\/code> is the boot-time record rather than a login, so it is filtered out; <code>time<\/code> is a Unix timestamp);<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">osquery&gt; select user,host,time from logged_in_users where tty not like '~';\n+-------+----------------+------------+\n| user  | host           | time       |\n+-------+----------------+------------+\n| root  | 192.168.43.149 | 1547894367 |\n| amos  | 192.168.43.149 | 1547902074 |\n+-------+----------------+------------+\nosquery&gt;<\/pre>\n\n\n\n<p>Check system uptime;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">osquery&gt; select * from uptime;\n+------+-------+---------+---------+---------------+\n| days | hours | minutes | seconds | total_seconds |\n+------+-------+---------+---------+---------------+\n| 0    | 4     | 35      | 32      | 16532         |\n+------+-------+---------+---------+---------------+\nosquery&gt;<\/pre>\n\n\n\n<p>To show network interfaces and their IP addresses, excluding loopback (<code>interface != 'lo'<\/code> would be more precise, since the pattern below also drops interfaces with <code>lo<\/code> anywhere in the name, such as <code>wlo1<\/code>);<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">osquery&gt; select interface,address,mask from interface_addresses where interface NOT LIKE '%lo%';<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">+-----------+----------------------------------+-----------------------+\n| interface | address                          | mask                  |\n+-----------+----------------------------------+-----------------------+\n| enp0s3    | 10.0.2.15                        | 255.255.255.0         |\n| enp0s8    | 192.168.56.160                   | 255.255.255.0         |\n| enp0s3    | fe80::3760:84e7:7371:50a1%enp0s3 | ffff:ffff:ffff:ffff:: |\n| enp0s8    | fe80::ccd8:e5fe:851:c19c%enp0s8  | ffff:ffff:ffff:ffff:: |\n+-----------+----------------------------------+-----------------------+<\/pre>\n\n\n\n<p>The view mode can be changed by running the command, 
<code>.mode MODE<\/code> where MODE can be line, csv, pretty (default), column, list. For example, to switch to line mode;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">osquery&gt; .mode line<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">osquery&gt; SELECT * FROM system_info;\n          hostname = u18svr.example.com\n              uuid = 9F23F1AC-B198-4EB6-8363-1ED87FB8B43E\n          cpu_type = 6\n       cpu_subtype = 69\n         cpu_brand = Intel(R) Core(TM) i5-4300U CPU @ 1.90GHz\ncpu_physical_cores = 1\n cpu_logical_cores = 1\n     cpu_microcode = \n   physical_memory = 2090295296\n   hardware_vendor = innotek GmbH\n    hardware_model = VirtualBox\n  hardware_version = 1.2\n   hardware_serial = 0\n     computer_name = u18svr\n    local_hostname = u18svr.example.com<\/pre>\n\n\n\n<p>List installed packages (still in line mode; <code>limit<\/code> keeps the output short);<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">osquery&gt; select * from deb_packages limit 3;\n    name = accountsservice\n version = 0.6.45-1ubuntu1\n  source = \n    size = 440\n    arch = amd64\nrevision = 1ubuntu1\n\n    name = adduser\n version = 3.116ubuntu1\n  source = \n    size = 624\n    arch = all\nrevision = \n\n    name = amd64-microcode\n version = 3.20180524.1~ubuntu0.18.04.2\n  source = \n    size = 75\n    arch = amd64\nrevision = \nosquery&gt;<\/pre>\n\n\n\n<p>Beautiful, isn&#8217;t it? 
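<\/p>\n\n\n\n<p>The queries below are added examples written for this page; they are not from the original post or from the osquery project. They use standard osquery tables (<code>users<\/code>, <code>processes<\/code>, <code>listening_ports<\/code>, <code>suid_bin<\/code>, <code>authorized_keys<\/code>, <code>crontab<\/code>) and the same SQLite syntax as the queries above, and each one is a check you would typically run from <code>osqueryi<\/code> when triaging a Linux host. Run the shell as root so that every table is readable; output is omitted because it depends entirely on the host.<\/p>\n\n\n\n
```sql
-- Added example: security triage queries for osqueryi on Linux
-- (not from the original post). Table and column names are the
-- standard osquery ones; no host-specific values are assumed.

-- 1. Any account with uid 0 other than root: a classic backdoor.
SELECT username, uid, shell, directory
FROM users
WHERE uid = 0 AND username != 'root';

-- 2. Listening TCP sockets (protocol 6) with the owning process.
--    Compare the binary path and cmdline against what you expect
--    to be listening on this host.
SELECT lp.port, lp.address, p.pid, p.name, p.path, p.cmdline
FROM listening_ports lp
JOIN processes p ON lp.pid = p.pid
WHERE lp.protocol = 6 AND lp.port != 0
ORDER BY lp.port;

-- 3. Running processes whose executable no longer exists on disk
--    (on_disk = 0): typical of a dropper that deletes itself after
--    launch, or of a process started from a cleaned-up temp directory.
SELECT pid, name, path, cmdline, uid, parent
FROM processes
WHERE on_disk = 0;

-- 4. setuid and setgid binaries not owned by root; each one deserves
--    a second look because it runs with another account's privileges.
SELECT path, username, groupname, permissions
FROM suid_bin
WHERE username != 'root';

-- 5. SSH public keys that grant access to each local account.
--    The join supplies the uid that authorized_keys uses to know
--    which home directories to read.
SELECT u.username, a.key_file, a.algorithm,
       substr(a.key, 1, 24) AS key_prefix
FROM users u
JOIN authorized_keys a ON u.uid = a.uid;

-- 6. Every cron entry on the host, a common persistence location.
SELECT path, command, minute, hour, day_of_month, month, day_of_week
FROM crontab
ORDER BY path;
```
\n\n\n\n<p>Each of these is a single SELECT, so the same statements also work unchanged as scheduled queries in an <code>osqueryd<\/code> configuration, which is how you would collect them continuously instead of by hand.<\/p>\n\n\n\n<p>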
Feel free to explore all the other tables.<\/p>\n\n\n\n<p>You can read more about osquery <a href=\"https:\/\/osquery.readthedocs.io\/en\/stable\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Related Tutorials<\/h3>\n\n\n\n<p><a title=\"Install and Setup Kolide Fleet on Ubuntu 18.04\" href=\"https:\/\/kifarunix.com\/install-and-setup-kolide-fleet-on-ubuntu-18-04\/\" target=\"_blank\" rel=\"bookmark noopener noreferrer\">Install and Setup Kolide Fleet on Ubuntu 18.04<\/a><\/p>\n\n\n\n<p><a title=\"Install Kolide Fleet Osquery Fleet Manager on Debian 10\" href=\"https:\/\/kifarunix.com\/install-kolide-fleet-osquery-fleet-manager-on-debian-10\/\" target=\"_blank\" rel=\"bookmark noopener noreferrer\">Install Kolide Fleet Osquery Fleet Manager on Debian 10<\/a><\/p>\n\n\n\n<p><a title=\"Install Osquery on Debian 10 Buster\" href=\"https:\/\/kifarunix.com\/install-osquery-on-debian-10-buster\/\" target=\"_blank\" rel=\"bookmark noopener noreferrer\">Install Osquery on Debian 10 Buster<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we are going to learn how to install osquery on Ubuntu 18.04. 
Osquery is an opensource tool that queries an operating system<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[72,121,1065,34],"tags":[3170,3173,3171,3172],"class_list":["post-2099","post","type-post","status-publish","format-standard","hentry","category-monitoring","category-howtos","category-osquery","category-security","tag-install-osquery-ubuntu","tag-install-osquery-ubuntu-18-04","tag-osquery-ubuntu","tag-ubuntu-18-04-osquery","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2099"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=2099"}],"version-history":[{"count":7,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2099\/revisions"}],"predecessor-version":[{"id":21092,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2099\/revisions\/21092"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=2099"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=2099"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=2099"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}