{"id":3976,"date":"2019-08-12T14:45:45","date_gmt":"2019-08-12T11:45:45","guid":{"rendered":"https:\/\/kifarunix.com\/?p=3976"},"modified":"2024-03-12T07:36:25","modified_gmt":"2024-03-12T04:36:25","slug":"install-osquery-on-debian-10-buster","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-osquery-on-debian-10-buster\/","title":{"rendered":"Install Osquery on Debian 10 Buster"},"content":{"rendered":"\n
In this guide, we are going to learn how to install osquery on Debian 10 Buster. Osquery<\/a> is an open-source tool that exposes an operating system as if it were a relational database. It uses SQL queries to gather operating system information for performance, security and compliance audit analysis. It runs on multiple platforms, including Linux, FreeBSD, macOS and Windows.<\/p>\n\n\n\n The default Debian 10 repositories do not contain the osquery package. However, osquery publishes an APT repository for each stable release.<\/p>\n\n\n\n Import the osquery repository signing key. The apt-key<\/strong> command used below still works on Debian 10 but is deprecated on Debian 11 and later, where the key belongs in its own keyring file under \/etc\/apt\/keyrings<\/strong>, referenced by a signed-by<\/strong> option in the sources entry so that the key is trusted for this repository only.<\/p>\n\n\n\n Next, install the osquery APT repository on Debian 10 Buster. The arch=amd64<\/strong> option restricts APT to the amd64 package index of this repository.<\/p>\n\n\n\n Update your package index.<\/p>\n\n\n\n Once the update is done, install osquery.<\/p>\n\n\n\n The osquery package installs three basic components;<\/p>\n\n\n\n In order to learn the usage of the commands above, you can pass the For example, to start, stop and restart osqueryd using Osquery can be run in standalone mode using the When You can obtain help within the osquery shell prompt by typing osqueryi<\/strong> accepts several meta-commands, prefixed with a dot (.<\/strong>).<\/p>\n\n\n\n With osquery, various OS attributes are exposed as tables, so system state can be queried with ordinary relational concepts. 
Hence, to list the tables in which the various pieces of system information are stored, run the For example purposes, let us see what is contained in some of the tables, say the sudoers<\/strong> table. Note that osqueryi<\/strong> reads the live system with the privileges of the user running it, so tables backed by root-only files such as sudoers<\/strong> or shadow<\/strong> return rows only when the shell is run as root.<\/p>\n\n\n\n To query only the first 5 system accounts, i.e. those with a UID of at most 1000,<\/p>\n\n\n\n To check logged-in users;<\/p>\n\n\n\n Check system uptime;<\/p>\n\n\n\n The view mode can be changed by running the command, List installed packages and display only the first 3.<\/p>\n\n\n\n List system processes, most recently started first;<\/p>\n\n\n\n Get system information.<\/p>\n\n\n\n Instead of having to run osquery interactively with osqueryi<\/strong>, you can configure osquery to read scheduled queries from a configuration file and write their results to a log file.<\/p>\n\n\n\n Osquery does not install a configuration file by default. Hence, copy the sample configuration to the \/etc\/osquery<\/strong> directory.<\/p>\n\n\n\n Our final osquery configuration file looks like this. It is JSON with \/\/<\/strong> comments, which osquery accepts but a strict JSON parser does not.<\/p>\n\n\n\n Save the configuration file and run the command below to validate it. The check exits non-zero and reports the error if the file cannot be parsed or applied.<\/p>\n\n\n\n The query results are now written to \/var\/log\/osquery\/osqueryd.results.log<\/strong>, one JSON object per line, and you can view them in real time using the tail command. By default each scheduled query is logged differentially: a row is written with action added<\/strong> when it first appears in the result set and with action removed<\/strong> when it disappears, so the log records changes of state rather than the full result set on every run.<\/p>\n\n\n\n That is just about it on installing osquery on Debian 10 Buster.<\/p>\n\n\n\n You can read more about osquery here<\/a>.<\/p>\n\n\n\n How to Install Osquery on Ubuntu 18.04<\/a><\/p>\n\n\n\n Install Kolide Fleet Osquery Fleet Manager on Debian 10<\/a><\/p>\n\n\n\nInstalling Osquery on Debian 10 Buster<\/h2>\n\n\n\n
Install Osquery APT Repository<\/h3>\n\n\n\n
sudo apt update -y && sudo apt install gnupg2 vim -y<\/code><\/pre>\n\n\n\n
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B<\/code><\/pre>\n\n\n\n
sudo apt install software-properties-common -y<\/code><\/pre>\n\n\n\n
echo 'deb [arch=amd64] https:\/\/pkg.osquery.io\/deb deb main' | sudo tee \/etc\/apt\/sources.list.d\/osquery.list<\/code><\/pre>\n\n\n\n
sudo apt update<\/code><\/pre>\n\n\n\n
Install Osquery<\/h3>\n\n\n\n
sudo apt install osquery<\/code><\/pre>\n\n\n\n
Components of osquery<\/h2>\n\n\n\n
\n
osqueryctl<\/code> \u2013 This is an osquery helper script for testing osquery configuration\/deployment as well as managing the osqueryd service.<\/li>\n\n\n\n
osqueryd<\/code> \u2013 is an osquery daemon for scheduling queries and recording the changes in the state of OS.<\/li>\n\n\n\n
osqueryi<\/code> \u2013 is an osquery interactive shell. From the shell, you can run various queries to explore that state of your OS.<\/li>\n<\/ul>\n\n\n\n
-h\/--help<\/code> option. For example, to obtain osqueryctl<\/strong> help;<\/p>\n\n\n\n
osqueryctl -h<\/code><\/pre>\n\n\n\n
Usage: \/usr\/bin\/osqueryctl {clean|config-check|start|stop|status|restart}<\/code><\/pre>\n\n\n\n
osqueryctl<\/code>, run the commands;<\/p>\n\n\n\n
osqueryctl start<\/code><\/pre>\n\n\n\n
osqueryctl stop<\/code><\/pre>\n\n\n\n
osqueryctl restart<\/code><\/pre>\n\n\n\n
Executing Osquery SQL queries<\/h3>\n\n\n\n
osqueryi<\/code> or as a service using
osqueryd<\/code>. In this guide, we are going to focus on how to use the osquery interactive shell to query various system activities.<\/p>\n\n\n\n
Running osquery in standalone mode<\/h3>\n\n\n\n
osqueryi<\/code> is run without any arguments, it takes you to the interactive shell prompt;<\/p>\n\n\n\n
osqueryi<\/code><\/pre>\n\n\n\n
Using a virtual database. Need help, type '.help'\nosquery><\/code><\/pre>\n\n\n\n
.help<\/code> on the shell prompt.<\/p>\n\n\n\n
\nWelcome to the osquery shell. Please explore your OS!\nYou are connected to a transient 'in-memory' virtual database.\n\n.all [TABLE] Select all from a table\n.bail ON|OFF Stop after hitting an error\n.connect PATH Connect to an osquery extension socket\n.disconnect Disconnect from a connected extension socket\n.echo ON|OFF Turn command echo on or off\n.exit Exit this program\n.features List osquery's features and their statuses\n.headers ON|OFF Turn display of headers on or off\n.help Show this message\n.mode MODE Set output mode where MODE is one of:\n csv Comma-separated values\n column Left-aligned columns see .width\n line One value per line\n list Values delimited by .separator string\n pretty Pretty printed SQL results (default)\n.nullvalue STR Use STRING in place of NULL values\n.print STR... Print literal STRING\n.quit Exit this program\n.schema [TABLE] Show the CREATE statements\n.separator STR Change separator used by output mode\n.socket Show the local osquery extensions socket path\n.show Show the current values for various settings\n.summary Alias for the show meta command\n.tables [TABLE] List names of tables\n.types [SQL] Show result of getQueryColumns for the given query\n.width [NUM1]+ Set column widths for \"column\" mode\n.timer ON|OFF Turn the CPU timer measurement on or off\n<\/code><\/pre>\n\n\n\n
.tables<\/code> command. For example;<\/p>\n\n\n\n
\nosquery> .tables\n => acpi_tables\n => apt_sources\n => arp_cache\n => augeas\n ...\n => ssh_configs\n => sudoers\n => suid_bin\n => syslog_events\n => system_controls\n => system_info\n => time\n => ulimit_info\n => uptime\n => usb_devices\n => user_events\n => user_groups\n => user_ssh_keys\n => users\n => yara\n => yara_events\n => yum_sources\nosquery>\n<\/code><\/pre>\n\n\n\n
\nosquery> select * from sudoers;\n+----------+----------------------------------------------------------------------------+\n| header | rule_details |\n+----------+----------------------------------------------------------------------------+\n| Defaults | env_reset |\n| Defaults | mail_badpass |\n| Defaults | secure_path=\"\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin\" |\n| root | ALL=(ALL:ALL) ALL |\n| %sudo | ALL=(ALL:ALL) ALL |\n+----------+----------------------------------------------------------------------------+\nosquery>\n<\/code><\/pre>\n\n\n\n
\nosquery> select * from sudoers where header like '%root';\n+--------+-------------------+\n| header | rule_details |\n+--------+-------------------+\n| root | ALL=(ALL:ALL) ALL |\n+--------+-------------------+\nosquery>\n<\/code><\/pre>\n\n\n\n
\nosquery> select * from users where uid <= 1000 limit 5;\n+-----+-------+------------+------------+----------+-------------+-----------+-------------------+------+\n| uid | gid | uid_signed | gid_signed | username | description | directory | shell | uuid |\n+-----+-------+------------+------------+----------+-------------+-----------+-------------------+------+\n| 0 | 0 | 0 | 0 | root | root | \/root | \/bin\/bash | |\n| 1 | 1 | 1 | 1 | daemon | daemon | \/usr\/sbin | \/usr\/sbin\/nologin | |\n| 2 | 2 | 2 | 2 | bin | bin | \/bin | \/usr\/sbin\/nologin | |\n| 3 | 3 | 3 | 3 | sys | sys | \/dev | \/usr\/sbin\/nologin | |\n| 4 | 65534 | 4 | 65534 | sync | sync | \/bin | \/bin\/sync | |\n+-----+-------+------------+------------+----------+-------------+-----------+-------------------+------+\nosquery>\n<\/code><\/pre>\n\n\n\n
\nosquery> select * from logged_in_users where type = 'user';\n+------+------+-------+----------------+------------+------+\n| type | user | tty | host | time | pid |\n+------+------+-------+----------------+------------+------+\n| user | root | tty1 | | 1565598621 | 729 |\n| user | amos | pts\/0 | 192.168.43.17 | 1565598768 | 851 |\n| user | amos | pts\/1 | 192.168.43.162 | 1565602356 | 7712 |\n+------+------+-------+----------------+------------+------+\nosquery>\n<\/code><\/pre>\n\n\n\n
\nosquery> select * from uptime;\n+------+-------+---------+---------+---------------+\n| days | hours | minutes | seconds | total_seconds |\n+------+-------+---------+---------+---------------+\n| 0 | 1 | 10 | 13 | 4213 |\n+------+-------+---------+---------+---------------+\nosquery>\n<\/code><\/pre>\n\n\n\n
.mode MODE<\/code> where MODE can be line, csv, pretty (default), column or list. For example, to set the view to line mode;<\/p>\n\n\n\n
osquery> .mode line<\/code><\/pre>\n\n\n\n
\nosquery> select * from load_average;\n period = 1m\naverage = 0.080000\n\n period = 5m\naverage = 0.070000\n\n period = 15m\naverage = 0.120000\nosquery>\n<\/code><\/pre>\n\n\n\n
\nosquery> select * from deb_packages limit 3;\n name = adduser\n version = 3.118\n source = \n size = 849\n arch = all\nrevision = \n\n name = adwaita-icon-theme\n version = 3.30.1-1\n source = \n size = 26804\n arch = all\nrevision = 1\n\n name = anacron\n version = 2.3-28\n source = \n size = 99\n arch = amd64\nrevision = 28\nosquery>\n<\/code><\/pre>\n\n\n\n
\nosquery> select pid,name,state,parent from processes order by start_time desc limit 10;\n+------+-----------------------------+-------+--------+\n| pid | name | state | parent |\n+------+-----------------------------+-------+--------+\n| 8405 | kworker\/0:0-ata_sff | I | 2 |\n| 8332 | osqueryi | R | 874 |\n| 8329 | kworker\/0:1-ata_sff | I | 2 |\n| 8280 | kworker\/u2:0-events_unbound | I | 2 |\n| 7726 | bash | S | 7725 |\n| 7725 | su | S | 7722 |\n| 7721 | sshd | S | 7712 |\n| 7722 | bash | S | 7721 |\n| 7712 | sshd | S | 456 |\n| 7599 | kworker\/u2:1-events_unbound | I | 2 |\n+------+-----------------------------+-------+--------+\nosquery>\n<\/code><\/pre>\n\n\n\n
\nosquery> select hostname,cpu_physical_cores,physical_memory from system_info;\n+----------------------+--------------------+-----------------+\n| hostname | cpu_physical_cores | physical_memory |\n+----------------------+--------------------+-----------------+\n| debian10.example.com | 1 | 1035452416 |\n+----------------------+--------------------+-----------------+\nosquery>\n<\/code><\/pre>\n\n\n\n
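Once you know which tables you need, it is usually more convenient to drive osqueryi from a script than to type at the prompt. The following is an added example and not code from this guide or from the osquery project: it calls the osqueryi binary with its --json flag (a real option that prints the result set as a JSON array, with every value as a string) and applies two checks that follow naturally from the users query above: which accounts have an interactive login shell, and whether any account other than root has UID 0. The LOGIN_SHELLS set and the SAMPLE_USERS rows are constructed assumptions so the checks can be exercised offline.

```python
"""Run osquery SQL from a script and check the result set.

Added example; not code from the original guide or from the osquery project.
It shells out to the osqueryi binary installed above with its --json flag,
which prints the result set as a JSON array (every value is returned as a
string, so numeric columns must be converted before comparing).
"""
import json
import shutil
import subprocess
from typing import Dict, List, Optional

# Shells that permit an interactive login. Assumption: extend for your hosts
# (anything else, e.g. /usr/sbin/nologin or /bin/sync, is a service account).
LOGIN_SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}

# Constructed rows in the shape osqueryi --json returns for the users table.
SAMPLE_USERS: List[Dict[str, str]] = [
    {"uid": "0", "gid": "0", "username": "root", "shell": "/bin/bash", "directory": "/root"},
    {"uid": "1", "gid": "1", "username": "daemon", "shell": "/usr/sbin/nologin", "directory": "/usr/sbin"},
    {"uid": "4", "gid": "65534", "username": "sync", "shell": "/bin/sync", "directory": "/bin"},
    {"uid": "1000", "gid": "1000", "username": "amos", "shell": "/bin/bash", "directory": "/home/amos"},
    {"uid": "0", "gid": "0", "username": "toor", "shell": "/bin/sh", "directory": "/"},
]


def run_query(sql: str, timeout: int = 30) -> List[Dict[str, str]]:
    """Execute one SQL statement with osqueryi and return the rows as dicts.

    Tables such as shadow or sudoers only return rows when this runs as root.
    """
    osqueryi = shutil.which("osqueryi")
    if osqueryi is None:
        raise FileNotFoundError("osqueryi not on PATH; install the osquery package first")
    proc = subprocess.run(
        [osqueryi, "--json", sql],
        capture_output=True, text=True, timeout=timeout, check=True,
    )
    return json.loads(proc.stdout)


def interactive_accounts(rows: List[Dict[str, str]]) -> List[str]:
    """Usernames whose login shell allows an interactive session."""
    return sorted(r["username"] for r in rows if r["shell"] in LOGIN_SHELLS)


def extra_uid0_accounts(rows: List[Dict[str, str]]) -> List[str]:
    """Usernames other than root that share UID 0 (a classic backdoor account)."""
    return sorted(r["username"] for r in rows if int(r["uid"]) == 0 and r["username"] != "root")


def audit_users(rows: Optional[List[Dict[str, str]]] = None) -> Dict[str, List[str]]:
    """Run the users query (or use the rows given) and return both findings."""
    if rows is None:
        rows = run_query("select uid, gid, username, shell, directory from users;")
    return {"interactive": interactive_accounts(rows), "extra_uid0": extra_uid0_accounts(rows)}


if __name__ == "__main__":
    # Live run against this host if osqueryi is installed, else the sample rows.
    rows = None if shutil.which("osqueryi") else SAMPLE_USERS
    for key, names in audit_users(rows).items():
        print(f"{key}: {', '.join(names) or '(none)'}")
```

Run it as root on the Debian 10 host to query the real users table; without osqueryi on the PATH it falls back to the constructed rows, which include a second UID 0 account to show what the check flags.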
Using Osquery Daemon<\/h3>\n\n\n\n
osqueryd<\/code> makes it easy to schedule<\/strong> queries and record OS state changes. The daemon runs each scheduled query at its interval, compares the result set with that of the previous run, and logs the rows that were added or removed, so the log shows how the state of the system changed according to each query.<\/p>\n\n\n\n
cp \/opt\/osquery\/share\/osquery\/osquery.example.conf \/etc\/osquery\/osquery.conf<\/code><\/pre>\n\n\n\n
cat \/etc\/osquery\/osquery.conf<\/code><\/pre>\n\n\n\n
\n{\n \/\/ Configure the daemon below:\n \"options\": {\n\n \/\/ The log directory stores info, warning, and errors.\n \/\/ If the daemon uses the 'filesystem' logging retriever then the log_dir\n \/\/ will also contain the query results.\n \/\/ \"logger_path\": \"\/var\/log\/osquery\",\n\n \/\/ Set 'disable_logging' to true to prevent writing any info, warning, error\n \/\/ logs. If a logging plugin is selected it will still write query results.\n \/\/\"disable_logging\": \"false\",\n\n \/\/ Splay the scheduled interval for queries.\n \/\/ This is very helpful to prevent system performance impact when scheduling\n \/\/ large numbers of queries that run a smaller or similar intervals.\n \/\/\"schedule_splay_percent\": \"10\",\n },\n\n \/\/ Define a schedule of queries:\n \"schedule\": {\n \/\/ This is a simple example query that outputs basic system information.\n \"system_info\": {\n \/\/ The exact query to run.\n \"query\": \"SELECT hostname, cpu_brand, physical_memory FROM system_info;\",\n \/\/ The interval in seconds to run this query, not an exact interval.\n \"interval\": 3600\n }\n },\n\n \/\/ Decorators are normal queries that append data to every query.\n \"decorators\": {\n \"load\": [\n \"SELECT uuid AS host_uuid FROM system_info;\",\n \"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;\"\n ]\n },\n\n \/\/ Add default osquery packs or install your own.\n \/\/\n \/\/ There are several 'default' packs installed via\n \/\/ packages and\/or Homebrew.\n \/\/\n \/\/ Linux: \/opt\/osquery\/share\/osquery\/packs\n \/\/ OS X: \/var\/osquery\/packs\n \/\/ Homebrew: \/usr\/local\/share\/osquery\/packs\n \/\/ make install: {PREFIX}\/share\/osquery\/packs\n \/\/\n \"packs\": {\n \/\/ \"osquery-monitoring\": \"\/opt\/osquery\/share\/osquery\/packs\/osquery-monitoring.conf\",\n \/\/ \"incident-response\": \"\/opt\/osquery\/share\/osquery\/packs\/incident-response.conf\",\n \/\/ \"it-compliance\": 
\"\/opt\/osquery\/share\/osquery\/packs\/it-compliance.conf\",\n \/\/ \"osx-attacks\": \"\/var\/osquery\/packs\/osx-attacks.conf\",\n \/\/ \"vuln-management\": \"\/opt\/osquery\/share\/osquery\/packs\/vuln-management.conf\",\n \/\/ \"hardware-monitoring\": \"\/opt\/osquery\/share\/osquery\/packs\/hardware-monitoring.conf\",\n \/\/ \"ossec-rootkit\": \"\/opt\/osquery\/share\/osquery\/packs\/ossec-rootkit.conf\",\n \/\/ \"windows-hardening\": \"C:\\\\Program Files\\\\osquery\\\\packs\\\\windows-hardening.conf\",\n \/\/ \"windows-attacks\": \"C:\\\\Program Files\\\\osquery\\\\packs\\\\windows-attacks.conf\"\n },\n\n \/\/ Provides feature vectors for osquery to leverage in simple statistical \n \/\/ analysis of results data. \n \/\/\n \/\/ Currently this configuration is only used by Windows in the Powershell\n \/\/ Events table, wherein character_frequencies is a list of doubles \n \/\/ representing the aggregate occurrence of character values in Powershell \n \/\/ Scripts. A default configuration is provided which was adapated from \n \/\/ Lee Holmes cobbr project: \n \/\/ https:\/\/gist.github.com\/cobbr\/acbe5cc7a186726d4e309070187beee6\n \/\/ \n \"feature_vectors\": {\n \"character_frequencies\": [\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.00045, 0.01798,\n 0.0, 0.03111, 0.00063, 0.00027, 0.0, 0.01336, 0.0133,\n 0.00128, 0.0027, 0.00655, 0.01932, 0.01917, 0.00432, 0.0045,\n 0.00316, 0.00245, 0.00133, 0.001029, 0.00114, 0.000869, 0.00067,\n 0.000759, 0.00061, 0.00483, 0.0023, 0.00185, 0.01342, 0.00196,\n 0.00035, 0.00092, 0.027875, 0.007465, 0.016265, 0.013995, 0.0490895,\n 0.00848, 0.00771, 0.00737, 0.025615, 0.001725, 0.002265, 0.017875,\n 0.016005, 0.02533, 0.025295, 0.014375, 0.00109, 0.02732, 0.02658,\n 0.037355, 0.011575, 0.00451, 0.005865, 0.003255, 0.005965, 0.00077,\n 0.00621, 0.00222, 0.0062, 0.0, 0.00538, 0.00122, 
0.027875,\n 0.007465, 0.016265, 0.013995, 0.0490895, 0.00848, 0.00771, 0.00737,\n 0.025615, 0.001725, 0.002265, 0.017875, 0.016005, 0.02533, 0.025295,\n 0.014375, 0.00109, 0.02732, 0.02658, 0.037355, 0.011575, 0.00451,\n 0.005865, 0.003255, 0.005965, 0.00077, 0.00771, 0.002379, 0.00766,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,\n 0.0, 0.0, 0.0\n ]\n } \n}\n<\/code><\/pre>\n\n\n\n
osqueryctl config-check<\/code><\/pre>\n\n\n\n
Running osqueryd<\/h4>\n\n\n\n
systemctl enable --now osqueryd.service<\/code><\/pre>\n\n\n\n
tail -f \/var\/log\/osquery\/osqueryd.results.log<\/code><\/pre>\n\n\n\n
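To do something with that log besides watching it scroll, here is an added example that is not part of this guide or of the osquery project. It parses the differential result lines the daemon writes and turns state changes into alerts. The query names suid_bins and local_users are hypothetical entries one would add to the schedule (for example SELECT path, username, groupname, permissions FROM suid_bin; and SELECT uid, username, shell FROM users;), the SAMPLE_LOG lines are constructed, and TRUSTED_SUID_DIRS is an assumed baseline. Real log lines also carry calendarTime, epoch, counter and decorations fields, which the parser does not need.

```python
"""Parse osqueryd's differential results log and raise alerts on state changes.

Added example; not code from the original guide or from the osquery project.
With the filesystem logger each line of /var/log/osquery/osqueryd.results.log
is one JSON object carrying the query name, hostIdentifier, the row in
"columns" (all values as strings) and an "action" of "added" or "removed".
osqueryd logs a row once when it enters the result set and once when it
leaves, so the file records change rather than a full dump per run.
"""
import json
import sys
from typing import Dict, Iterable, List

# Constructed sample for two hypothetical scheduled queries. The first run logs
# every row as "added"; later runs log only rows that appeared (a SUID binary
# in /tmp, a second UID 0 account) or vanished (passwd lost its SUID bit).
SAMPLE_LOG = """\
{"name":"suid_bins","hostIdentifier":"debian10.example.com","unixTime":1565605801,"columns":{"path":"/usr/bin/sudo","username":"root","groupname":"root","permissions":"S"},"action":"added"}
{"name":"suid_bins","hostIdentifier":"debian10.example.com","unixTime":1565605801,"columns":{"path":"/usr/bin/passwd","username":"root","groupname":"root","permissions":"S"},"action":"added"}
{"name":"local_users","hostIdentifier":"debian10.example.com","unixTime":1565605801,"columns":{"uid":"0","username":"root","shell":"/bin/bash"},"action":"added"}
{"name":"suid_bins","hostIdentifier":"debian10.example.com","unixTime":1565609401,"columns":{"path":"/tmp/.x/bash","username":"root","groupname":"root","permissions":"S"},"action":"added"}
{"name":"local_users","hostIdentifier":"debian10.example.com","unixTime":1565609401,"columns":{"uid":"0","username":"toor","shell":"/bin/bash"},"action":"added"}
{"name":"suid_bins","hostIdentifier":"debian10.example.com","unixTime":1565613001,"columns":{"path":"/usr/bin/passwd","username":"root","groupname":"root","permissions":"S"},"action":"removed"}
"""

# Where SUID binaries legitimately live on a Debian host. Assumption: tune to
# the host's own baseline; first-run "added" rows under these paths are noise.
TRUSTED_SUID_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")


def parse_results(lines: Iterable[str]) -> List[Dict]:
    """Decode result-log lines. Blank or truncated lines are skipped because a
    half-written last line is normal while the daemon is mid-write."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and "name" in ev and "columns" in ev:
            events.append(ev)
    return events


def alerts_for(events: List[Dict]) -> List[str]:
    """Map differential events to alert strings, in log order."""
    alerts = []
    for ev in events:
        name, action = ev["name"], ev.get("action")
        cols, host = ev["columns"], ev.get("hostIdentifier", "?")
        path, user = cols.get("path", ""), cols.get("username", "")
        if name == "suid_bins" and action == "added" and not path.startswith(TRUSTED_SUID_DIRS):
            alerts.append(f"{host}: new SUID binary outside trusted paths: {path}")
        elif name == "suid_bins" and action == "removed":
            alerts.append(f"{host}: SUID binary removed or bit cleared: {path}")
        elif name == "local_users" and action == "added" and cols.get("uid") == "0" and user != "root":
            alerts.append(f"{host}: new UID 0 account: {user}")
    return alerts


if __name__ == "__main__":
    # Usage: python3 results_alerts.py /var/log/osquery/osqueryd.results.log
    #    or: tail -f /var/log/osquery/osqueryd.results.log | python3 results_alerts.py -
    # With no argument the constructed SAMPLE_LOG is processed.
    if len(sys.argv) < 2:
        source = SAMPLE_LOG.splitlines()
    elif sys.argv[1] == "-":
        source = sys.stdin
    else:
        source = open(sys.argv[1], encoding="utf-8")
    # One line at a time so that the tail -f pipeline streams instead of buffering.
    for line in source:
        for alert in alerts_for(parse_results([line])):
            print(alert, flush=True)
```

The parser works one line at a time so it can sit behind the tail command shown above; the filter on trusted directories is what keeps the initial full dump of a differential query from flooding you with alerts on the first run.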
Related Tutorials;<\/h3>\n\n\n\n