Project 1 - OSQuery - Ainsley Smith & Riley Bashaw - AinsleyPlayer/SEC-350 GitHub Wiki
Your security engineering technical lead has asked you to investigate a potential security tool called OSQuery. They have asked that you be prepared to demonstrate the application itself and its integration into the corporate EDR platform (wazuh). You are expected to demo your results to the full security engineering team in one week.
Your team's task (pick another student from the section or go it alone).
- Conduct some high level research on OSQuery so that you can explain what it does to your team at a high level
- Figure out how to install OSQuery on either web01 (Rocky) or wks01 (Windows 10)
- Investigate and demonstrate some of the features of the OSQuery client application
- Figure out how to integrate OSQuery with Wazuh
- Develop an end-to-end demonstration that shows the triggering of an event that is picked up by OSQuery and how that event eventually makes it to Wazuh.
- Lastly, conclude by discussing any pros and cons of this tool and integration.
- This is a One Week Project
Deliverable 1.
A demonstration video that covers all your team tasks. Provide a link to a highly professional video that the professor has access to. Under no circumstances should you upload a video directly to CANVAS unless using CANVAS Studio. If operating in a team, make sure both team members have a voice.
Deliverable 2. Provide a link to an exceptionally well-prepared build document (this can be a Google Doc shared between team members or a GitHub wiki entry) that covers the specific installation and configuration tasks associated with this project.
What is OSQuery?
OSQuery is an open-source tool that exposes an operating system as a high-performance relational database. It lets users write SQL-like queries to monitor and explore system data such as network connections and hardware events. OSQuery also exposes tables that present system information, such as the users or hardware currently connected to the device.
What does it do:
OSQuery is meant to query your devices like a database: it lets you use SQL-like queries that return detailed information about your devices. You can monitor and analyze system data, logs, and networking information, and structure that information in a digestible form. Its main uses are system auditing, security monitoring, compliance reporting, and incident response.
Features:
- SQL-Based Queries: Fetch system information using SQL syntax.
- Real-Time Monitoring: Schedule queries for continuous monitoring and visibility into the system's activities.
- Cross-Platform Support: Runs on macOS, Linux, Windows, and FreeBSD.
- Extensibility: Integrates well with other tools and supports custom plugins.
Configuration
Step 1:
Download via this link and install.
https://pkg.osquery.io/windows/osquery-4.8.0.msi
Step 2:
Then, configure the config file.
```shell
nano /etc/osquery/osquery.conf
```

```json
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "utc": "true"
  },
  "schedule": {
    "system_info": {
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      "interval": 3600
    },
    "high_load_average": {
      "query": "SELECT period, average, '70%' AS 'threshold' FROM load_average WHERE period = '15m' AND average > '0.7';",
      "interval": 900,
      "description": "Report if load charge is over 70 percent."
    },
    "low_free_memory": {
      "query": "SELECT memory_total, memory_free, CAST(memory_free AS real) / memory_total AS memory_free_perc, '10%' AS threshold FROM memory_info WHERE memory_free_perc < 0.1;",
      "interval": 1800,
      "description": "Free RAM is under 10%."
    }
  },
  "packs": {
    "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
    "incident-response": "/usr/share/osquery/packs/incident-response.conf",
    "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
    "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
    "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf",
    "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf"
  }
}
```
Step 3:
Then, start the OSQuery service.
Step 4:
Then, add the OSQuery settings at the bottom of the default Wazuh configuration file.
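As an added example (not part of this wiki and not code from the osquery or Wazuh projects), the script below checks a copy of the Step 2 schedule and parses constructed `osqueryd.results.log` lines of the kind the Wazuh agent's osquery integration reads in Step 4, so the end-to-end hand-off can be traced: a load-threshold crossing is logged as an `added` row and its return below the threshold as `removed`. The results-log path, the `min_interval` floor and the sample values are assumptions.

```python
"""Added example, not code from the wiki or from osquery/Wazuh: validate the Step 2
schedule and read the results log that the Wazuh agent's osquery integration tails."""
import json

# Constructed copy of the wiki's schedule (packs omitted). osqueryd writes results
# for it to /var/log/osquery/osqueryd.results.log (assumed path, filesystem logger).
OSQUERY_CONF = r'''
{
  "options": {"config_plugin": "filesystem", "logger_plugin": "filesystem", "utc": "true"},
  "schedule": {
    "system_info": {"query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;", "interval": 3600},
    "high_load_average": {"query": "SELECT period, average, '70%' AS 'threshold' FROM load_average WHERE period = '15m' AND average > '0.7';", "interval": 900}
  }
}
'''

# Constructed results-log lines in osqueryd's differential format: the row is logged
# as "added" when the 15m load crosses 70% and as "removed" when it drops back below.
RESULTS_LOG = r'''
{"name":"high_load_average","hostIdentifier":"web01","unixTime":1704068100,"columns":{"period":"15m","average":"0.85","threshold":"70%"},"action":"added"}
{"name":"high_load_average","hostIdentifier":"web01","unixTime":1704069000,"columns":{"period":"15m","average":"0.85","threshold":"70%"},"action":"removed"}
this line is truncated garbage, not JSON
'''

def check_schedule(conf_text, min_interval=60):
    """List problems: each scheduled query must be a SELECT with an integer
    interval in seconds of at least min_interval (an assumed floor)."""
    problems = []
    for name, entry in json.loads(conf_text).get("schedule", {}).items():
        if not entry.get("query", "").strip().upper().startswith("SELECT"):
            problems.append(f"{name}: query is not a SELECT")
        interval = entry.get("interval")
        if not isinstance(interval, int) or interval < min_interval:
            problems.append(f"{name}: interval must be an int >= {min_interval}s")
    return problems

def parse_results(log_text):
    """Turn differential result lines into (query, host, action, columns) tuples,
    skipping blank or non-JSON lines rather than aborting on them."""
    events = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        if isinstance(rec, dict) and rec.get("action") in ("added", "removed"):
            events.append((rec["name"], rec["hostIdentifier"], rec["action"], rec["columns"]))
    return events
```

Running `check_schedule` on the full Step 2 file before starting the service catches a missing interval or a non-SELECT query, and `parse_results` on the live log shows exactly what Wazuh will receive for the demo event.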
Issues and Troubleshooting:
We ran into a severe and unlimited number of issues during the project. There was no issue downloading OSQuery or understanding how to change the files in regards to that, but Wazuh became completely broken beyond all repair.
We had tried combing through our firewalls, any and all configuration files, and spent hours doing and redoing commands in the hope that it would work.
Things that we tried (but not limited to):
- Deleting OSQuery and redownloading and configuring it several times
- Changing and combing through all net rules
- Changing and combing through all LAN rules
- Changing and combing through all WAN rules
- Changing and combing through all DMZ rules
- Changing and combing through all MGMT rules
- Updating Wazuh servers
- Updating the entirety of the system
- Looking through error logs
- Changing API rules and configurations within Wazuh and on the dashboard (wazuh-agent didn't work on Ainsley's box whatsoever, but the dashboard was accessible)
- Going back to previous snapshots to see if it was a different configuration issue
- Changing RIP rules
- Checking every network configuration
- Checking every eth connection
- Checking the hardware of the boxes
- Reconfiguring ports
- Removing and reinstating IP addresses
- Etc.
Pros:
- Easy installation and implementation.
- Modular code base.
- Very simple query processing.
- Customizable, with real-time event recording.
- Can provide endpoint data that was previously inaccessible.
Cons:
- OSQuery is not very beginner-friendly for people who are just learning SQL, as some of the information the tool returns is very complex.
- The configuration of this tool must be done carefully to avoid performance issues.
- High-cost data storage.
- Incremental data can be hard to translate.
- Does not support centralized deployment.
- Requires an extended infrastructure lift.
- Optimizing queries and query packs is crucial.
- Third-party data and assistance are required in order to have threat protection.
Links:
- https://www.crowdstrike.com/en-us/cybersecurity-101/it-automation/osquery/
- https://www.loginsoft.com/post/explicating-the-concepts-of-osquery
- https://www.uptycs.com/osquery-how-it-works-and-how-to-use
- https://best-of-web.builder.io/library/osquery/osquery