SEC‐350 Project 1 OSQuery - ConnorEast/Tech-Journal GitHub Wiki

Project 1: OS Query Guide & Notes

Goals:

  • Explain OSQuery at a high level
  • Install OSQuery (Linux and/or Windows)
  • Integrate OSQuery with Wazuh
  • Demonstrate live integration between Wazuh and OSQuery
  • Pros and cons of tool integration

Installing OSQuery on Web01

| System | Command | Purpose / image |
|---|---|---|
| FW01 (configure) | `delete firewall name DMZ-to-WAN rule 999 disable` | Clears the `disable` flag on DMZ-to-WAN rule 999 (the rule becomes active) |
| WEB01 (cli) | `yum install yum-utils` | Installs `yum-config-manager`, used in the next steps |
| WEB01 (cli) | `curl -L https://pkg.osquery.io/rpm/GPG \| sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery` | Imports the osquery RPM signing key so the packages can be verified |
| WEB01 (cli) | `sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo` | Adds the osquery yum repository |
| WEB01 (cli) | `sudo yum-config-manager --enable osquery-s3-rpm-repo` | Enables the repository |
| WEB01 (cli) | `sudo yum install osquery` | Installs the osquery package |
| FW01 (configure) | `set firewall name DMZ-to-WAN rule 999 disable` | Re-applies the `disable` flag to DMZ-to-WAN rule 999 |
| WEB01 (cli) | `sudo cp /opt/osquery/share/osquery/osquery.example.conf /etc/osquery.conf` | Copies the shipped example configuration into place |
| WEB01 (cli) | `sudo systemctl start osqueryd` | Starts the osquery daemon |
| WEB01 (cli) | `sudo systemctl status osqueryd` | Confirms the daemon is running |

Accessing OSQuery interface & command testing

| System | Command | Purpose / image |
|---|---|---|
| Web01 (osquery>) | `osqueryi --verbose` | Opens the interactive osquery shell |
| Web01 (osquery>) | `Select Distinct` | |
| Web01 (osquery>) | `Select * From Uptime;` | Shows how long the host has been up |
| Web01 (osquery>) | `select count(*) from users;` | Counts local user accounts |

The two multi-line queries run at the osquery> prompt on Web01:

```sql
-- List the first 15 processes together with the user that owns them.
select p.pid,
       p.name,
       u.username
from processes p
join users u on u.uid = p.uid
limit 15;
```

```sql
-- Processes with an open socket to a remote peer, with the owning user
-- and both ends of the connection (remote_port '0' means no peer).
select u.username,
       p.pid,
       p.name,
       pos.local_address,
       pos.local_port,
       pos.remote_address,
       pos.remote_port
from processes p
join users u on u.uid = p.uid
join process_open_sockets pos on pos.pid = p.pid
where pos.remote_port != '0'
limit 5;
```


Connecting OSQuery to Wazuh

| Device | Command | Purpose / Image |
|---|---|---|
| Web01 (CLI) | `systemctl enable osqueryd` | Starts osqueryd automatically at boot |
| Wazuh (WT) | Step 1: Go to "Wazuh > Groups > Linux > files"<br>Step 2: Select to edit agent.conf | Add the following contents to the agent.conf file |
| Web01 (CLI) | `vi /etc/osquery/osquery.conf` | Edit the osquery configuration |
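How the hand-off from osqueryd to Wazuh works for the socket query tested above and the agent.conf step, as an added example (not code from this wiki): osqueryd runs each query listed under "schedule" in osquery.conf and appends one JSON line per changed row to its results log (osqueryd.results.log), which the Wazuh osquery integration reads. The query name `remote_sockets`, the 60-second interval and the sample log lines are constructed for the example.

```python
import json

# The processes/sockets join typed at the osquery> prompt on Web01, here as a
# scheduled query so osqueryd runs it on its own and logs the results.
REMOTE_SOCKETS_SQL = (
    "select u.username, p.pid, p.name, pos.local_address, pos.local_port, "
    "pos.remote_address, pos.remote_port from processes p "
    "join users u on u.uid=p.uid "
    "join process_open_sockets pos on pos.pid=p.pid "
    "where pos.remote_port != '0'"
)


def schedule_entry(interval=60):
    """Object to merge into the "schedule" section of /etc/osquery/osquery.conf."""
    return {"remote_sockets": {"query": REMOTE_SOCKETS_SQL, "interval": interval}}


def new_remote_sockets(results_log):
    """Parse osqueryd.results.log (one JSON object per line, the file the
    Wazuh osquery integration reads) and return (username, pid, name,
    remote_address, remote_port) for rows with action "added"; "removed"
    rows and unparsable lines are skipped."""
    found = []
    for line in results_log.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip, do not abort
        if event.get("name") != "remote_sockets" or event.get("action") != "added":
            continue
        c = event["columns"]
        found.append((c["username"], c["pid"], c["name"],
                      c["remote_address"], c["remote_port"]))
    return found


def _event(action, cols):
    # Constructed sample line in osqueryd's differential ("event") log format.
    return json.dumps({"name": "remote_sockets", "hostIdentifier": "web01",
                       "action": action, "columns": cols})


SAMPLE_LOG = "\n".join([  # constructed sample log, not captured output
    _event("added", {"username": "apache", "pid": "2214", "name": "httpd",
                     "local_address": "10.0.5.10", "local_port": "443",
                     "remote_address": "203.0.113.7", "remote_port": "51234"}),
    _event("removed", {"username": "root", "pid": "811", "name": "sshd",
                       "local_address": "10.0.5.10", "local_port": "22",
                       "remote_address": "10.0.1.5", "remote_port": "40022"}),
    "{not json",
])
```

Running `new_remote_sockets(SAMPLE_LOG)` returns only the httpd row, which is the event a Wazuh rule built on this log would act on.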

Sources:
