SEC 350 OSQuery Project - DefiantCoder/Tech-Journals GitHub Wiki

What is OSQuery

  • osquery
  • introsec
  • zercurity

OSQuery for Ubuntu

  • Local configuration

OSQuery Web01 Installation

  • OSQuery Linux Installation Documentation
  • OSQuery Linux Installation Documentation 2

  • Run the following commands to install osquery on your web01 box:
sudo yum update
sudo yum install yum-utils
curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
sudo yum-config-manager --enable osquery-s3-rpm-repo
sudo yum install osquery

OSQuery Web01 Configuration

  • Once the installation is complete, we move on to the setup on web01.
  • We begin by configuring the /etc/osquery/osquery.conf file to create a test configuration that will be useful for our testing documentation.
    • I edited the script as shown below to better suit our testing purposes.
{
    "options": {
        "config_plugin": "filesystem",
        "logger_plugin": "filesystem",
        "utc": "true"
    },

    "schedule": {
        "system_info": {
            "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
            "interval": 60
        },
        "processes_binding_to_ports": {
            "query": "SELECT DISTINCT process.name, listening.port, listening.address, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;",
            "interval": 60
        },
        "high_load_average": {
            "query": "SELECT period, average, '70%' AS 'threshold' FROM load_average WHERE period = '15m' AND average > '0.7';",
            "interval": 900,
            "description": "Report if load charge is over 70 percent."
        },
        "low_free_memory": {
            "query": "SELECT memory_total, memory_free, CAST(memory_free AS real) / memory_total AS memory_free_perc, '10%' AS threshold FROM memory_info WHERE memory_free_perc < 0.1;",
            "interval": 1800,
            "description": "Free RAM is under 10%."
        }
    },

    "packs": {
        "osquery-monitoring": "/opt/osquery/share/osquery/packs/osquery-monitoring.conf",
        "incident-response": "/opt/osquery/share/osquery/packs/incident-response.conf",
        "it-compliance": "/opt/osquery/share/osquery/packs/it-compliance.conf",
        "vuln-management": "/opt/osquery/share/osquery/packs/vuln-management.conf",
        "ossec-rootkit": "/opt/osquery/share/osquery/packs/ossec-rootkit.conf"
    }
}
  • Credit to Abijah Buttendorf for the processes_binding_to_ports query

OSQuery Wazuh Integration

OSQuery Wazuh Integration Documentation

wodle "osquery" Config

  • Before starting the integration, make sure to enable osquery in Wazuh by navigating to Settings > Modules > Threat Detection & Response and enabling OSQuery.

  • Navigate to /var/ossec/etc/ossec.conf as root and, in the wodle "osquery" block, change disabled from yes to no.


  • After this is complete, make sure to restart the Wazuh agent:
sudo systemctl restart wazuh-agent.service
  • At this point we should see events being recorded under Modules > osquery > Events in the Wazuh GUI.
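Before trusting the Wazuh dashboard, it helps to look at what the scheduled queries above actually write to osquery's results log, which is the file the osquery wodle reads. The following is an added Python example, not code from this page, osquery or Wazuh: it parses constructed results-log lines, flags listeners from the processes_binding_to_ports query that are not in an assumed baseline, and lists hosts where low_free_memory fired. The log lines, the host name and the EXPECTED_LISTENERS baseline are all constructed.

```python
import json

# Constructed sample of osqueryd's filesystem-logger results log (by default
# /var/log/osquery/osqueryd.results.log): one JSON object per line, "action" is
# "added" when a row first appears and "removed" when it disappears, and every
# column value is logged as a string. The last line is deliberately not JSON.
SAMPLE_RESULTS_LOG = """\
{"name":"processes_binding_to_ports","hostIdentifier":"web01","unixTime":1712062800,"action":"added","columns":{"name":"httpd","port":"80","address":"0.0.0.0","pid":"1203"}}
{"name":"processes_binding_to_ports","hostIdentifier":"web01","unixTime":1712062800,"action":"added","columns":{"name":"sshd","port":"22","address":"0.0.0.0","pid":"812"}}
{"name":"processes_binding_to_ports","hostIdentifier":"web01","unixTime":1712062860,"action":"added","columns":{"name":"python3","port":"8000","address":"0.0.0.0","pid":"2291"}}
{"name":"processes_binding_to_ports","hostIdentifier":"web01","unixTime":1712062920,"action":"removed","columns":{"name":"python3","port":"8000","address":"0.0.0.0","pid":"2291"}}
{"name":"low_free_memory","hostIdentifier":"web01","unixTime":1712062920,"action":"added","columns":{"memory_total":"2046640128","memory_free":"102400000","memory_free_perc":"0.05","threshold":"10%"}}
not json: a half-written line that the parser must tolerate
"""

# Assumed baseline of listeners we expect on web01 (constructed, not from the page).
EXPECTED_LISTENERS = {("httpd", "80"), ("sshd", "22")}


def parse_results_log(text):
    """Parse results-log lines into dicts, skipping anything that is not JSON."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # blank or partially written line: skip rather than crash
    return events


def unexpected_listeners(events, expected=EXPECTED_LISTENERS):
    """Rows added by processes_binding_to_ports whose (process, port) is not baselined."""
    hits = []
    for ev in events:
        if ev.get("name") != "processes_binding_to_ports" or ev.get("action") != "added":
            continue
        cols = ev.get("columns", {})
        if (cols.get("name"), cols.get("port")) not in expected:
            hits.append({"host": ev.get("hostIdentifier"), "process": cols.get("name"),
                         "port": cols.get("port"), "pid": cols.get("pid")})
    return hits


def low_memory_hosts(events):
    """Hosts for which low_free_memory reported a row (free RAM under 10%)."""
    return sorted({ev["hostIdentifier"] for ev in events
                   if ev.get("name") == "low_free_memory" and ev.get("action") == "added"})


if __name__ == "__main__":
    evs = parse_results_log(SAMPLE_RESULTS_LOG)
    print("unexpected listeners:", unexpected_listeners(evs))
    print("low memory on:", low_memory_hosts(evs))
```

Pointing parse_results_log at the real results log on web01 shows the same rows that appear under Modules > osquery > Events once the wodle is enabled.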

OSQuery demonstration


  • The alerts show that OSQuery is successfully integrated into Wazuh.

Pros & Cons

  • Overall, the amount of input required is minimal, as OSQuery provides good documentation for setup and even some trial configs to test your setup.

    • OSQuery is already compatible with Wazuh, with dedicated settings for integrated use, making the experience smooth for the user.
  • The biggest con is that the documentation goes against what we should do when it comes to using systemctl.

Project Recording