Project1: Osquery - FlameSpyro/Tech-Journal GitHub Wiki
- To begin, this assignment goes off of a previous lab where we had set up Wazuh and added an agent on a CentOS 7 machine.
- To install Osquery, run the following on web01 or the desired agent (Rocky):
- Make sure NOT to START or ENABLE the Osquery service during installation or at any point in this process. The osqueryd service will be linked to Wazuh and will eventually be started by the agent itself; enabling or starting it prematurely can cause a PID error. If this happens, a fix can be found here.
```bash
curl -L https://pkg.osquery.io/rpm/GPG | tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
yum install yum-utils
yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
yum-config-manager --enable osquery-s3-rpm-repo
yum install osquery
```
- From there, move to `/etc/osquery` and create an `osquery.conf` file with the following settings.
```json
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "utc": "true"
  },
  "schedule": {
    "system_info": {
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      "interval": 60
    },
    "processes_binding_to_ports": {
      "query": "SELECT DISTINCT process.name, listening.port, listening.address, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;",
      "interval": 60
    },
    "high_load_average": {
      "query": "SELECT period, average, '70%' AS 'threshold' FROM load_average WHERE period = '15m' AND average > '0.7';",
      "interval": 900,
      "description": "Report if load charge is over 70 percent."
    },
    "low_free_memory": {
      "query": "SELECT memory_total, memory_free, CAST(memory_free AS real) / memory_total AS memory_free_perc, '10%' AS threshold FROM memory_info WHERE memory_free_perc < 0.1;",
      "interval": 1800,
      "description": "Free RAM is under 10%."
    }
  }
}
```
- Navigate to `/var/ossec/etc/ossec.conf` and find the Osquery integration section. Change `<disabled>yes</disabled>` to `<disabled>no</disabled>` and save the file. This enables the Osquery integration for the agent running on the system.
- It is possible to do this on a macro level through the Wazuh GUI with groups, but that wasn't necessary for this lab.
```xml
<ossec_config>
  <wodle name="osquery">
    <disabled>no</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>/usr/bin</bin_path>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>no</add_labels>
  </wodle>
</ossec_config>
```
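Both files above are easy to get subtly wrong (a stray comma in the JSON, or `<disabled>` left at `yes`), and osqueryd simply refuses a bad config while the Wazuh module shows nothing. The following preflight check is an added example written for this page; it is not part of the lab, Wazuh or osquery. It parses an `osquery.conf` and the osquery wodle block of an `ossec.conf` and reports what would stop the integration from working. The sample documents are constructed to mirror the two configs above; `max_interval` and the check names are this example's own choices.

```python
"""Preflight checks for osquery.conf and the Wazuh osquery wodle (added example)."""
import json
import xml.etree.ElementTree as ET

# Constructed sample osquery.conf, trimmed to two of the scheduled queries shown above.
SAMPLE_OSQUERY_CONF = """
{
  "options": {"config_plugin": "filesystem", "logger_plugin": "filesystem", "utc": "true"},
  "schedule": {
    "system_info": {
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      "interval": 60
    },
    "low_free_memory": {
      "query": "SELECT memory_total, memory_free FROM memory_info;",
      "interval": 1800
    }
  }
}
"""

# Constructed sample ossec.conf fragment with the osquery wodle enabled.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <wodle name="osquery">
    <disabled>no</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>/usr/bin</bin_path>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>no</add_labels>
  </wodle>
</ossec_config>
"""


def check_osquery_conf(text, max_interval=3600):
    """Return a list of problems found in an osquery.conf document (empty if clean)."""
    problems = []
    try:
        conf = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"osquery.conf is not valid JSON: {exc}"]
    options = conf.get("options", {})
    # The Wazuh wodle tails the filesystem logger's results file, so both plugins
    # must be 'filesystem' for events to reach the manager.
    for key in ("config_plugin", "logger_plugin"):
        if options.get(key) != "filesystem":
            problems.append(f"options.{key} should be 'filesystem', got {options.get(key)!r}")
    schedule = conf.get("schedule")
    if not isinstance(schedule, dict) or not schedule:
        problems.append("schedule is missing or empty; nothing would be reported")
        return problems
    for name, entry in schedule.items():
        if not isinstance(entry, dict):
            problems.append(f"{name}: schedule entry must be an object")
            continue
        query = str(entry.get("query", ""))
        interval = entry.get("interval")
        if not query.strip().upper().startswith("SELECT"):
            problems.append(f"{name}: query must be a SELECT statement")
        if not isinstance(interval, int) or interval <= 0:
            problems.append(f"{name}: interval must be a positive integer")
        elif interval > max_interval:
            # A very long interval looks like "no events" in the Wazuh module for a long time.
            problems.append(f"{name}: interval {interval}s exceeds {max_interval}s; events will be slow to appear")
    return problems


def check_osquery_wodle(text):
    """Return a list of problems found in the <wodle name="osquery"> block of ossec.conf."""
    # A real ossec.conf holds several top-level <ossec_config> blocks, so wrap them in one root.
    try:
        root = ET.fromstring(f"<root>{text}</root>")
    except ET.ParseError as exc:
        return [f"ossec.conf is not well-formed XML: {exc}"]
    wodle = root.find(".//wodle[@name='osquery']")
    if wodle is None:
        return ['no <wodle name="osquery"> block found']
    problems = []
    for tag, want in {"disabled": "no", "run_daemon": "yes"}.items():
        got = (wodle.findtext(tag) or "").strip()
        if got != want:
            problems.append(f"<{tag}> should be '{want}', got {got!r}")
    for tag in ("bin_path", "log_path", "config_path"):
        if not (wodle.findtext(tag) or "").strip():
            problems.append(f"<{tag}> is missing or empty")
    return problems


if __name__ == "__main__":
    for label, problems in (("osquery.conf", check_osquery_conf(SAMPLE_OSQUERY_CONF)),
                            ("ossec.conf", check_osquery_wodle(SAMPLE_OSSEC_CONF))):
        print(f"{label}: {'OK' if not problems else 'problems found'}")
        for problem in problems:
            print("  -", problem)
```

To check the real files, read `/etc/osquery/osquery.conf` and `/var/ossec/etc/ossec.conf` into the two functions instead of the constructed samples. Wrapping the ossec.conf text in a synthetic root element matters: the file is a sequence of `<ossec_config>` blocks, not a single-root XML document, so a plain parse of it fails.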
- On Wazuh, move to the module settings (Dropdown > Settings > Modules) and enable the Osquery setting to enable the module that will filter and report from agents running it.
- Moving to said module should already show events and flags popping up. If not, either move on to troubleshooting or double-check the interval in case it's set to an hour or longer.
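What the module displays comes from the file named in `<log_path>` above, `/var/log/osquery/osqueryd.results.log`, which osqueryd writes as one JSON object per line in its differential format: each line carries the schedule entry `name`, the row in `columns`, and an `action` of `added` or `removed`. The reader below is an added example, not code from the lab, Wazuh or osquery; it parses such lines, replays the `processes_binding_to_ports` events into the set of listeners that are currently open, and flags any listener outside an allowed baseline. The log lines, host name and the `allowed_ports` baseline are constructed for the example.

```python
"""Reader for osqueryd.results.log lines (added example)."""
import json

# Constructed sample log lines in osquery's differential result format.
# The malformed fourth line stands in for a partially written or corrupted line.
SAMPLE_RESULTS_LOG = """\
{"name":"processes_binding_to_ports","hostIdentifier":"web01","calendarTime":"Mon Mar  6 20:00:00 2023 UTC","unixTime":1678132800,"columns":{"name":"sshd","port":"22","address":"0.0.0.0","pid":"812"},"action":"added"}
{"name":"processes_binding_to_ports","hostIdentifier":"web01","calendarTime":"Mon Mar  6 20:00:00 2023 UTC","unixTime":1678132800,"columns":{"name":"httpd","port":"80","address":"0.0.0.0","pid":"1203"},"action":"added"}
{"name":"system_info","hostIdentifier":"web01","calendarTime":"Mon Mar  6 20:00:00 2023 UTC","unixTime":1678132800,"columns":{"hostname":"web01","cpu_brand":"Intel","physical_memory":"2090000000"},"action":"added"}
this line is not JSON and must be skipped, not crash the reader
{"name":"processes_binding_to_ports","hostIdentifier":"web01","calendarTime":"Mon Mar  6 20:01:00 2023 UTC","unixTime":1678132860,"columns":{"name":"python3","port":"8000","address":"0.0.0.0","pid":"1350"},"action":"added"}
{"name":"processes_binding_to_ports","hostIdentifier":"web01","calendarTime":"Mon Mar  6 20:02:00 2023 UTC","unixTime":1678132920,"columns":{"name":"python3","port":"8000","address":"0.0.0.0","pid":"1350"},"action":"removed"}
"""

REQUIRED_KEYS = ("name", "columns", "action")


def parse_results_log(text):
    """Parse differential result lines; return (events, number_of_skipped_lines)."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        # Keep only well-formed result objects; anything else is counted, not raised.
        if not isinstance(event, dict) or not all(k in event for k in REQUIRED_KEYS):
            skipped += 1
            continue
        events.append(event)
    return events, skipped


def current_listeners(events):
    """Replay added/removed events for processes_binding_to_ports in time order
    and return the set of (process name, port, pid) that is still open."""
    live = set()
    port_events = [e for e in events if e["name"] == "processes_binding_to_ports"]
    for ev in sorted(port_events, key=lambda e: e.get("unixTime", 0)):
        cols = ev["columns"]
        key = (cols.get("name"), cols.get("port"), cols.get("pid"))
        if ev["action"] == "added":
            live.add(key)
        elif ev["action"] == "removed":
            live.discard(key)
    return live


def unexpected_listeners(events, allowed_ports):
    """Return (unixTime, action, process name, port) for every listener event
    whose port is outside the allowed baseline, whether it was added or removed."""
    return [
        (ev.get("unixTime"), ev["action"], ev["columns"].get("name"), ev["columns"].get("port"))
        for ev in events
        if ev["name"] == "processes_binding_to_ports"
        and ev["columns"].get("port") not in allowed_ports
    ]


if __name__ == "__main__":
    evs, bad = parse_results_log(SAMPLE_RESULTS_LOG)
    print(f"{len(evs)} events parsed, {bad} line(s) skipped")
    print("open listeners:", sorted(current_listeners(evs)))
    for row in unexpected_listeners(evs, allowed_ports={"22", "80"}):
        print("outside baseline:", row)
```

Replaying `added` and `removed` rather than reading only the latest line is what makes the short-lived listener on port 8000 visible: by the time anyone looks, it is already gone, but the two events still record that it existed.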
- During our attempt at this lab, we ran into a big issue regarding the connectivity between the agent running Osquery and its output on Wazuh.
- It's worth noting that the installation and setup guide found on Wazuh's documentation website is somewhat faulty, and shouldn't be used for installation.
- This is caused by the osqueryd service starting up on the agent. For proper connectivity it should be started up on Wazuh instead; this can be fixed by doing the following on the Wazuh agent:
```bash
# Stop and disable the prematurely started unit (systemd unit names are case-sensitive;
# the osquery package installs it as osqueryd.service).
systemctl stop osqueryd.service
systemctl disable osqueryd.service
# Remove the leftover unit files, then make systemd forget the old unit and its failed state.
rm /etc/systemd/system/osquery
rm /usr/lib/systemd/system/osqueryd.service
systemctl daemon-reload
systemctl reset-failed
```