OSQuery Report - JadenGil/Jaden-Tech-Journal GitHub Wiki
Jaden Gilmond Anthony Apostol Morgan Connors
What is OSQuery?
OSQuery is an open-source application designed for querying, managing, and monitoring a computer operating system by treating it as if it were a relational database. OSQuery creates a unified interface for accessing low-level system information like hardware info, system configs, currently logged-in users, network connections, and more. This essentially allows users to query the state of their infrastructure with SQL-like syntax.
How OSQuery Works:
OSQuery uses what is called “agent-based architecture”. Agents are installed on the systems you choose to monitor. Those agents then run in the background, collecting data from various sources on the OS.
OSQuery executes predefined queries at regular intervals. The point of these queries is to gather information from the monitored system and return the results in a structured format. Users can define custom queries to extract the specific information they need.
The agents collect data by reading directly from system files, APIs, and other relevant sources. This data gets formatted into tables where each table represents a specific system aspect, such as processes, users, and installed software.
OSQuery uses a SQL-like interface for querying the collected data. Users can take advantage of the (hopefully) familiar SQL syntax to gather information from the tables generated by the agents, which makes it easy for those who already know SQL.
OSQuery allows for real-time monitoring, allowing users to set specific events or monitor specific conditions on their systems. Example: A user can set up alerts to be notified when a new process comes up or when specific files are modified.
OSQuery is flexible with its configuration, allowing users to customize the behavior of the agents and define which data to collect and monitor. Because of this flexibility, OSQuery can adapt to various use cases and environments.
Although the agents typically operate independently on individual systems, centralized management solutions exist to coordinate and manage multiple OSQuery deployments across an organization.
OSQuery Use Cases:
OSQuery is very often used for security monitoring and incident response purposes, allowing security teams to leverage OSQuery to detect suspicious activity, monitor for signs of compromise, and investigate security incidents by querying system-level data.
Organizations often use OSQuery to perform compliance audits by querying system configs and making sure they stick to regulatory standards and internal policies.
OSQuery is very helpful in maintaining an inventory of hardware and software across an organization’s IT infrastructure. By querying system info, IT admins can track installed software, hardware specs, and other relevant information.
OSQuery is also useful in troubleshooting system issues and analyzing system performance. This allows admins to query system metrics and logs to identify bottlenecks, diagnose issues, and optimize performance.
MAKE SURE TO TAKE A SNAPSHOT OF THE VM BEFORE DOING THIS SO YOU CAN GO BACK IN CASE THINGS GO WRONG
How to install:
Web01:
Update first.
sudo yum update
To install you run sudo rpm -ivh https://pkg.osquery.io/rpm/osquery-5.11.0-1.linux.x86_64.rpm
Then start OSQuery with sudo systemctl start osqueryd
Make sure to enable OSQuery on boot with sudo systemctl enable osqueryd
Verify the status with sudo systemctl status osqueryd
Once OSQuery is installed and running, you can test it by running a simple query. For example, you can query the list of installed packages:
sudo osqueryi
This command will open the OSQuery interactive shell. You can then execute SQL-like queries. To query installed packages, you can use:
SELECT * FROM rpm_packages;
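The install steps above only run one ad-hoc query from osqueryi; the scheduled queries that osqueryd runs at intervals (the "predefined queries" described earlier) live in /etc/osquery/osquery.conf. The following is an added example of such a file written for this write-up, not a file from the osquery project or the tech demo; the query names, intervals and watched paths are choices made for the example.

```json
{
  "options": {
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "schedule_splay_percent": "10",
    "disable_events": "false",
    "enable_file_events": "true"
  },
  "schedule": {
    "listening_ports": {
      "query": "SELECT p.pid, p.name, p.path, lp.port, lp.protocol, lp.address FROM listening_ports lp JOIN processes p USING (pid) WHERE lp.port != 0;",
      "interval": 300,
      "description": "Differential query: a row is logged as added when a new port opens and as removed when it closes"
    },
    "local_users": {
      "query": "SELECT uid, gid, username, shell, directory FROM users;",
      "interval": 3600,
      "description": "New or deleted accounts show up as added/removed rows"
    },
    "suid_binaries": {
      "query": "SELECT path, username, permissions FROM suid_bin;",
      "interval": 3600,
      "description": "A newly appearing setuid binary is worth an alert"
    },
    "installed_packages": {
      "query": "SELECT name, version, release, arch FROM rpm_packages;",
      "interval": 86400,
      "snapshot": true,
      "description": "Snapshot query: the full inventory is logged once a day"
    },
    "etc_file_changes": {
      "query": "SELECT target_path, action, sha256, uid, time FROM file_events;",
      "interval": 60,
      "removed": false,
      "description": "File integrity monitoring for the paths listed under file_paths"
    }
  },
  "file_paths": {
    "etc": ["/etc/%%"],
    "binaries": ["/usr/bin/%", "/usr/sbin/%"]
  },
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT hostname FROM system_info;"
    ]
  }
}
```

osqueryd writes every result to /var/log/osquery/osqueryd.results.log as one JSON line carrying the query name, the row and an action of added, removed or snapshot, which is the file the Wazuh integration below reads. The decorator columns (host_uuid, hostname) are appended to every line so the SIEM can tie each result back to the host that produced it.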
WKS1:
Download the OSQuery installer: visit the official OSQuery GitHub releases page (OSQuery Releases).
Select the Windows installer: choose the appropriate installer for your Windows architecture (32-bit or 64-bit) and download the installer executable file (usually with a .msi extension).
Run the installer: once the installer file is downloaded, double-click on it to run the installer.
Follow the installation wizard: the installation wizard will guide you through the installation process. Follow the prompts; you can typically accept the default settings unless you have specific preferences.
Install location: choose the installation location for OSQuery on your Windows system. The default location is usually C:\Program Files\osquery.
Complete installation: after configuring the installation settings, proceed with the installation process. The installer will copy the necessary files and set up OSQuery on your Windows machine.
Verify installation: once the installation is complete, open a command prompt (press Win + R, type cmd, and press Enter) and run the following command:
osqueryi --version
This command should display the installed OSQuery version if the installation was successful.
Run OSQuery: start using OSQuery by running the osqueryi command in the command prompt:
osqueryi
This will open the OSQuery interactive shell, where you can execute SQL-like queries to gather system information.
Wazuh integration:
Install Wazuh manager: if you haven't already, you need to set up a Wazuh manager. Follow the instructions provided by the Wazuh documentation to install and configure the Wazuh manager on your CentOS machine.
Install OSQuery on CentOS: you should already have OSQuery installed on your CentOS machine as per the earlier instructions.
Install the OSQuery integration module: Wazuh provides an integration module that allows it to collect data from OSQuery. You need to install this integration module on your Wazuh manager. Follow these steps:
Download the OSQuery integration module from the Wazuh GitHub repository:
curl -so /var/ossec/wazuh/osqueryd/osquery_manager.sh https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.2/resources/open-distro/osquery_manager.sh
Set execute permissions for the downloaded script:
chmod +x /var/ossec/wazuh/osqueryd/osquery_manager.sh
Configure OSQuery Integration: Modify the Wazuh configuration file (/var/ossec/etc/ossec.conf) to include the OSQuery integration module. Add the following XML configuration within the <ossec_config> tags:
The settings go inside a <wodle name="osquery"> element; <disabled>no</disabled> turns the module on.
<ossec_config>
  <wodle name="osquery">
    <disabled>no</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>/usr/bin</bin_path>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>no</add_labels>
  </wodle>
</ossec_config>
This configuration tells Wazuh to launch osqueryd from bin_path (run_daemon) and to read the results it writes to log_path. The queries that run at regular intervals, such as SELECT * FROM osquery_info;, are the ones scheduled in the OSQuery configuration file at config_path.
Restart the Wazuh manager so the change takes effect:
sudo systemctl restart wazuh-manager
Once the Wazuh manager is restarted, it will start collecting data from OSQuery according to the configured schedule. You can verify the integration by checking the Wazuh manager logs and reviewing the collected data in the Wazuh app or Kibana interface.