OSquery Wiki - devinziegler/Devin-Tech-Journal GitHub Wiki

❔What is osquery?

osquery is a tool that can be used to query a system like a database. There are many benefits as to why something like this would be useful. Osquery advertises these three on their website:

1. Security
2. Compliance
3. DevOps

Find more osquery Documentation here:

• osquery Docs

🔌 osquery Installation

Example deployment is on a rocky system (web01)

• Run the following to add the repository and install osquery:

curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
sudo yum-config-manager --enable osquery-s3-rpm-repo
sudo yum install osquery

To Start Queries, enter the interactive mode

osqueryi

Now device can be navigated like a database

🛡️ Wazuh Integration

• Once osqyery is installed, a configuration is needed, copy the example config to the running config:

cp /opt/osquery/share/osquery/osquery.example.conf /etc/osquery/osquery.conf

Find the Wazuh Example osqyery configuration here

• osquery.conf

Enable and Start osqyeryd:

systemctl enable osqueryd
systemctl start osqueryd