Project 1 OSQuery - max-gallagher/SEC-350 GitHub Wiki

OSQuery & Wazuh Integration

Prerequisite Installs

  1. Make sure that you are installing OSQuery on a device that is already enrolled as a Wazuh agent (it should appear in the agents list of the Wazuh web GUI)

  2. In this specific case I had to run both the sudo yum update and sudo yum install yum-utils commands

    -The yum update command was needed before yum-utils would install, and yum-utils provides the yum-config-manager command used later in the process.

Installing OSQuery (I chose to use web01, so this is for a Rocky Linux system)

  1. Open a shell on web01 (the Rocky system)

  2. Run these commands, taken from the OSQuery website:

curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery

sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo

sudo yum-config-manager --enable osquery-s3-rpm-repo

sudo yum install osquery
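The four commands above trust whatever pkg.osquery.io returns: the key is written straight into the RPM key directory and the repo file is used as downloaded. The script below is an added example, not code from this wiki or from the osquery or Wazuh projects. It runs the same steps but refuses to install unless the downloaded key's fingerprint matches the one you copied from the OSQuery downloads page (OSQUERY_EXPECTED_FPR, which you supply) and the .repo file that yum-config-manager wrote enforces gpgcheck=1 with a gpgkey. The REPO_FILE path assumes yum-config-manager keeps the URL's basename when saving the repo file.

```shell
#!/bin/sh
# Added example, not code from this wiki or from osquery/Wazuh.
# Same install steps as the wiki, gated on two checks a practitioner wants first:
#   1. the downloaded signing key has the fingerprint you expect
#      (copy it from https://osquery.io/downloads; OSQUERY_EXPECTED_FPR is an assumption you fill in)
#   2. the .repo file yum-config-manager wrote actually enforces gpgcheck=1 with a gpgkey
set -eu

KEY_URL="https://pkg.osquery.io/rpm/GPG"
KEY_FILE="/etc/pki/rpm-gpg/RPM-GPG-KEY-osquery"
REPO_URL="https://pkg.osquery.io/rpm/osquery-s3-rpm.repo"
REPO_ID="osquery-s3-rpm-repo"
REPO_FILE="/etc/yum.repos.d/osquery-s3-rpm.repo"   # assumed: yum-config-manager keeps the URL basename

# Print the primary fingerprint of an ASCII-armored key file without importing it into any keyring.
key_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Exit 0 only if every [section] of a yum .repo file has gpgcheck=1 and a non-empty gpgkey=.
# Pure text check, so it can be run against any repo file before the repo is ever used.
repo_gpgcheck_enabled() {
    awk '
        /^\[/ { if (sec != "" && !(chk && key)) bad++; sec = $0; chk = 0; key = 0; next }
        /^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*1[[:space:]]*$/ { chk = 1 }
        /^[[:space:]]*gpgkey[[:space:]]*=[[:space:]]*[^[:space:]]/  { key = 1 }
        END {
            if (sec != "" && !(chk && key)) bad++
            exit (sec == "" || bad > 0) ? 1 : 0
        }
    ' "$1"
}

# The wiki's four commands, gated on the two checks. Needs sudo, curl, gpg and yum-utils.
install_osquery() {
    expected_fpr="$1"
    curl -fsSL "$KEY_URL" | sudo tee "$KEY_FILE" >/dev/null
    actual_fpr="$(key_fingerprint "$KEY_FILE")"
    if [ "$actual_fpr" != "$expected_fpr" ]; then
        echo "refusing to install: key fingerprint $actual_fpr does not match expected $expected_fpr" >&2
        return 1
    fi
    sudo yum-config-manager --add-repo "$REPO_URL"
    sudo yum-config-manager --enable "$REPO_ID"
    if ! repo_gpgcheck_enabled "$REPO_FILE"; then
        echo "refusing to install: $REPO_FILE does not enforce gpgcheck=1 with a gpgkey" >&2
        return 1
    fi
    sudo yum install -y osquery
    # After install: show which key signed the package header, and prove the binary runs.
    rpm -qi osquery | grep -i '^Signature'
    osqueryi --line 'SELECT version FROM osquery_info;'
}

# Only perform the real install when the operator supplies the expected fingerprint.
if [ -n "${OSQUERY_EXPECTED_FPR:-}" ]; then
    install_osquery "$OSQUERY_EXPECTED_FPR"
fi
```

Run it as OSQUERY_EXPECTED_FPR=<fingerprint from the downloads page> sh install-osquery.sh. The fingerprint comparison is what turns the curl | tee step from "trust the CDN" into "trust the key I verified out of band"; the repo check catches a .repo file that was silently served with gpgcheck=0.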

Configuring OSQuery on web01

  1. Enable the OSQuery integration on your Wazuh agent by editing the ossec.conf file in the /var/ossec/etc/ directory

-The block you want is under the "Osquery integration" comment (the wodle named osquery). Set disabled to no and set add_labels to no, and leave config_path pointing at the osquery.conf path you create in the next step (/etc/osquery/osquery.conf). add_labels only controls whether the agent's own labels are attached to each OSQuery result, so no is fine when no labels are defined.

  2. On your agent system (web01) create the file osquery.conf under the /etc/osquery/ directory

    -This is where your OSQuery configs (options, scheduled queries and packs) will be stored

  3. I used the example config supplied on the Wazuh documentation page for the OSQuery integration.
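The three steps above are done by hand in an editor. The script below is an added example, not code from this wiki or from the Wazuh documentation, that does the same from a shell: it flips only the osquery wodle in ossec.conf (other wodles also contain a disabled tag and must not be touched), writes an osquery.conf, checks that the config parses with osquery's own checker, and restarts the agent. The scheduled queries are my own choice of things worth watching on a web server, not the Wazuh documentation's example config; the OSQUERY_APPLY, OSSEC_CONF and OSQUERY_CONF variables are assumptions of this script.

```shell
#!/bin/sh
# Added example, not code from this wiki or from the Wazuh documentation.
# Does the "Configuring OSQuery on web01" steps from a shell:
#   1. sets disabled=no / add_labels=no in the <wodle name="osquery"> block of ossec.conf only
#   2. writes an /etc/osquery/osquery.conf with a few scheduled queries (my own, not Wazuh's example)
#   3. runs osquery's config checker before the Wazuh agent is restarted
# Run as root (sudo sh configure-osquery.sh) with OSQUERY_APPLY=1 to touch the real files.
set -eu

OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"      # assumed paths; override via environment
OSQUERY_CONF="${OSQUERY_CONF:-/etc/osquery/osquery.conf}"

# Rewrite only the osquery wodle: disabled yes->no, add_labels yes->no.
# Other wodles (cis-cat, syscollector, ...) also carry <disabled> and are left as they are.
enable_osquery_wodle() {
    file="$1"
    awk '
        /<wodle name="osquery">/ { inq = 1 }
        inq && /<disabled>yes<\/disabled>/     { sub(/<disabled>yes<\/disabled>/, "<disabled>no</disabled>") }
        inq && /<add_labels>yes<\/add_labels>/ { sub(/<add_labels>yes<\/add_labels>/, "<add_labels>no</add_labels>") }
        /<\/wodle>/ { inq = 0 }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Emit the osquery.conf. logger_path is where the wodle's default log_path
# (/var/log/osquery/osqueryd.results.log) lives; osquery logs differential results, so an
# edit to a watched file or a new listening socket shows up as removed+added rows in Wazuh.
osquery_conf_json() {
    cat <<'EOF'
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "utc": "true",
    "schedule_splay_percent": "10"
  },
  "schedule": {
    "listening_ports": {
      "query": "SELECT p.pid, p.name, p.path, lp.address, lp.port, lp.protocol FROM listening_ports lp JOIN processes p USING (pid) WHERE lp.port != 0;",
      "interval": 600,
      "description": "New or changed listening sockets and the process behind them"
    },
    "uid0_accounts": {
      "query": "SELECT username, uid, gid, shell, directory FROM users WHERE uid = 0;",
      "interval": 3600,
      "description": "Any account besides root with uid 0 is a backdoor"
    },
    "crontab_entries": {
      "query": "SELECT event, minute, hour, command, path FROM crontab;",
      "interval": 3600,
      "description": "Persistence via cron"
    },
    "sudoers_hash": {
      "query": "SELECT path, sha256 FROM hash WHERE path = '/etc/sudoers';",
      "interval": 3600,
      "description": "Hash of /etc/sudoers so edits are reported"
    }
  }
}
EOF
}

# Write the config, have osqueryi parse it (exits non-zero on bad JSON), then enable the wodle.
configure_osquery() {
    osquery_conf_json > "$OSQUERY_CONF"
    chmod 0644 "$OSQUERY_CONF"
    if command -v osqueryi >/dev/null 2>&1; then
        osqueryi --config_path "$OSQUERY_CONF" --config_check
    fi
    enable_osquery_wodle "$OSSEC_CONF"
    systemctl restart wazuh-agent
}

# With run_daemon=yes in the wodle, the Wazuh agent launches osqueryd itself, so do not also
# enable osqueryd.service; this confirms exactly one osqueryd is up and results are being written.
verify_osquery_running() {
    pgrep -a osqueryd || { echo "osqueryd is not running" >&2; return 1; }
    tail -n 3 /var/log/osquery/osqueryd.results.log
}

if [ "${OSQUERY_APPLY:-0}" = 1 ]; then
    configure_osquery
    verify_osquery_running
fi
```

The config checker is the step worth keeping even when editing by hand: a stray comma in osquery.conf means the wodle starts an osqueryd that immediately exits, and the only symptom in the GUI is an empty Events tab.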

Configuring OSQuery on Wazuh

  1. In the Wazuh web GUI, open the drop-down menu, go to Settings, and from there go to Modules

  2. Scroll down until you find "Threat Detection and Response" and enable OSQuery

Checking OSQuery through Wazuh

  1. In the Wazuh web GUI, open the drop-down menu again and this time go to "Modules"; OSQuery should now be listed as an option, so select it

  2. This brings you to the OSQuery dashboard, which contains some basic information about the results received so far

  3. Select Events next to the dashboard to see the OSQuery results arriving from your Wazuh agents.

Demonstration Video

https://drive.google.com/file/d/1wi9reAaZd_PQTijntFyq9AVsN1XLU3P9/view