Project 1: OSQuery - squatchulator/Tech-Journal GitHub Wiki
The aim of this project is to apply research strategies in order to integrate Osquery with the Wazuh SIEM we had configured in previous weeks. Osquery is a tool that exports logs about various system configurations and processes that are highly customizable, allowing engineers/analysts working in a SIEM to gather more information about the target system. This makes it significantly easier to identify and diagnose problems when you can specify the information about the system you want to receive.
Allow traffic through the firewall to allow agent installation
set firewall name DMZ-to-WAN rule 999 action accept
set firewall name DMZ-to-WAN rule 999 source address 172.16.50.3
commit
save
yum install yum-utils -y
curl -L https://pkg.osquery.io/rpm/GPG | tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
yum-config-manager --enable osquery-s3-rpm-repo
yum install osquery -y
delete firewall name DMZ-to-WAN rule 999
commit
save
- Navigate to the conf file after installation with
nano /etc/osquery/osquery.conf - The following is the example .conf file from Osquery. It ships some valuable data and makes it easy to verify Osquery is working properly.
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"utc": "true"
},
"schedule": {
"system_info": {
"query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
"interval": 3600
},
"high_load_average": {
"query": "SELECT period, average, '70%' AS 'threshold' FROM load_average WHERE period = '15m' AND average > '0.7';",
"interval": 900,
"description": "Report if load charge is over 70 percent."
},
"low_free_memory": {
"query": "SELECT memory_total, memory_free, CAST(memory_free AS real) / memory_total AS memory_free_perc, '10%' AS threshold FROM memory_info WHERE memory_free_perc < 0.1;",
"interval": 1800,
"description": "Free RAM is under 10%."
}
},
"packs": {
"osquery-monitoring": "/opt/osquery/share/osquery/packs/osquery-monitoring.conf",
"incident-response": "/opt/osquery/share/osquery/packs/incident-response.conf",
"it-compliance": "/opt/osquery/share/osquery/packs/it-compliance.conf",
"vuln-management": "/opt/osquery/share/osquery/packs/vuln-management.conf",
"hardware-monitoring": "/opt/osquery/share/osquery/packs/hardware-monitoring.conf",
"ossec-rootkit": "/opt/osquery/share/osquery/packs/ossec-rootkit.conf"
}
}
Now, start osquery
systemctl enable osqueryd
systemctl start osqueryd
- Navigate to Wazuh -> Modules -> Settings, and scroll down until you see Osquery. Enable it.
- Go back into Wazuh and go to groups
- Create new group called osquery
- Add Web01 to it, and then go to Files -> agent.conf and add the following:
<wodle name="osquery">
<disabled>no</disabled>
<run_daemon>yes</run_daemon>
<bin_path>/usr/bin</bin_path>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>no</add_labels>
</wodle>
If logs not ingesting properly and you're getting the Pid error in Wazuh, run the following:
sudo rm /var/osquery/osquery.db/LOCK
sudo osqueryctl restart