How to Use Osquery to Check Linux Server Security


Osquery is a free, open source, powerful and cross-platform SQL-powered operating system instrumentation, monitoring and analytics framework for Linux, FreeBSD, Windows and Mac OS X, built by Facebook. It is a simple and easy-to-use operating system instrumentation framework.

It bundles a number of tools that perform low-level OS analytics and monitoring. These tools expose the operating system as a high-performance relational database, in the same way as MySQL/MariaDB, PostgreSQL and others: OS concepts are represented in tabular form, so users can run SQL queries to perform system monitoring and analytics tasks.

Osquery uses a simple plugin and extension API to implement SQL tables. A collection of tables is already available for use, and more are being added and documented. Some tables are only available on particular operating systems; for example, the kernel_modules table only exists on Linux systems.

In addition, you can run queries to inspect and analyze OS state on a single host from the interactive osqueryi shell, on many hosts across the network via a scheduler, or from your own custom applications using the osquery Thrift API.

How to Install Osquery on Linux

Osquery can be installed from the official repository using your Linux distribution's package manager (apt, yum or dnf) as shown.

On Debian/Ubuntu (apt):

$ export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY
$ sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
$ sudo apt update
$ sudo apt install osquery

On CentOS/RHEL (yum):

$ curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
$ sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
$ sudo yum-config-manager --enable osquery-s3-rpm-repo
$ sudo yum install osquery

On Fedora (dnf):

$ curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
$ sudo dnf config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
$ sudo dnf config-manager --set-enabled osquery-s3-rpm-repo
$ sudo dnf install osquery

How to Monitor and Analyze Linux Using Osquery

Once Osquery is installed on your system, start the osquery shell to begin querying your OS state as shown.

$ osqueryi

Using a virtual database. Need help, type '.help'
osquery> 

To get summarized Linux system information, run this command.

osquery> SELECT * FROM system_info;

To get a well-formatted list of all users on the Linux system, run this query.

osquery> SELECT * FROM users;

To get a list of Linux kernel modules and their status, run this query.

osquery> SELECT * FROM kernel_modules;

To get a list of all installed RPM packages on CentOS, RHEL and Fedora, run this query (the .all meta-command is shorthand for SELECT * FROM the named table).

osquery> .all rpm_packages

To see which running Linux processes are listening on all network interfaces (address 0.0.0.0), run this query.

osquery> SELECT DISTINCT processes.name, listening_ports.port, processes.pid FROM listening_ports JOIN processes USING (pid) WHERE listening_ports.address = '0.0.0.0';

If you are running osquery on a desktop and have Firefox or Chrome installed, you can list all your add-ons and extensions with these queries.

osquery> .all firefox_addons
osquery> .all chrome_extensions

To display a list of all tables implemented on Linux, use the .tables meta-command as shown; .help prints the shell's help message.

osquery> .tables
osquery> .help

Osquery also provides file integrity monitoring (FIM), as well as process and socket auditing features among others, so it can serve as an intrusion detection tool; however, this requires some configuration before you can deploy it for that purpose. You can find more information in the Osquery GitHub repository.
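The osquery.conf below is an added example, not code from the original article or from the osquery project. It turns the interactive queries from the section above into scheduled osqueryd checks (so changes are logged continuously instead of being typed into osqueryi by hand) and switches on the file integrity monitoring and audit-based process and socket event tables that the last paragraph says need configuration. The query names, intervals, monitored path categories and the choice of columns are illustrative choices of this example; the option names, table names and columns are osquery's own.

```json
{
  "options": {
    "host_identifier": "hostname",
    "utc": "true",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "schedule_splay_percent": "10",

    "disable_events": "false",
    "events_expiry": "3600",

    "enable_file_events": "true",

    "disable_audit": "false",
    "audit_allow_config": "true",
    "audit_allow_sockets": "true",
    "audit_persist": "true"
  },

  "schedule": {
    "system_info": {
      "query": "SELECT hostname, uuid, cpu_brand, physical_memory FROM system_info;",
      "interval": 86400,
      "snapshot": true
    },
    "users": {
      "query": "SELECT uid, gid, username, directory, shell FROM users;",
      "interval": 3600
    },
    "kernel_modules": {
      "query": "SELECT name, size, used_by, status FROM kernel_modules;",
      "interval": 3600
    },
    "rpm_packages": {
      "query": "SELECT name, version, release, arch FROM rpm_packages;",
      "interval": 86400
    },
    "listening_on_all_interfaces": {
      "query": "SELECT DISTINCT p.pid, p.name, p.path, p.cmdline, u.username, lp.port, lp.protocol FROM listening_ports AS lp JOIN processes AS p USING (pid) LEFT JOIN users AS u ON u.uid = p.uid WHERE lp.address IN ('0.0.0.0', '::');",
      "interval": 300
    },
    "setuid_binaries": {
      "query": "SELECT path, username, groupname, permissions FROM suid_bin;",
      "interval": 3600
    },
    "process_binary_not_on_disk": {
      "query": "SELECT pid, name, path, cmdline, uid FROM processes WHERE on_disk = 0;",
      "interval": 300
    },
    "file_events": {
      "query": "SELECT target_path, category, action, uid, sha256, time FROM file_events;",
      "interval": 60,
      "removed": false
    },
    "process_events": {
      "query": "SELECT pid, parent, path, cmdline, uid, auid, time FROM process_events;",
      "interval": 60,
      "removed": false
    },
    "socket_events": {
      "query": "SELECT pid, path, action, local_address, local_port, remote_address, remote_port, time FROM socket_events;",
      "interval": 60,
      "removed": false
    }
  },

  "file_paths": {
    "binaries": ["/usr/bin/%%", "/usr/sbin/%%", "/bin/%%", "/sbin/%%"],
    "configuration": ["/etc/%%"],
    "ssh_keys": ["/root/.ssh/%%", "/home/%/.ssh/%%"]
  },

  "exclude_paths": {
    "configuration": ["/etc/ld.so.cache", "/etc/mtab"]
  }
}
```

Save it as /etc/osquery/osquery.conf (the default path used by the Linux packages), check it with `sudo osqueryd --config_path /etc/osquery/osquery.conf --config_check`, and then start the daemon with `sudo systemctl start osqueryd`. Scheduled queries are logged differentially to /var/log/osquery/osqueryd.results.log, so each run records only rows that were added or removed since the previous run (a new listening port, a new kernel module, a new setuid binary); the `snapshot` query is written in full to osqueryd.snapshots.log instead. In `file_paths`, `%%` matches recursively and `%` matches a single path component, and `exclude_paths` keys refer to the same category names. The `file_events`, `process_events` and `socket_events` tables are only populated while osqueryd runs as root with the event and audit options above; osqueryd takes over the kernel audit subscription, so it should not compete with a running auditd. On Debian/Ubuntu replace the `rpm_packages` query with one against `deb_packages`, since the rpm_packages table does not exist there.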