Install Osquery on Rocky Linux 8

In this guide, we are going to learn how to install osquery on Rocky Linux 8. Osquery is an opensource tool that queries an operating system as if it were a relational database. It leverage SQL-like queries to gather Operating System information for performance, security, compliance audit analysis. It runs on multiple platforms such as Linux, FreeBSD, MacOS, Windows systems.

Installing Osquery on Rocky Linux 8

Install Osquery YUM Repository

The default Rocky Linux repositories does not contain the osquery package.

However, osquery publishes the stable releases to YUM repository.

To add osquery YUM repository to Rocky Linux 8, run the command below;

curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery

dnf config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo

This installs Osquery yum repository, and you can confirm by running the command below;

dnf repolist | grep osquery

Sample output;

osquery-s3-rpm-repo             name=osquery RPM repository - x86_64

Install Osquery

Once the repository is in place, you can then install Osquery by running the command below.

dnf --enablerepo osquery-s3-rpm-repo install osquery -y

Components of osquery

Osquery package installs three basic components;

• osqueryctl – This is an osquery helper script for testing osquery configuration/deployment as well as managing the osqueryd service.
• osqueryd – is an osquery daemon for scheduling queries and recording the changes in the state of OS.
• osqueryi – is an osquery interactive shell. From the shell, you can run various queries to explore that state of your OS.

In order to learn the usage of the commands above, you can pass the -h/–help option.

osqueryctl -h

Usage: /usr/bin/osqueryctl {clean|config-check|start|stop|status|restart}

For example to start, stop and restart osqueryd using osqueryctl, run the commands;

osqueryctl start osqueryd

osqueryctl stop osqueryd

osqueryctl restart osqueryd

Running Osquery on Rocky Linux 8

Osquery can be run:

• in standalone mode using the osqueryi or
• as service using osqueryd

In this guide, we are going to focus on how to use the osquery interactive shell to query various system activities.

Running osquery in standalone mode

When osqueryi is run without any arguments, it takes you to the interactive shell prompt;

osqueryi

Using a virtual database. Need help, type '.help'
osquery>

You can obtain help by typing .help on the shell prompt. Notice the dot (.).

osquery> .help

Welcome to the osquery shell. Please explore your OS!
You are connected to a transient 'in-memory' virtual database.

.all [TABLE]     Select all from a table
.bail ON|OFF     Stop after hitting an error
.connect PATH    Connect to an osquery extension socket
.disconnect      Disconnect from a connected extension socket
.echo ON|OFF     Turn command echo on or off
.exit            Exit this program
.features        List osquery's features and their statuses
.headers ON|OFF  Turn display of headers on or off
.help            Show this message
.mode MODE       Set output mode where MODE is one of:
                   csv      Comma-separated values
                   column   Left-aligned columns see .width
                   line     One value per line
                   list     Values delimited by .separator string
                   pretty   Pretty printed SQL results (default)
.nullvalue STR   Use STRING in place of NULL values
.print STR...    Print literal STRING
.quit            Exit this program
.schema [TABLE]  Show the CREATE statements
.separator STR   Change separator used by output mode
.socket          Show the local osquery extensions socket path
.show            Show the current values for various settings
.summary         Alias for the show meta command
.tables [TABLE]  List names of tables
.types [SQL]     Show result of getQueryColumns for the given query
.width [NUM1]+   Set column widths for "column" mode
.timer ON|OFF      Turn the CPU timer measurement on or off

Listing Osquery system Information tables

Osquery converts various OS attributes into tabular like database concepts. Hence, to list tables from which various system information is stored, run the .tables command within the osqueryi prompt.

osqueryi

osquery> .tables

Sample output;

=> acpi_tables
=> apt_sources
=> arp_cache
=> augeas
=> authorized_keys
=> block_devices
=> carbon_black_info
=> carves
=> chrome_extensions
=> cpu_time
…
=> time
=> uptime
=> usb_devices
=> user_events
=> user_groups
=> user_ssh_keys
=> users
=> yara
=> yara_events
=> yum_sources
osquery>

Querying Osquery system tables

For example purposes, let us see what is contained on some of the tables;

select * from os_version;

+-------------+------------------------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| name        | version                                  | major | minor | patch | build | platform | platform_like | codename | arch   |
+-------------+------------------------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| Rocky Linux | Rocky Linux release 8.4 (Green Obsidian) | 8     | 4     | 0     |       | rhel     | rhel          |          | x86_64 |
+-------------+------------------------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+

To query system users whose uid is greater than 1000,

select * from users where uid >=1000;

+-------+-------+------------+------------+-----------+----------------------+-----------------+---------------+------+
| uid   | gid   | uid_signed | gid_signed | username  | description          | directory       | shell         | uuid |
+-------+-------+------------+------------+-----------+----------------------+-----------------+---------------+------+
| 65534 | 65534 | 65534      | 65534      | nobody    | Kernel Overflow User | /               | /sbin/nologin |      |
| 1000  | 1000  | 1000       | 1000       | kifarunix |                      | /home/kifarunix | /bin/bash     |      |
+-------+-------+------------+------------+-----------+----------------------+-----------------+---------------+------+

To list all logged in users;

select user,tty,host,time from logged_in_users where tty not like '~';

+-----------+-------+--------------+------------+
| user      | tty   | host         | time       |
+-----------+-------+--------------+------------+
| kifarunix | tty1  |              | 1628876993 |
| root      | pts/0 | 192.168.60.1 | 1628875575 |
+-----------+-------+--------------+------------+

Check system uptime;

select * from uptime;

+------+-------+---------+---------+---------------+
| days | hours | minutes | seconds | total_seconds |
+------+-------+---------+---------+---------------+
| 0    | 4     | 21      | 49      | 4909          |
+------+-------+---------+---------+---------------+

To show network interfaces and IP addresses;

select interface,address,mask from interface_addresses where interface NOT LIKE '%lo%';

+-----------+----------------------------------+-----------------------+
| interface | address                          | mask                  |
+-----------+----------------------------------+-----------------------+
| enp0s3    | 10.0.2.15                        | 255.255.255.0         |
| enp0s8    | 192.168.60.19                    | 255.255.255.0         |
| enp0s3    | fe80::689b:622:1eaf:287a%enp0s3  | ffff:ffff:ffff:ffff:: |
| enp0s8    | fe80::301d:abeb:ad8b:6c56%enp0s8 | ffff:ffff:ffff:ffff:: |
+-----------+----------------------------------+-----------------------+

See the Osquery tables columns on osquery Schemas page.

Osquery command output view modes

The osquery command output view mode can be changed by running the command, .mode MODE from within the osqueryi shell prompt, where MODE can be line, csv, pretty (default), column, list.

For example to set the view to line mode;

osquery> .mode line

The when you run the queries, output is produced line by line;

SELECT * FROM system_info;

          hostname = rocky8.kifarunix-demo.com
              uuid = 85dd4d36-5e88-864a-b6e8-1919f794534a
          cpu_type = x86_64
       cpu_subtype = 142
         cpu_brand = Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz
cpu_physical_cores = 1
 cpu_logical_cores = 1
     cpu_microcode = 
   physical_memory = 848629760
   hardware_vendor = innotek GmbH
    hardware_model = VirtualBox
  hardware_version = 1.2
   hardware_serial = 0
      board_vendor = Oracle Corporation
       board_model = VirtualBox
     board_version = 1.2
      board_serial = 0
     computer_name = rocky8.kifarunix-demo.com
    local_hostname = rocky8.kifarunix-demo.com

List installed system packages;

select * from rpm_packages top limit 3;

         name = NetworkManager
      version = 1.30.0
      release = 10.el8_4
       source = NetworkManager-1.30.0-10.el8_4.src.rpm
         size = 7215759
         sha1 = f910dc05b56f78fcec2386ac164fcba0316299fa
         arch = x86_64
        epoch = 1
 install_time = 1628844768
       vendor = Rocky
package_group = System Environment/Base

         name = NetworkManager-libnm
      version = 1.30.0
      release = 10.el8_4
       source = NetworkManager-1.30.0-10.el8_4.src.rpm
         size = 9262984
         sha1 = 25eb93263187481d1475d2dd5b25d8639808e04a
         arch = x86_64
        epoch = 1
 install_time = 1628844766
       vendor = Rocky
package_group = Development/Libraries

         name = NetworkManager-team
      version = 1.30.0
      release = 10.el8_4
       source = NetworkManager-1.30.0-10.el8_4.src.rpm
         size = 49616
         sha1 = f8a8fbd59ba1a1901e27ab2833aa8705902965c6
         arch = x86_64
        epoch = 1
 install_time = 1628844958
       vendor = Rocky
package_group = System Environment/Base

Exit Osquery Interactive shell

To exit osqueri interactive shell, osquery>, use the command .exit or simply press Control+d keyboard combination keys.

osquery> .exit

Running Osquery as a service

osqueryd is an osquery daemon for scheduling queries and recording the changes in the state of OS. You can use this daemon to run Osquery a service.

For this to work, you need to copy the sample Osquery configuration to /etc/osquery directory as follows;

cp /usr/share/osquery/osquery.example.conf /etc/osquery/osquery.conf

Next, that the service;

systemctl start osqueryd

Checking the status;

systemctl status osqueryd

● osqueryd.service - The osquery Daemon
   Loaded: loaded (/usr/lib/systemd/system/osqueryd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-08-13 21:03:04 EAT; 5s ago
  Process: 2244 ExecStartPre=/bin/sh -c if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi (code=exited, status=0/SUCCESS)
  Process: 2241 ExecStartPre=/bin/sh -c if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi (code=exited, status=0/SUCCESS)
 Main PID: 2245 (osqueryd)
    Tasks: 14 (limit: 4938)
   Memory: 9.5M
   CGroup: /system.slice/osqueryd.service
           ├─2245 /usr/bin/osqueryd --flagfile /etc/osquery/osquery.flags --config_path /etc/osquery/osquery.conf
           └─2248 /usr/bin/osqueryd

Aug 13 21:03:04 rocky8.kifarunix-demo.com systemd[1]: Starting The osquery Daemon...
Aug 13 21:03:04 rocky8.kifarunix-demo.com systemd[1]: Started The osquery Daemon.
Aug 13 21:03:04 rocky8.kifarunix-demo.com osqueryd[2245]: osqueryd started [version=4.9.0]
Aug 13 21:03:07 rocky8.kifarunix-demo.com osqueryd[2245]: I0813 21:03:07.644742  2248 eventfactory.cpp:156] Event

Further Reading

Osquery Documentation

Other Tutorials

Install Redmine on Ubuntu 20.04

Install Redmine on Rocky Linux 8

Install Webmin on Rocky Linux 8

Install and Configure SNMP on Rocky Linux 8