Osquery is an OpenSource agent that provides a unique and refreshing approach to security by providing all the OS-related information that we need. The information includes things like active user accounts, running processes, kernel modules loaded, and active network connections. It can be used for multiple use cases like operational issues and to troubleshoot system performances. Osquery is an all-time favorite tool when you are hardening your systems or finding malicious activities on your system. It is available for most cross-platform Operating systems like Linux, Windows, OS X, and FreeBSD.

Following this article, we are going to make you learn about the installation steps on a LinuxMint OS while the same steps can be performed on Ubuntu systems as well.

Prerequisites:

The basic requirement in this article to install and use Osquery is to have your system up and running with LinuxMint or Ubuntu OS. Make sure that you have the sudo privileges to perform the installation of packages required for this setup..

Step 1: System Update

Let’s start by updating your system with the latest updates and security patches, which can be done by using the command below.

Once the system is updated, give it a reboot to make sure that all the dependencies are fully patched and intact to move forward.

Step 2: Downloading and Installing Osquery

Osquery packages are available for most cross-platform operating systems. You can download the required package depending on which OS you are using from its official web link https://osquery.io/downloads/

Osquery

We are going to install it by using its Apt repository, as osquery is published to an apt repository whereas DEBs have extremely few dependencies and should work on most operating systems.

Let’s run the commands below to get it to install on your system without any hassle.

Next run the below command to add its ‘apt-key’.

After adding the repository update your system again and start its installation by the use of commands as below.

Downloading and Installing Osquery

Step 3: Osquery components and Usage

As we have successfully installed osquery, now we have access to its three useful components, which are osqueryi, osqueryd and osqueryctl. Osqueryi is an interactive query shell that is completely standalone and does not communicate with a daemon. It does not need to run as an administrator. It uses the shell to prototype queries and to explore the current state of your operating system.

Run the command below to find all command-line options and flags available to the interactive shell.

Osquery help

You will see a long list of its command-line flags as shown in the image.

The second component is Osqueryd, to get the list of its command-line arguments, run the command as below.

Osquery components

osqueryd is the host monitoring daemon that records OS state changes and allows you to schedule queries. The daemon aggregates query results over time and generates logs, which indicate state change according to each query.

The third component of osquery is osqueryctl which is used instead by the operating system’s service manager to start/stop/restart osqueryd. It is a helper script which is used for testing deployment or to configure osquery.

Run the commands below to start and check its status.

Osqueryctl

Let’s run some of its basic commands to get the query results in its command-line interactive shell.

Basic commands

Listening ports

From memory info

Step 4: Configuring Osquery

Osquery uses SQL formation within the operating systems to monitor and analyze the frameworks where you can run commands in SQL formats like the select command.

There’s a sample configuration file that you may copy over to /etc/osquery and modify as by default osquery doesn’t come with a configuration file.

The configuration file uses the JSON format and you can write as many queries you want.

Let’s follow the Palantir’s working model which is the most suitable option to make it run. It has a solid Linux Server configuration that includes both osquery.flags and osquery.conf file. The reference link is given below.

https://github.com/palantir/osquery-configuration/tree/master/Classic/Servers/Linux

Place these files in ‘/etc/osquery/’ and restart osqueryd and you will start getting logs and a number of other useful monitoring queries.

VSAN from StarWind is software-defined storage (SDS) solution created with restricted budgets and maximum output in mind. It pulls close to 100% of IOPS from existing hardware, ensures high uptime and fault tolerance starting with just two nodes. StarWind VSAN is hypervisor and hardware agnostic, allowing you to forget about hardware restrictions and crazy expensive physical shared storage.

Build your infrastructure with off-the-shelf hardware, scale however you like, increase return on investment (ROI) and enjoy Enterprise-grade virtualization features and benefits at SMB price today!

Conclusion:

In this detailed article, we learned the installation and configuration of osquery . Osquery is one of the best utilities developed by Facebook to monitor and analyze the security and activities of your system. There are several forms of eventing in osquery along with file modifications and accesses. These range from disk mounts, network reconfigurations, hardware attach and detaching, and process starting. Hopefully, you enjoyed this article and are interested to learn more about osquery.

Back to blog