Atlantic.Net Blog

How to Monitor Linux Server Security with Osquery

Osquery is a free and open-source tool that exposes operating system state as a set of SQL tables, so you can query running processes, loaded kernel modules, user accounts, network connections, and more with plain SQL for performance, security, and compliance audits. It runs on all major operating systems, including Linux, FreeBSD, macOS, and Windows. System administrators use it to troubleshoot performance and operational issues, and security teams use the same queries to spot unexpected listeners, SUID binaries, SSH keys and logins on their servers.

In this post, we will show you how to install Osquery on Oracle Linux 8.

Step 1 – Install Osquery on Oracle Linux 8

The Osquery package is not in the default Oracle Linux repositories, so you need to add the Osquery repository and its GPG signing key. The dnf config-manager command comes from the dnf-plugins-core package, so install that first if it is missing. Because the key is fetched over the network and then trusted for every package from this repository, compare its fingerprint with the one published in the Osquery documentation before you continue. Add the key and the repository with the following commands:

curl -L https://pkg.osquery.io/rpm/GPG | tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
dnf config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo

Next, verify the added repo with the following command:

dnf repolist | grep osquery

You will get the following output:

osquery-s3-rpm-repo name=osquery RPM repository - x86_64

Next, install the Osquery package using the following command:

dnf --enablerepo osquery-s3-rpm-repo install osquery -y

The package ships a helper script, osqueryctl, that starts the osqueryd daemon. You can start the Osquery service using the following command:

osqueryctl start

To stop the Osquery service, run the following command:

osqueryctl stop

Step 2 – Run Osquery in Standalone Mode

osqueryi is the interactive shell. It runs queries against a transient in-memory virtual database and does not need the daemon, which makes it the right place to explore tables and test queries before you schedule them. Start it with the following command:

osqueryi

To get a list of all commands, run the following command:

.help

You will get the following output:

Welcome to the osquery shell. Please explore your OS!
You are connected to a transient 'in-memory' virtual database.

.all [TABLE]     Select all from a table
.bail ON|OFF     Stop after hitting an error
.connect PATH    Connect to an osquery extension socket
.disconnect      Disconnect from a connected extension socket
.echo ON|OFF     Turn command echo on or off
.exit            Exit this program
.features        List osquery's features and their statuses
.headers ON|OFF  Turn display of headers on or off
.help            Show this message
.mode MODE       Set output mode where MODE is one of:
                   csv      Comma-separated values
                   column   Left-aligned columns see .width
                   line     One value per line
                   list     Values delimited by .separator string
                   pretty   Pretty printed SQL results (default)
.nullvalue STR   Use STRING in place of NULL values
.print STR...    Print literal STRING
.quit            Exit this program
.schema [TABLE]  Show the CREATE statements
.separator STR   Change separator used by output mode
.socket          Show the local osquery extensions socket path
.show            Show the current values for various settings
.summary         Alias for the show meta command
.tables [TABLE]  List names of tables
.types [SQL]     Show result of getQueryColumns for the given query
.width [NUM1]+   Set column widths for "column" mode
.timer ON|OFF    Turn the CPU timer measurement on or off

Step 3 – How to Use Osquery

Osquery exposes system information as virtual SQL tables. The tables are populated on demand when you query them; nothing is stored unless you schedule queries in the daemon (Step 4). You can list all available tables with the following command:

.tables

The list is long and depends on the platform and Osquery version; only the beginning is shown here:

  => acpi_tables
  => apparmor_events
  => apparmor_profiles
  => apt_sources
  => arp_cache
  => atom_packages
  => augeas
  => authorized_keys
  => azure_instance_metadata
  => azure_instance_tags
  => block_devices
  => bpf_process_events
  => bpf_socket_events
  => carbon_black_info
  => carves
  => certificates
  => chrome_extension_content_scripts
  => chrome_extensions
  => cpu_info
  => cpu_time
  => cpuid

To check the operating system version, run the following command:

select * from os_version;

You will get the following output:

+--------------------------+----------------------------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| name                     | version                                      | major | minor | patch | build | platform | platform_like | codename | arch   |
+--------------------------+----------------------------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| Red Hat Enterprise Linux | Red Hat Enterprise Linux release 8.5 (Ootpa) | 8     | 5     | 0     |       | rhel     | rhel          |          | x86_64 |
+--------------------------+----------------------------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+

Note that Oracle Linux, which ships Red Hat compatible release files, is reported here under the Red Hat Enterprise Linux name; when you write checks against this table, rely on the version, platform and arch columns rather than the name.

To list all users whose UID is 1000 or greater (on RHEL-like systems, regular rather than system accounts), run the following command:

select * from users where uid >=1000;

On this freshly installed host the only match is the nobody account with UID 65534, meaning no regular user accounts exist yet. You will get the following output:

+-------+-------+------------+------------+----------+----------------------+-----------+---------------+------+
| uid   | gid   | uid_signed | gid_signed | username | description          | directory | shell         | uuid |
+-------+-------+------------+------------+----------+----------------------+-----------+---------------+------+
| 65534 | 65534 | 65534      | 65534      | nobody   | Kernel Overflow User | /         | /sbin/nologin |      |
+-------+-------+------------+------------+----------+----------------------+-----------+---------------+------+

The logged_in_users table reads the utmp database. The tty value ~ belongs to the reboot and runlevel pseudo-entries, so excluding it leaves real sessions; the host column holds the source address of an SSH session, which is what you want to review when auditing remote access. To list all active logged-in users, run the following command:

select user,tty,host,time from logged_in_users where tty not like '~';

The LOGIN row is the getty login process on tty1, not a user; add where type = 'user' to the query to drop such entries. You will get the following output:

+-------+-------+--------------+------------+
| user  | tty   | host         | time       |
+-------+-------+--------------+------------+
| LOGIN | tty1  |              | 1662011298 |
| root  | pts/0 | 117.99.59.26 | 1662011331 |
+-------+-------+--------------+------------+

To check the system uptime, run the following command:

select * from uptime;

You will get the following output:

+------+-------+---------+---------+---------------+
| days | hours | minutes | seconds | total_seconds |
+------+-------+---------+---------+---------------+
| 0    | 0     | 5       | 57      | 357           |
+------+-------+---------+---------+---------------+

To list the addresses and masks assigned to every interface except loopback, run the following command:

select interface,address,mask from interface_addresses where interface NOT LIKE '%lo%';

You will get the following output:

+-----------+-------------------------------+-----------------------+
| interface | address                       | mask                  |
+-----------+-------------------------------+-----------------------+
| eth0      | 208.117.81.163                | 255.255.255.0         |
| eth0      | fe80::200:d0ff:fe75:51a3%eth0 | ffff:ffff:ffff:ffff:: |
| eth1      | fe80::200:aff:fe75:51a3%eth1  | ffff:ffff:ffff:ffff:: |
+-----------+-------------------------------+-----------------------+
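The queries above read one table at a time. For security monitoring the useful step is joining tables and comparing the result against what the host is supposed to look like. The following script is an added example, not code from the original post or from the osquery project. It runs four checks through osqueryi in JSON mode (the osqueryi binary from Step 1 is assumed to be on PATH), and falls back to constructed sample rows when it is not, so the logic can be exercised offline. The port allowlist, SUID baseline and sample rows are placeholders to tune per host.

```python
"""Added example: run security checks through osqueryi and flag anomalies.
Assumes osqueryi is on PATH; sample rows below are constructed, not captured."""
import json
import shutil
import subprocess

# TCP listeners joined to the owning process and user. listening_ports uses
# IANA protocol numbers, so protocol = 6 selects TCP.
LISTENING_SQL = """
SELECT lp.port, lp.address, p.pid, p.name, p.path, u.username
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
LEFT JOIN users AS u ON u.uid = p.uid
WHERE lp.protocol = 6 AND lp.port != 0;
"""

# Processes whose binary has been unlinked (on_disk = 0) or that execute from
# world-writable scratch space: both are common post-exploitation tells.
SUSPICIOUS_PROC_SQL = """
SELECT pid, name, path, cmdline, uid, on_disk
FROM processes
WHERE on_disk = 0 OR path LIKE '/tmp/%' OR path LIKE '/dev/shm/%';
"""

SUID_SQL = "SELECT path, username, groupname, permissions FROM suid_bin;"

# authorized_keys is keyed by uid; join users to see whose keys they are.
SSH_KEYS_SQL = """
SELECT u.username, ak.key_file, ak.algorithm, ak.key
FROM authorized_keys AS ak
JOIN users AS u ON u.uid = ak.uid;
"""


def run_query(sql):
    """Run one statement through osqueryi and return its rows as dicts.
    osqueryi --json serialises every column as a string, even integers."""
    proc = subprocess.run(["osqueryi", "--json", sql], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def unexpected_listeners(rows, allowed_ports=frozenset({22})):
    """Listeners bound to a non-loopback address on a port outside the
    allowlist. Ports are cast from the strings osqueryi returns."""
    return [r for r in rows
            if int(r["port"]) not in allowed_ports
            and r["address"] not in ("127.0.0.1", "::1")]


def unexpected_suid(rows, baseline):
    """SUID/SGID binaries absent from a known-good baseline. Record the
    baseline on a freshly built host and keep it off the monitored machine."""
    return sorted(r["path"] for r in rows if r["path"] not in baseline)


def keys_outside_home(rows):
    """authorized_keys files that are not under /home or /root: a key planted
    for a service account is a quiet way to keep SSH access."""
    return [r for r in rows
            if not r["key_file"].startswith(("/home/", "/root/"))]


def audit(runner=run_query, allowed_ports=frozenset({22}),
          suid_baseline=frozenset()):
    """Run every check and return the findings keyed by check name."""
    return {
        "listeners": unexpected_listeners(runner(LISTENING_SQL), allowed_ports),
        "processes": runner(SUSPICIOUS_PROC_SQL),
        "suid": unexpected_suid(runner(SUID_SQL), suid_baseline),
        "ssh_keys": keys_outside_home(runner(SSH_KEYS_SQL)),
    }


# Constructed sample rows in the shape osqueryi --json emits (all strings),
# used when the binary is not installed so the checks still run offline.
SAMPLE_ROWS = {
    LISTENING_SQL: [
        {"port": "22", "address": "0.0.0.0", "pid": "812", "name": "sshd",
         "path": "/usr/sbin/sshd", "username": "root"},
        {"port": "3306", "address": "127.0.0.1", "pid": "955", "name": "mysqld",
         "path": "/usr/sbin/mysqld", "username": "mysql"},
        {"port": "4444", "address": "0.0.0.0", "pid": "2311", "name": "nc",
         "path": "/usr/bin/nc", "username": "nobody"},
    ],
    SUSPICIOUS_PROC_SQL: [
        {"pid": "2310", "name": "kworker", "path": "/dev/shm/.x",
         "cmdline": "./kworker", "uid": "65534", "on_disk": "1"},
    ],
    SUID_SQL: [
        {"path": "/usr/bin/sudo", "username": "root", "groupname": "root", "permissions": "S"},
        {"path": "/tmp/.cache/sh", "username": "root", "groupname": "root", "permissions": "S"},
    ],
    SSH_KEYS_SQL: [
        {"username": "root", "key_file": "/root/.ssh/authorized_keys",
         "algorithm": "ssh-ed25519", "key": "<constructed>"},
        {"username": "mysql", "key_file": "/var/lib/mysql/.ssh/authorized_keys",
         "algorithm": "ssh-rsa", "key": "<constructed>"},
    ],
}


def sample_runner(sql):
    """Offline stand-in for run_query that serves the constructed rows."""
    return SAMPLE_ROWS[sql]


if __name__ == "__main__":
    runner = run_query if shutil.which("osqueryi") else sample_runner
    print(json.dumps(audit(runner, suid_baseline={"/usr/bin/sudo"}), indent=2))
```

Two points matter in practice: every value osqueryi returns in JSON mode is a string, so cast before comparing numbers, and the SUID baseline and port allowlist must be recorded from a trusted build and kept off the monitored host, otherwise an attacker who gains root can simply edit the baseline along with the binary.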

To switch to line mode, which prints one column per line and is easier to read for wide tables such as system_info, run the following command:

.mode line

To check the system information and print the output line by line, run the following command:

SELECT * FROM system_info;

You will get the following output:

          hostname = oraclelinux8
              uuid = 537b369a-6701-4b31-bb3d-5a34d663eb1f
          cpu_type = x86_64
       cpu_subtype = 6
         cpu_brand = QEMU Virtual CPU version 2.5+
cpu_physical_cores = 1
 cpu_logical_cores = 1
     cpu_microcode = 0x1
   physical_memory = 1905364992
   hardware_vendor = QEMU
    hardware_model = Standard PC (i440FX + PIIX, 1996)
  hardware_version = pc-i440fx-bionic
   hardware_serial = 
      board_vendor = 
       board_model = 
     board_version = 
      board_serial = 
     computer_name = oraclelinux8
    local_hostname = oraclelinux8

You can exit from the Osquery shell with the following command:

.exit

Step 4 – Run Osquery via Systemd

osqueryi is interactive and keeps nothing. For continuous monitoring you run the osqueryd daemon under systemd, which executes the queries listed in the schedule section of /etc/osquery/osquery.conf at fixed intervals and logs the differences between runs (by default to /var/log/osquery). Start from the example configuration shipped with the package, then review and replace its sample queries with your own:

cp /opt/osquery/share/osquery/osquery.example.conf /etc/osquery/osquery.conf

If you started the daemon with osqueryctl in Step 1, stop it first so that two copies do not run:

osqueryctl stop

Next, start the Osquery service via systemd and enable it so that it comes back after a reboot:

systemctl start osqueryd
systemctl enable osqueryd

To check the active status of Osquery, run the following command:

systemctl status osqueryd

You will get the following output:

● osqueryd.service - The osquery Daemon
   Loaded: loaded (/usr/lib/systemd/system/osqueryd.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2022-09-01 01:57:08 EDT; 12s ago
  Process: 1458 ExecStartPre=/bin/sh -c if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi (code=exited, status=0/SUCCESS)
  Process: 1456 ExecStartPre=/bin/sh -c if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi (code=exited, status=0/SUCCESS)
 Main PID: 1459 (osqueryd)
    Tasks: 14 (limit: 11409)
   Memory: 7.9M
   CGroup: /system.slice/osqueryd.service
           ├─1459 /opt/osquery/bin/osqueryd --flagfile /etc/osquery/osquery.flags --config_path /etc/osquery/osquery.conf
           └─1462 /opt/osquery/bin/osqueryd
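The example configuration copied above only demonstrates the file format. The script below is an added example, not code from the original post or from the osquery project: it generates an osquery.conf that schedules the security checks from Step 3 under osqueryd, applies a few cheap static checks, and then asks osqueryd itself to parse the file with its --config_check flag before you restart the service. The logger path, intervals and the osqueryd location are assumptions to adjust.

```python
"""Added example: build and validate an osquery.conf for osqueryd.
Paths and intervals are assumptions; adjust them for your environment."""
import json
import os
import shutil
import subprocess
import sys
import tempfile


def build_config():
    """Return the configuration as a dict. Scheduled queries are differential
    by default: osqueryd logs only rows added or removed since the previous
    run, which is what change detection needs. snapshot=true logs the full
    result on every run and suits inventory-style queries."""
    return {
        "options": {
            "logger_path": "/var/log/osquery",  # filesystem logger output
            "schedule_splay_percent": "10",     # spread query load across hosts
        },
        "schedule": {
            "listening_ports": {
                "query": "SELECT lp.port, lp.address, lp.protocol, p.name, p.path "
                         "FROM listening_ports lp JOIN processes p ON p.pid = lp.pid "
                         "WHERE lp.port != 0;",
                "interval": 300,
            },
            "suid_bin": {
                "query": "SELECT path, username, groupname, permissions FROM suid_bin;",
                "interval": 3600,
            },
            "authorized_keys": {
                "query": "SELECT uid, key_file, algorithm, key FROM authorized_keys;",
                "interval": 3600,
            },
            "crontab": {"query": "SELECT * FROM crontab;", "interval": 3600},
            "kernel_modules": {
                "query": "SELECT name, size, used_by FROM kernel_modules;",
                "interval": 600,
            },
            "logged_in_users": {
                "query": "SELECT user, tty, host, time FROM logged_in_users "
                         "WHERE type = 'user';",
                "interval": 60,
            },
            "os_version": {
                "query": "SELECT * FROM os_version;",
                "interval": 86400,
                "snapshot": True,
            },
        },
    }


def validate_schedule(config):
    """Cheap static checks before handing the file to osqueryd: every
    scheduled query needs a non-empty SQL string and a positive integer
    interval in seconds. Returns a list of problems, empty when clean."""
    problems = []
    for name, entry in config.get("schedule", {}).items():
        query = entry.get("query", "")
        if not isinstance(query, str) or not query.strip():
            problems.append(f"{name}: missing query")
        interval = entry.get("interval")
        if not isinstance(interval, int) or interval <= 0:
            problems.append(f"{name}: interval must be a positive integer")
    return problems


def render_config(config):
    """Serialise to the JSON that osqueryd reads."""
    return json.dumps(config, indent=2) + "\n"


def config_check(path):
    """Ask osqueryd to parse the file (osqueryd --config_check). Returns
    True/False, or None when osqueryd is not installed on this machine."""
    osqueryd = shutil.which("osqueryd") or "/opt/osquery/bin/osqueryd"
    if not os.path.exists(osqueryd):
        return None
    result = subprocess.run([osqueryd, "--config_check", "--config_path", path],
                            capture_output=True, text=True)
    return result.returncode == 0


if __name__ == "__main__":
    cfg = build_config()
    problems = validate_schedule(cfg)
    if problems:
        sys.exit("\n".join(problems))
    # Default to a temporary file; pass /etc/osquery/osquery.conf to install it.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.join(
        tempfile.gettempdir(), "osquery.conf")
    with open(target, "w") as fh:
        fh.write(render_config(cfg))
    print(f"wrote {target}; osqueryd --config_check: {config_check(target)}")
```

Run it as root with /etc/osquery/osquery.conf as the argument, then systemctl restart osqueryd; with the filesystem logger the scheduled results land in /var/log/osquery/osqueryd.results.log, one JSON object per line, ready to ship to your SIEM. The short interval on logged_in_users is deliberate: a login that starts and ends between two runs of a differential query is never logged, so size intervals by how long the events you care about persist.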

Conclusion

In this post, we showed you how to install Osquery on Oracle Linux 8, how to explore the system with the osqueryi shell, and how to run osqueryd under systemd so that the queries you care about run on a schedule. Try Osquery on dedicated hosting from Atlantic.Net!
