Osquery packs
12/23/2023

This post is about "Osquery integration with Wazuh".

What is osquery?

Osquery is an operating system instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD. The tools make low-level operating system analytics and monitoring both performant and intuitive.

Osquery exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.

The high-performance and low-footprint distributed host monitoring daemon, osqueryd, allows you to schedule queries to be executed across your entire infrastructure. The daemon takes care of aggregating the query results over time and generates logs which indicate state changes in your infrastructure. You can use this to maintain insight into the security, performance, configuration, and state of your entire infrastructure. osqueryd's logging can integrate into your internal log aggregation pipeline, regardless of your technology stack, via a robust plugin architecture.

The interactive query console, osqueryi, gives you a SQL interface to try out new queries and explore your operating system.

Exploring, understanding and monitoring macOS activity with osquery
Zach Wasserman (zach / zwass, zwass on osquery, thezachw)

The Problem: Sysadmins and security folks have a huge number of sources for the data relevant to their operations and decision-making. How can we reliably access this data to get an understanding of the system state in the present moment, and as it changes over time?

- Non-developers to access and aggregate data across disparate sources
- Performance/reliability to deploy across corporate and production infrastructure

macOS data sources:
- SQLite files (/var/db/SystemPolicy, etc.)
- System APIs (Apple System Log, Keychain, SMC, CoreFoundation, etc.)
- Application APIs (Docker, Carbon Black, etc.)
- Event-based APIs (FSEvents, OpenBSM, etc.)
- Filesystem (Shared folders, file hashes, permissions, etc.)
- Plists (/Library/Managed Installs/*, etc.)

osquery> SELECT * FROM

Tables available:
account_policy_data acpi_tables ad_config alf alf_exceptions alf_explicit_auths alf_services app_schemes apps apt_sources arp_cache asl augeas authorization_mechanisms authorizations authorized_keys block_devices browser_plugins carbon_black_info carves certificates chrome_extensions cpu_time cpuid crashes crontab cups_destinations cups_jobs curl curl_certificate device_file device_firmware device_hash device_partitions disk_encryption disk_events dns_resolvers docker_container_labels docker_container_mounts docker_container_networks docker_container_ports docker_container_processes docker_container_stats docker_containers docker_image_labels docker_images docker_info docker_network_labels docker_networks docker_version docker_volume_labels docker_volumes etc_hosts etc_protocols etc_services event_taps extended_attributes fan_speed_sensors file file_events firefox_addons gatekeeper gatekeeper_approved_apps groups hardware_events hash homebrew_packages intel_me_info interface_addresses interface_details iokit_devicetree iokit_registry kernel_extensions kernel_info kernel_panics keychain_acls keychain_items known_hosts last launchd launchd_overrides listening_ports load_average logged_in_users magic managed_policies mdfind memory_devices mounts nfs_shares nvram opera_extensions os_version osquery_events osquery_extensions osquery_flags osquery_info osquery_packs osquery_registry osquery_schedule package_bom package_install_history package_receipts pci_devices platform_info plist power_sensors preferences process_envs process_events process_memory_map process_open_files process_open_sockets processes prometheus_metrics python_packages quicklook_cache routes safari_extensions sandboxes shared_folders sharing_preferences shell_history signature sip_config smbios_tables smc_keys startup_items sudoers suid_bin system_controls system_info temperature_sensors time time_machine_backups time_machine_destinations uptime usb_devices user_events user_groups user_interaction_events user_ssh_keys users virtual_memory_info wifi_networks wifi_status wifi_survey xprotect_entries xprotect_meta xprotect_reports yara yara_events

Keychain:
osquery> select * from keychain_items;

File hashes:
osquery> select * from hash where path = '/bin/bash';

Users and the groups they belong to:
osquery> SELECT u.username, g.gid, g.groupname FROM users u JOIN user_groups ug USING (uid) JOIN groups g ON ug.gid = g.gid;
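The scheduled queries that osqueryd runs, and whose state changes it logs, are grouped into packs. The following pack is an added example written for this post; it is not code from the page, from the talk, or from the osquery project. The pack name (baseline), the file path /etc/osquery/packs/baseline.conf and the intervals are assumptions, and the queries are written against tables that appear in the list above (listening_ports, processes, kernel_extensions, user_ssh_keys, suid_bin, crontab, hash, users, user_groups, groups). It also shows the two logging modes the osqueryd paragraph implies: the default differential mode, which logs only added and removed rows, and snapshot mode, which logs the whole result set each run.

```json
{
  "platform": "posix",
  "queries": {
    "listening_services": {
      "query": "SELECT lp.pid, p.name, p.path, lp.address, lp.port, lp.protocol FROM listening_ports lp JOIN processes p USING (pid) WHERE lp.port != 0;",
      "interval": 300,
      "description": "Processes bound to a network port. A new listener is logged as an added row, a closed one as a removed row.",
      "value": "Catch unexpected services, reverse shells and backdoors"
    },
    "kernel_extensions": {
      "query": "SELECT name, version, path, linked_against FROM kernel_extensions;",
      "interval": 3600,
      "platform": "darwin",
      "description": "Loaded kernel extensions (macOS only, so the per-query platform overrides the pack-level posix)."
    },
    "user_ssh_keys": {
      "query": "SELECT u.username, k.path, k.encrypted FROM user_ssh_keys k JOIN users u USING (uid);",
      "interval": 3600,
      "removed": false,
      "description": "SSH private keys in user home directories and whether they are passphrase-protected. removed=false means only newly added keys are logged."
    },
    "suid_binaries": {
      "query": "SELECT path, username, groupname, permissions FROM suid_bin;",
      "interval": 3600,
      "description": "setuid/setgid binaries. A new entry is a privilege-escalation candidate and should be triaged."
    },
    "crontab": {
      "query": "SELECT event, minute, hour, day_of_month, month, day_of_week, command, path FROM crontab;",
      "interval": 3600,
      "description": "System and user cron entries, a common persistence location."
    },
    "shell_hashes": {
      "query": "SELECT path, sha256 FROM hash WHERE path IN ('/bin/bash', '/bin/sh', '/bin/zsh');",
      "interval": 3600,
      "description": "Hashes of common shells. A replaced binary shows up as a removed row for the old hash plus an added row for the new one."
    },
    "users_and_groups": {
      "query": "SELECT u.username, g.gid, g.groupname FROM users u JOIN user_groups ug USING (uid) JOIN groups g ON ug.gid = g.gid;",
      "interval": 86400,
      "snapshot": true,
      "description": "Full user-to-group mapping once a day, logged as a snapshot rather than as a diff."
    }
  }
}
```

To load it, reference the file from the packs section of osquery.conf, for example "packs": {"baseline": "/etc/osquery/packs/baseline.conf"}, then validate the whole configuration with osqueryd --config_check --config_path /etc/osquery/osquery.conf before deploying. With the default filesystem logger, differential results land in /var/log/osquery/osqueryd.results.log and snapshot results in /var/log/osquery/osqueryd.snapshots.log; those files are what a log pipeline such as the Wazuh integration this post is about would ship. The pack-level "platform": "posix" keeps it off Windows hosts, and the per-query "platform": "darwin" on kernel_extensions keeps a macOS-only table from erroring on Linux.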