如何使用 Osquery 监控 Linux 服务器的安全性

Osquery 是 Facebook 开发的开源安全威胁监控工具。 用于查询系统信息,包括系统版本、内核信息、运行进程、内存信息、监听端口、登录用户等。 Osquery 帮助系统管理员编写 SQL 查询来识别、探测和消除各种类型的威胁。 它支持多种操作系统,包括 Windows、Linux、FreeBSD 和 macOS。

在这篇文章中,我们将解释 Ubuntu 20.04 上安装和使用 Osquery。

先决条件

  • 云平台上的 Ubuntu 20.04 服务器
  • 在我们的服务器上配置的 root 密码

第 1 步 – 创建 云服务器

首先,登录到我们的 云服务器。 创建一个新服务器,选择 Ubuntu 20.04 作为至少 2GB RAM 的操作系统。 通过 SSH 连接到我们的云服务器并使用页面顶部突出显示的凭据登录。

登录到 Ubuntu 20.04 服务器后,运行以下命令以使用最新的可用软件包更新基本系统。

apt-get update -y

第 2 步 – 安装 Osquery

默认情况下,Osquery 包不包含在 Ubuntu 默认存储库中,因此我们需要将 Osquery 存储库添加到我们的系统中。

首先,使用以下命令安装所需的依赖项:

apt-get install gnupg2 software-properties-common wget unzip -y

接下来,使用以下命令添加 Osquery GPG 密钥:

export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY

接下来,使用以下命令将 Osquery 存储库添加到 APT:

add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'

添加存储库后,更新存储库并使用以下命令安装 Osquery:

apt-get update -y
apt-get install osquery -y

第 3 步 – 连接到 Osquery 控制台

Osquery 提供了一个交互式 shell 来执行查询和探索操作系统的当前状态。

我们可以使用以下命令连接到 Osquery shell:

osqueryi

连接后,我们应该得到以下输出:

Using a virtual database. Need help, type '.help'
osquery>

接下来,使用以下命令显示 Osquery 的默认设置:

osquery> .show

我们应该看到以下输出:

osquery - being built, with love.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
osquery 4.9.0
using SQLite 3.35.5

General settings:
     Flagfile: 
       Config: filesystem (/etc/osquery/osquery.conf)
       Logger: filesystem (/var/log/osquery/)
  Distributed: tls
     Database: ephemeral
   Extensions: core
       Socket: /root/.osquery/shell.em

Shell settings:
         echo: off
      headers: on
         mode: pretty
    nullvalue: ""
       output: stdout
    separator: "|"
        width: 

Non-default flags/options:
  database_path: /root/.osquery/shell.db
  disable_database: true
  disable_events: true
  disable_logging: true
  disable_watchdog: true
  extensions_socket: /root/.osquery/shell.em
  hash_delay: 0
  logtostderr: true
  stderrthreshold: 0

Osquery 有很多表可供查询。 我们可以使用以下命令列出它们:

osquery> .tables

样本输出:

  => acpi_tables
  => apparmor_events
  => apparmor_profiles
  => apt_sources
  => arp_cache
  => atom_packages
  => augeas
  => authorized_keys
  => azure_instance_metadata
  => azure_instance_tags
  => block_devices
  => bpf_process_events
  => bpf_socket_events
  => carbon_black_info
  => carves
  => chrome_extension_content_scripts
  => chrome_extensions
  => cpu_time
  => cpuid
  => crontab
  => curl
  => curl_certificate
  => deb_packages
  => device_file
  => device_hash
  => device_partitions
  => disk_encryption
  => dns_resolvers
  => docker_container_fs_changes
  => docker_container_labels
  => docker_container_mounts
  => docker_container_networks
  => docker_container_ports 

Osquery 有几种显示查询输出的模式。 在这里,我们将使用行模式来显示输出。

要设置线路模式,请运行以下命令:

osquery> .mode line

第 4 步 – 如何使用 Osquery

要获取有关我们正在运行的操作系统的信息,请运行:

osquery> SELECT * FROM system_info;

样本输出:

          hostname = ubuntu2004
              uuid = a83cffe2-50f4-4fea-9ef4-423853fdc122
          cpu_type = x86_64
       cpu_subtype = 6
         cpu_brand = QEMU Virtual CPU version 2.5+
cpu_physical_cores = 1
 cpu_logical_cores = 1
     cpu_microcode = 0x1
   physical_memory = 2084278272
   hardware_vendor = QEMU
    hardware_model = Standard PC (i440FX + PIIX, 1996)
  hardware_version = pc-i440fx-bionic
   hardware_serial = 
      board_vendor = 
       board_model = 
     board_version = 
      board_serial = 
     computer_name = ubuntu2004
    local_hostname = ubuntu2004

要过滤系统信息输出,请运行:

osquery> SELECT hostname, cpu_type, physical_memory, hardware_vendor, hardware_model FROM system_info;

样本输出:

       hostname = ubuntu2004
       cpu_type = x86_64
physical_memory = 2084278272
hardware_vendor = QEMU
 hardware_model = Standard PC (i440FX + PIIX, 1996)

要显示我们的操作系统版本,请运行:

osquery> SELECT * FROM os_version;

样本输出:

         name = Ubuntu
      version = 20.04 LTS (Focal Fossa)
        major = 20
        minor = 4
        patch = 0
        build = 
     platform = ubuntu
platform_like = debian
     codename = focal
         arch = x86_64

要显示我们的内核信息,请运行:

osquery> SELECT * FROM kernel_info;

样本输出:

  version = 5.4.0-29-generic
arguments = ro net.ifnames=0 biosdevname=0 console=ttyS0 console=tty0
     path = /boot/vmlinuz-5.4.0-29-generic
   device = UUID=29a0b164-1ba1-45a7-b23a-cdb98f23edbc

要使用服务名称和 PID 显示所有侦听端口,请运行:

osquery> SELECT DISTINCT processes.name, listening_ports.port, processes.pid FROM listening_ports JOIN processes USING (pid) WHERE listening_ports.address="0.0.0.0";

样本输出:

 name = unbound
 port = 53
  pid = 3407

 name = sshd
 port = 22
  pid = 649

 name = unbound
 port = 953
  pid = 3407

 name = darkstat
 port = 666
  pid = 6100

 name = darkstat
 port = 667
  pid = 6109

 name = apt-cacher-ng
 port = 3142
  pid = 4071

 name = ntpd
 port = 123
  pid = 483

要显示 Apache 包的信息,请运行:

osquery> SELECT name, version FROM deb_packages WHERE name="apache2";

样本输出:

+---------+-------------------+
| name    | version           |
+---------+-------------------+
| apache2 | 2.4.41-4ubuntu3.4 |
+---------+-------------------+

要显示系统内存信息,请运行:

osquery> SELECT * FROM memory_info;

样本输出:

+--------------+-------------+----------+-----------+-------------+-----------+-----------+------------+-----------+
| memory_total | memory_free | buffers  | cached    | swap_cached | active    | inactive  | swap_total | swap_free |
+--------------+-------------+----------+-----------+-------------+-----------+-----------+------------+-----------+
| 2084278272   | 1358233600  | 44519424 | 520896512 | 0           | 406622208 | 222449664 | 495411200  | 495411200 |
+--------------+-------------+----------+-----------+-------------+-----------+-----------+------------+-----------+

要显示所有网络接口的信息,请运行:

osquery> SELECT * FROM interface_addresses;

样本输出:

+-----------+-------------------------------+-----------------------------------------+---------------+----------------+---------+
| interface | address                       | mask                                    | broadcast     | point_to_point | type    |
+-----------+-------------------------------+-----------------------------------------+---------------+----------------+---------+
| lo        | 127.0.0.1                     | 255.0.0.0                               |               | 127.0.0.1      | unknown |
| eth0      | 69.87.221.220                 | 255.255.255.0                           | 69.87.221.255 |                | unknown |
| lo        | ::1                           | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |               |                | unknown |
| eth0      | fe80::200:45ff:fe57:dddc%eth0 | ffff:ffff:ffff:ffff::                   |               |                | unknown |
+-----------+-------------------------------+-----------------------------------------+---------------+----------------+---------+

要检查系统正常运行时间,请运行:

osquery> SELECT * FROM uptime;

样本输出:

+------+-------+---------+---------+---------------+
| days | hours | minutes | seconds | total_seconds |
+------+-------+---------+---------+---------------+
| 0    | 1     | 55      | 5       | 6905          |
+------+-------+---------+---------+---------------+

要列出 UID 大于 1000 的所有用户,请运行:

osquery> SELECT * FROM users WHERE uid>=1000;

样本输出:

+-------+-------+------------+------------+----------+-------------+--------------+-------------------+------+
| uid   | gid   | uid_signed | gid_signed | username | description | directory    | shell             | uuid |
+-------+-------+------------+------------+----------+-------------+--------------+-------------------+------+
| 65534 | 65534 | 65534      | 65534      | nobody   | nobody      | /nonexistent | /usr/sbin/nologin |      |
| 65534 | 65534 | 65534      | 65534      | nobody   | nobody      | /            | /usr/sbin/nologin |      |
+-------+-------+------------+------------+----------+-------------+--------------+-------------------+------+

要检查上次登录的用户,请运行:

osquery> SELECT * FROM last;

样本输出:

+----------+-------+------+------+------------+-----------------+
| username | tty   | pid  | type | time       | host            |
+----------+-------+------+------+------------+-----------------+
| root     | pts/0 | 1013 | 7    | 1629008887 | 106.213.193.155 |
| root     | pts/1 | 3372 | 7    | 1629010656 | 106.213.193.155 |
| root     | pts/2 | 4158 | 7    | 1629013021 | 106.213.193.155 |
+----------+-------+------+------+------------+-----------------+

要显示所有登录用户,请运行:

osquery> SELECT * FROM logged_in_users;

样本输出:

+-----------+----------+------------+------------------+------------+------+
| type      | user     | tty        | host             | time       | pid  |
+-----------+----------+------------+------------------+------------+------+
| boot_time | reboot   | ~          | 5.4.0-29-generic | 1629008369 | 0    |
| init      |          | /dev/tty1  |                  | 1629008378 | 491  |
| init      |          | /dev/ttyS0 |                  | 1629008378 | 484  |
| login     | LOGIN    | ttyS0      |                  | 1629008378 | 484  |
| login     | LOGIN    | tty1       |                  | 1629008378 | 491  |
| runlevel  | runlevel | ~          | 5.4.0-29-generic | 1629008383 | 53   |
| user      | root     | pts/0      | 106.213.193.155  | 1629008887 | 1013 |
| user      | root     | pts/1      | 106.213.193.155  | 1629010656 | 3372 |
| user      | root     | pts/2      | 106.213.193.155  | 1629013021 | 4158 |
+-----------+----------+------------+------------------+------------+------+

在上面的指南中,我们解释了如何安装和使用 Osquery 通过运行基于 SQL 的查询从操作系统获取数据。 它是一个非常有用且易于使用的工具,可用于查找后门、恶意软件、僵尸进程等。 立即从 在我们的 VPS 上开始使用 Osquery!

© 版权声明
THE END
喜欢就支持一下吧
点赞10 分享
评论 抢沙发

请登录后发表评论