
How to Monitor Linux Server Security with Osquery

Last Updated : 02 Jan, 2023

osquery is an open-source security tool that exposes the operating system as a relational database: system state is presented as tables that you query with SQL-like statements. With these queries you can perform security audits of the target server, monitor file integrity, inspect the firewall's status and settings, and more. It is a cross-platform program that works with current releases of macOS, Windows 10, CentOS, and Ubuntu. It was developed by Facebook and is officially described as a "SQL-powered operating system instrumentation, monitoring, and analytics" framework. With osquery you can issue a query such as select * from logged_in_users; to your server and receive the matching rows as a result table.

Stepwise Implementation

Step 1: Osquery installation on the server

Osquery may be installed via package management or by building it from source. Because Ubuntu's standard repositories do not carry an installable package, you must add the project's official repository to your system.

Add the public key for the repository first:

$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B800

Step 2: Add the repository next:

$ sudo add-apt-repository "deb [arch=amd64] https://osquery-packages.s3.amazonaws.com/xenial xenial main"

Step 3: Update the package database:

$ sudo apt-get update

The output will include numerous command-line flags and configuration options. A portion of the output from the test server used for this article is shown below.

Step 4: The simplest way to list and query the built-in osquery tables is to run osqueryi. For example, start it with the following command:

$ osqueryi --verbose

Step 5: Allowing Osquery access to the system log

In this step, we'll change the syslog program on the operating system so that osquery can access and query the system log. On Ubuntu 16.04 that means editing the Rsyslog configuration file, and all that needs to change is the addition of a few lines to that file.

Open the /etc/rsyslog.conf file first:

$ sudo nano /etc/rsyslog.conf

Step 6: Osquery Configuration File Creation

Create and open the configuration file with the following command:

$ sudo nano /etc/osquery/osquery.conf

Step 7: Osquery File Integrity Monitoring Pack Configuration

Open the newly created file in your editor.

$ sudo nano /usr/share/osquery/packs/fim.conf

Step 8: Conducting Ad-hoc Security Checks using Osqueryi

Start osqueryi with the configuration file:

$ sudo osqueryi --config_path /etc/osquery/osquery.conf --verbose

Step 9: Running osqueryd. Since the configuration file has already been created, all that remains is to start the daemon:

$ sudo systemctl start osqueryd

The size of /var/log/osquery/osqueryd.results.log should grow shortly after the daemon is started. You can watch that happen by tailing the log with the following command:

$ sudo tail -f /var/log/osquery/osqueryd.results.log

Press CTRL+C to stop tailing the log.
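As an added example that is not part of the original article, the following Python script reads lines in the one-JSON-object-per-line format that osqueryd writes to osqueryd.results.log and flags file-integrity events under sensitive paths. The sample log lines, the query name pack_fim_file_events, the host name, timestamps and hashes are all constructed for this example, and the list of sensitive path prefixes is an assumed local policy.

```python
import json
from collections import Counter
from typing import Iterable

# Assumed policy: changes under these prefixes are treated as high priority.
SENSITIVE_PREFIXES = ("/etc/", "/usr/bin/", "/usr/sbin/")

# Constructed sample in osqueryd's results-log format (one JSON object per line).
# Differential rows carry "action":"added"/"removed" plus "columns"; snapshot
# rows carry "action":"snapshot" plus a "snapshot" list. The last line imitates
# a partially written line seen while tailing a live log.
SAMPLE_LOG = r"""
{"name":"pack_fim_file_events","hostIdentifier":"web-01","calendarTime":"Mon Jan  2 10:00:00 2023 UTC","unixTime":1672653600,"action":"added","columns":{"target_path":"/etc/passwd","category":"etc","action":"UPDATED","sha256":"0000000000000000000000000000000000000000000000000000000000000001","time":"1672653590"}}
{"name":"pack_fim_file_events","hostIdentifier":"web-01","calendarTime":"Mon Jan  2 10:00:05 2023 UTC","unixTime":1672653605,"action":"added","columns":{"target_path":"/home/deploy/notes.txt","category":"home","action":"CREATED","sha256":"","time":"1672653604"}}
{"name":"pack_fim_file_events","hostIdentifier":"web-01","calendarTime":"Mon Jan  2 10:00:10 2023 UTC","unixTime":1672653610,"action":"added","columns":{"target_path":"/usr/bin/sudo","category":"binaries","action":"DELETED","sha256":"","time":"1672653609"}}
{"name":"pack_osquery-monitoring_schedule","hostIdentifier":"web-01","calendarTime":"Mon Jan  2 10:00:15 2023 UTC","unixTime":1672653615,"action":"snapshot","snapshot":[{"name":"pack_fim_file_events","executions":"3"}]}
{"name":"pack_fim_file_events","hostIdentifier":"web-01","calendarTi
"""


def parse_results_log(lines: Iterable[str]) -> list[dict]:
    """Parse result-log lines, skipping blanks and anything that is not a JSON object."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # incomplete line from a log still being written; ignore it
        if isinstance(rec, dict):
            records.append(rec)
    return records


def fim_alerts(records: list[dict]) -> list[dict]:
    """Return differential file_events rows whose path is under a sensitive prefix."""
    alerts = []
    for rec in records:
        # Only differential "added" rows describe a new file change; snapshot
        # rows and "removed" rows are skipped.
        if rec.get("action") != "added" or not rec.get("name", "").startswith("pack_fim_"):
            continue
        cols = rec.get("columns", {})
        path = cols.get("target_path", "")
        if path.startswith(SENSITIVE_PREFIXES):
            alerts.append({"host": rec.get("hostIdentifier"), "path": path,
                           "change": cols.get("action"), "when": rec.get("calendarTime")})
    return alerts


def rows_per_query(records: list[dict]) -> Counter:
    """Count differential rows by query name; a quick check that the schedule is producing output."""
    return Counter(r["name"] for r in records if r.get("action") in ("added", "removed"))
```

Pointing parse_results_log at open("/var/log/osquery/osqueryd.results.log") instead of SAMPLE_LOG.splitlines() runs the same checks over a real results log.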

Conclusion:

Osquery is a powerful tool that lets you run scheduled and ad-hoc queries using familiar SQL syntax. The osquery component for one-off queries is osqueryi, and the one for scheduled queries is osqueryd. To interpret the results of scheduled queries, you must send them to an external log analysis tool. Visit https://osquery.io/ to learn more about osquery.
