Installation of osquery in Ubuntu
I have always wanted to use osquery and check out its capabilities so that I can understand how it can help me identify adversaries in my environment. But to do that, I first needed to understand how it all works. In this post, I will install osquery and explore what it can do and how it can assist me in protecting my environment.
Follow the steps below to install osqueryi in a virtual machine running the following:
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.2 LTS"
$ uname -a
Linux osquery1 6.2.0-26-generic #26~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Jul 13 16:27:29 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Install some packages
sudo apt install curl
We need to add the repository in order to install osquery.
curl -fsSL https://pkg.osquery.io/deb/pubkey.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/osquery.gpg
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/osquery.gpg] https://pkg.osquery.io/deb deb main" | sudo tee /etc/apt/sources.list.d/osquery.list > /dev/null
sudo apt update
sudo apt install osquery

==> OUTPUT
Hit:1 http://gb.archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://security.ubuntu.com/ubuntu jammy-security InRelease
Hit:3 http://gb.archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:4 http://gb.archive.ubuntu.com/ubuntu jammy-backports InRelease
Get:5 https://osquery-packages.s3.us-east-1.amazonaws.com/deb deb InRelease [69.9 kB]
Get:6 https://osquery-packages.s3.us-east-1.amazonaws.com/deb deb/main amd64 Packages [20.7 kB]
Fetched 90.6 kB in 1s (84.0 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
327 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  osquery
0 upgraded, 1 newly installed, 0 to remove and 327 not upgraded.
Need to get 30.0 MB of archives.
After this operation, 86.0 MB of additional disk space will be used.
Get:1 https://osquery-packages.s3.us-east-1.amazonaws.com/deb deb/main amd64 osquery amd64 5.9.1-1.linux [30.0 MB]
Fetched 30.0 MB in 9s (3,382 kB/s)
Selecting previously unselected package osquery.
(Reading database ... 203957 files and directories currently installed.)
Preparing to unpack .../osquery_5.9.1-1.linux_amd64.deb ...
Unpacking osquery (5.9.1-1.linux) ...
Setting up osquery (5.9.1-1.linux) ...
osquery should now be installed and we can run it.
$ osqueryi
Using a virtual database. Need help, type '.help'
osquery> .help
Welcome to the osquery shell. Please explore your OS!
You are connected to a transient 'in-memory' virtual database.

.all [TABLE]       Select all from a table
.bail ON|OFF       Stop after hitting an error
.connect PATH      Connect to an osquery extension socket
.disconnect        Disconnect from a connected extension socket
.echo ON|OFF       Turn command echo on or off
.exit              Exit this program
.features          List osquery's features and their statuses
.headers ON|OFF    Turn display of headers on or off
.help              Show this message
.mode MODE         Set output mode where MODE is one of:
                     csv      Comma-separated values
                     column   Left-aligned columns see .width
                     line     One value per line
                     list     Values delimited by .separator string
                     pretty   Pretty printed SQL results (default)
.nullvalue STR     Use STRING in place of NULL values
.print STR...      Print literal STRING
.quit              Exit this program
.schema [TABLE]    Show the CREATE statements
.separator STR     Change separator used by output mode
.socket            Show the local osquery extensions socket path
.show              Show the current values for various settings
.summary           Alias for the show meta command
.tables [TABLE]    List names of tables
.types [SQL]       Show result of getQueryColumns for the given query
.width [NUM1]+     Set column widths for "column" mode
.timer ON|OFF      Turn the CPU timer measurement on or off
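With the shell open, the natural next step is to ask it the questions a defender cares about. The queries below are an added example, not part of the original post, written to be typed at the osquery> prompt (or passed to osqueryi on the command line). They assume osquery's standard Linux table schema for processes, listening_ports, users, logged_in_users and crontab; the results will of course reflect whatever is running in your own VM.

```sql
-- Added example (not from the original post): first osqueryi queries after
-- installation. Table and column names are osquery's standard Linux schema.
-- Each statement ends with ';' as osqueryi expects. Tip: '.schema processes'
-- at the prompt prints the CREATE statement for any table before you query it.

-- 1. Which processes hold a listening socket, and which binary owns each one?
--    Joining listening_ports to processes turns a bare port list into something
--    you can triage: an unexpected path, an odd user, or an unusual port.
SELECT lp.port, lp.protocol, lp.address, p.pid, p.name, p.path, p.cmdline
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
WHERE lp.port != 0
ORDER BY lp.port;

-- 2. Running processes whose executable is no longer on disk. A binary that
--    was dropped, executed and then deleted still shows up here, which is
--    difficult to spot with ordinary tooling.
SELECT pid, name, path, cmdline
FROM processes
WHERE on_disk = 0;

-- 3. Local accounts that can log in interactively, plus who is logged in now.
--    Filtering out nologin/false shells leaves the accounts worth reviewing.
SELECT uid, username, shell, directory
FROM users
WHERE shell NOT LIKE '%nologin' AND shell NOT LIKE '%false';

SELECT user, tty, host, datetime(time, 'unixepoch') AS logged_in_since
FROM logged_in_users;

-- 4. Persistence through cron: every scheduled command and the file it lives in,
--    so a new or unfamiliar entry stands out.
SELECT path, command, minute, hour, day_of_month, month, day_of_week
FROM crontab;
```

Switching to `.mode line` before running the first query makes the long cmdline column readable, and `.tables` lists everything else the installed version exposes so you can extend this set from there.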