osquery is a robust, free, and open-source tool developed by Facebook. It allows users to query a wealth of operating system-related information such as memory usage, installed packages, process specifics, login users, listening ports, and much more. osquery is versatile, running on a range of operating systems including Windows, Linux, FreeBSD, and MacOS. This tool is essential for troubleshooting performance and operational issues, and it provides a suite of analytical and monitoring tools for system administrators.
In this tutorial, we will explore how to install and use osquery on Debian 10.
Prerequisites
- A server running Debian 10.
- Root user access to the server.
Getting Started
Before diving into the installation, ensure your system’s packages are up to date. Run the following commands to update all packages:
apt-get update -y apt-get upgrade -y
After the updates are complete, restart your system to apply these changes.
Install osquery
osquery is not included in the default Debian 10 repository, so you must add its repository to your system.
First, download and add the GPG key with the command below:
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
Next, add the osquery repository with this command:
apt-get install software-properties-common -y add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
Update the repository list and install osquery by executing:
apt-get update -y apt-get install osquery -y
Once the installation is complete, initiate the osquery service using the following command:
osqueryctl start osqueryd
To verify the osquery status, use this command:
osqueryctl status osqueryd
You should see output indicating the daemon is active and running.
Working with osquery
osquery comprises three key components: osqueryi, osqueryd, and osqueryctl. The osqueryi is an interactive shell for executing queries and inspecting your operating system. In contrast, osqueryd is a monitoring daemon for scheduling queries and tracking OS state changes. The osqueryctl is a useful script for testing configurations.
To access the osquery shell, execute:
osqueryi
This should return a message indicating connection to a virtual database. For a full list of available commands, type:
osquery> .help
The return will include a variety of usable commands and utilities to perform system queries.
Monitor Your System with osquery
osquery enables monitoring of various system parameters like memory usage, process information, disk space, login users, and more. Launch the osquery shell with:
osqueryi
Use the following examples for system queries:
-
- Get system information:
osquery> select hostname,cpu_physical_cores,physical_memory from system_info;
-
- SSH config details:
osquery> select * from ssh_configs;
-
- List all system users:
osquery> SELECT * FROM users;
-
- Top process details:
osquery> select count(pid) as total, name from processes group by name order by total desc limit 5;
Conclusion
In this guide, we successfully installed and utilized osquery on Debian 10. osquery is a useful tool for detecting backdoors, malware, and any undesirable processes in your system. For more detailed information, visit the osquery documentation.
FAQ
- Can I run osquery on other systems besides Debian?
Yes, osquery is compatible with multiple operating systems such as Windows, Linux (different distributions), FreeBSD, and MacOS.
- Do I need root access to install osquery?
Yes, installation and certain functionalities require root privileges for proper setup and execution on Debian.
- What are the main components of osquery?
osquery consists of osqueryi, a shell for interactive querying; osqueryd, a daemon for scheduling and monitoring; and osqueryctl, a configuration testing script.
- How do I update osquery?
Simply run the standard update commands `apt-get update` and `apt-get upgrade` to update any software, including osquery, if updates are available.
- Is osquery suitable for production environments?
Yes, osquery is designed to be secure, efficient, and comprehensive, making it suitable for both development and production environments.