A quick trial of osquery

Note:

osquery is Facebook's open-source tool that exposes operating-system metrics as SQL queries. It is convenient and easy to use, and well suited to DevOps performance analysis and system monitoring.

1. Installation

See https://osquery.io/downloads/official/2.11.2
I am on CentOS and installed from the rpm package:

wget https://pkg.osquery.io/rpm/osquery-2.11.2-1.linux.x86_64.rpm

yum install -y osquery-2.11.2-1.linux.x86_64.rpm
 
2. Basic usage
a. Simple SQL

osqueryi

For example, to query the system's users:

select * from users;

b. List the system tables

.table

  => acpi_tables
  => apt_sources
  => arp_cache
  => augeas
  => authorized_keys
  => block_devices
  => carbon_black_info
  => carves
  => chrome_extensions
  => cpu_time
  => cpuid
  => crontab
  => curl
  => curl_certificate
  => deb_packages
  => device_file
  => device_hash
  => device_partitions
  => disk_encryption
  => dns_resolvers
  => docker_container_labels
  => docker_container_mounts
  => docker_container_networks
  => docker_container_ports
  => docker_container_processes
  => docker_container_stats
  => docker_containers
  => docker_image_labels
  => docker_images
  => docker_info
  => docker_network_labels
  => docker_networks
  => docker_version
  => docker_volume_labels
  => docker_volumes
  => ec2_instance_metadata
  => ec2_instance_tags
  => etc_hosts
  => etc_protocols
  => etc_services
  => file
  => file_events
  => firefox_addons
  => groups
  => hardware_events
  => hash
  => intel_me_info
  => interface_addresses
  => interface_details
  => iptables
  => kernel_info
  => kernel_integrity
  => kernel_modules
  => known_hosts
  => last
  => listening_ports
  => lldp_neighbors
  => load_average
  => logged_in_users
  => magic
  => md_devices
  => md_drives
  => md_personalities
  => memory_info
  => memory_map
  => mounts
  => msr
  => opera_extensions
  => os_version
  => osquery_events
  => osquery_extensions
  => osquery_flags
  => osquery_info
  => osquery_packs
  => osquery_registry
  => osquery_schedule
  => pci_devices
  => platform_info
  => portage_keywords
  => portage_packages
  => portage_use
  => process_envs
  => process_events
  => process_memory_map
  => process_open_files
  => process_open_sockets
  => processes
  => prometheus_metrics
  => python_packages
  => routes
  => rpm_package_files
  => rpm_packages
  => shadow
  => shared_memory
  => shell_history
  => smbios_tables
  => socket_events
  => startup_items
  => sudoers
  => suid_bin
  => syslog_events
  => system_controls
  => system_info
  => time
  => uptime
  => usb_devices
  => user_events
  => user_groups
  => user_ssh_keys
  => users
  => yara
  => yara_events

c. Show a table's schema

.schema table_name
For example:

.schema users
CREATE TABLE users(`uid` BIGINT, `gid` BIGINT, `uid_signed` BIGINT, `gid_signed` BIGINT, `username` TEXT, `description` TEXT, `directory` TEXT, `shell` TEXT, `uuid` TEXT, `type` TEXT HIDDEN, PRIMARY KEY (`uid`, `username`)) WITHOUT ROWID;

Note: it really is just writing SQL; all you need to do is query the data in the relevant table. It is very powerful, and all the mainstream operating systems are supported.
 
3. A few small tips
Changing the output mode:
.mode line   similar to MySQL's \G
.table       list the system tables
.schema      show a table's structure
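The session below is an added example and not part of the original post. It combines the `.mode line` tip with a few defender-oriented queries that join tables from the `.table` listing above (listening_ports, processes, users, authorized_keys, suid_bin). Column names follow osquery's Linux schema for this version; the excluded login shells and the "standard" path prefixes are assumptions about a typical CentOS host and should be adjusted for yours.

```sql
-- Added example (not from the original post): typed into the osqueryi shell.
-- Tables and columns are from osquery's Linux schema; the shell list and
-- path prefixes below are assumptions about a typical CentOS host.

-- Print one column per line (like MySQL's \G); wide joins are unreadable
-- in the default column mode.
.mode line

-- 1. Which process owns each listening socket, and as which user?
--    protocol is numeric: 6 = TCP, 17 = UDP. Good for spotting services
--    that should not be exposed on this host.
SELECT lp.port, lp.protocol, lp.address,
       p.pid, p.name, p.path, p.cmdline,
       u.username
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
LEFT JOIN users AS u ON u.uid = p.uid
WHERE lp.port != 0
ORDER BY lp.port;

-- 2. Every uid-0 account, plus every account with a usable login shell.
--    Anything unexpected here deserves a look (account hygiene check).
SELECT uid, username, directory, shell
FROM users
WHERE uid = 0
   OR shell NOT IN ('/sbin/nologin', '/usr/sbin/nologin', '/bin/false')
ORDER BY uid;

-- 3. Which users have SSH authorized_keys installed, and in which file.
--    The join on uid is how osquery scopes per-user tables to an account.
SELECT u.username, a.key_file, a.algorithm
FROM users AS u
JOIN authorized_keys AS a ON a.uid = u.uid
ORDER BY u.username;

-- 4. SUID binaries outside the usual system directories.
--    Package-managed SUID binaries live under these prefixes; a SUID file
--    elsewhere is worth explaining.
SELECT path, username, permissions
FROM suid_bin
WHERE path NOT LIKE '/usr/bin/%'
  AND path NOT LIKE '/usr/sbin/%'
  AND path NOT LIKE '/bin/%'
  AND path NOT LIKE '/sbin/%'
ORDER BY path;
```

Each of these runs interactively in osqueryi exactly as shown; once a query is useful as a baseline, the same SQL can be scheduled in osqueryd so that changes in its result set are logged instead of being checked by hand.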
 
 
4. References
https://osquery.io/