How to Monitor Linux Server Security with Osquery


Osquery is a free, open source, powerful and cross-platform operating system instrumentation, monitoring and analytics framework for Linux, FreeBSD, Windows and macOS, originally developed by Facebook (it is now maintained under the Linux Foundation). It is a simple, easy-to-use operating system explorer.

It combines a number of tools that perform low-level OS analytics and monitoring; these tools expose the operating system as a high-performance relational database, much like MySQL/MariaDB or PostgreSQL, in which OS concepts such as processes, users and open sockets are represented as tables. Users can therefore write plain SQL to monitor and analyze the system. The query engine is SQLite, so SQLite syntax and built-in functions apply.

Osquery implements its SQL tables through a simple plugin and extensions API; a large collection of tables is already available and ready for use, and more are being written. Some tables exist only on a particular operating system; for example, the kernel_modules table is found only on Linux systems.

In addition, you can run queries to monitor and analyze OS state on a single host through the osqueryi interactive shell, on many hosts across a network through the scheduler built into the osqueryd daemon, or from your own applications using the osquery Thrift APIs.

How to Install Osquery on Linux

You can install Osquery from the official repository using your distribution's package manager (apt, yum or dnf) as shown below.

On Debian/Ubuntu:

$ export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY
$ sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
$ sudo apt update
$ sudo apt install osquery

On CentOS/RHEL:

$ curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
$ sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
$ sudo yum-config-manager --enable osquery-s3-rpm-repo
$ sudo yum install osquery

On Fedora:

$ curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
$ sudo dnf config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
$ sudo dnf config-manager --set-enabled osquery-s3-rpm-repo
$ sudo dnf install osquery

The full 40-character fingerprint is passed to --recv-keys so that the signing key cannot be confused with one that merely shares a short key ID, and the RPM repository file enables GPG checking of every package it installs. Note that apt-key is deprecated on current Debian and Ubuntu releases; there, import the key into a dedicated keyring under /etc/apt/keyrings and reference it with a signed-by option in the repository line instead, as the osquery installation documentation describes.

How to Monitor and Analyze Linux Using Osquery

Once Osquery is installed on your machine, launch the osqueryi shell to start querying your OS state as shown.

$ osqueryi

Using a virtual database. Need help, type '.help'
osquery> 

To get a summary of Linux system information (hostname, CPU, physical memory, hardware vendor and model), run the following query.

osquery> SELECT * FROM system_info;

To get a neatly formatted list of all users on the Linux system, run the following query.

osquery> SELECT * FROM users;

To get a list of all loaded Linux kernel modules and their status, run the following query.

osquery> SELECT * FROM kernel_modules;

To get a list of all RPM packages installed on CentOS, RHEL and Fedora, run the following query. The .all meta-command is shorthand for SELECT * FROM a table; on Debian and Ubuntu, query the deb_packages table instead.

osquery> .all rpm_packages

To see which processes are listening for connections on all interfaces (address 0.0.0.0), join the listening_ports table with the processes table on the pid column, as in the following query.

osquery> SELECT DISTINCT processes.name, listening_ports.port, processes.pid
    ...> FROM listening_ports JOIN processes USING (pid)
    ...> WHERE listening_ports.address = '0.0.0.0';
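The join above is the pattern behind most osquery-based hunting. The following queries are an added example, not from the original article, that extend it to a small set of checks an administrator would typically run in osqueryi on a Linux server: listening services with their binary path and owning account, processes whose executable has been removed from disk, unexpected UID 0 or interactive accounts, SUID/SGID binaries outside the standard system directories, and every SSH authorized key on the host. The tables and columns are real osquery tables; the directory allow-list in the suid_bin query and the UID 1000 cutoff are assumptions to adjust for your distribution.

```sql
-- Added example (not from the article): a small hunting set for one Linux
-- host, to be pasted into osqueryi one statement at a time.

-- 1. Services listening on all interfaces, with the owning process, its
--    binary and the account it runs as. protocol is the IP protocol number
--    (6 = TCP, 17 = UDP). '::' is the IPv6 wildcard address.
SELECT p.pid,
       p.name,
       p.path,
       u.username,
       lp.protocol,
       lp.port
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
LEFT JOIN users AS u ON u.uid = p.uid
WHERE lp.address IN ('0.0.0.0', '::')
ORDER BY lp.port;

-- 2. Running processes whose executable no longer exists on disk
--    (on_disk = 0). Seen with in-memory malware, but also with daemons
--    that were upgraded underneath and never restarted, so check both.
SELECT pid, name, path, cmdline, uid
FROM processes
WHERE on_disk = 0;

-- 3. Accounts that are root-equivalent under another name, or regular
--    users (UID >= 1000, an assumption for typical distributions) that
--    still have an interactive login shell.
SELECT username, uid, gid, shell, directory
FROM users
WHERE (uid = 0 AND username != 'root')
   OR (uid >= 1000
       AND shell NOT IN ('/usr/sbin/nologin', '/sbin/nologin', '/bin/false'));

-- 4. SUID/SGID binaries outside the directories where the distribution
--    normally installs them (the allow-list below is an assumption).
SELECT path, username, groupname, permissions
FROM suid_bin
WHERE path NOT LIKE '/usr/bin/%'
  AND path NOT LIKE '/usr/sbin/%'
  AND path NOT LIKE '/usr/lib/%'
  AND path NOT LIKE '/usr/libexec/%'
  AND path NOT LIKE '/bin/%'
  AND path NOT LIKE '/sbin/%';

-- 5. Every SSH authorized key on the host and the account it unlocks.
--    authorized_keys is driven by uid, so enumerate it from users with a
--    CROSS JOIN as the osquery schema documentation recommends.
SELECT u.username,
       ak.key_file,
       ak.algorithm,
       substr(ak.key, 1, 24) AS key_prefix
FROM users AS u
CROSS JOIN authorized_keys AS ak USING (uid);
```

Results naturally differ from host to host, so run each query on a known-good machine first and keep that output as a baseline; a hit is only interesting when it differs from the baseline.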

If you are running osquery on a desktop with Firefox or Chrome installed, you can list all of their add-ons and extensions with the following queries.

osquery> .all firefox_addons
osquery> .all chrome_extensions

To display a list of all tables implemented on Linux, use the .tables meta-command; .help prints the shell's help message.

osquery> .tables
osquery> .help

Osquery also offers file integrity monitoring (FIM), process and socket auditing and more, which makes it usable as an intrusion detection tool. These features rely on event-based tables (file_events, process_events, socket_events) that only fill once the osqueryd daemon is running with events enabled and the paths to watch declared under file_paths in its configuration, so they call for some setup before you deploy osquery for that purpose. You can find more information in the Osquery GitHub repository.
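As an added example, not from the article or the osquery project, the queries below show what reading those event-based tables looks like and, first, how to confirm that the daemon is actually configured to collect them. They assume an osquery.conf whose options set disable_events to false, enable_file_events to true, disable_audit to false and audit_allow_config to true, and whose file_paths block maps a category name to the paths to watch (for instance a category "etc" covering /etc/%%). The flag names and table columns are real; the category name "etc" and the LIMIT values are assumptions.

```sql
-- Added example (not from the article): reading osquery's event-based
-- tables, after checking that collection is actually switched on.

-- 1. The flags that gate event collection. Expected values: disable_events
--    false, enable_file_events true, disable_audit false, audit_allow_config
--    true, audit_allow_process_events true, audit_allow_sockets true.
--    With any other value the tables below stay empty and report no error.
SELECT name, value
FROM osquery_flags
WHERE name IN ('disable_events',
               'enable_file_events',
               'disable_audit',
               'audit_allow_config',
               'audit_allow_process_events',
               'audit_allow_sockets');

-- 2. File integrity events for the paths under "file_paths" in the config.
--    category is the key you gave that path group (assumed "etc" here).
SELECT datetime(time, 'unixepoch') AS at,
       category, action, target_path, uid, gid, sha256
FROM file_events
WHERE category = 'etc'
  AND action IN ('CREATED', 'UPDATED', 'DELETED', 'ATTRIBUTES_MODIFIED')
ORDER BY time DESC
LIMIT 50;

-- 3. Process executions recorded through the audit subsystem. auid is the
--    login UID, which survives su and sudo, so it names the human behind
--    a root shell even when uid is 0.
SELECT datetime(pe.time, 'unixepoch') AS at,
       pe.pid, pe.parent, u.username AS login_user, pe.uid, pe.path, pe.cmdline
FROM process_events AS pe
LEFT JOIN users AS u ON u.uid = pe.auid
ORDER BY pe.time DESC
LIMIT 50;

-- 4. Outbound connection attempts, the counterpart of the listening_ports
--    view earlier on the page. success is 1 when the connect call succeeded.
SELECT datetime(time, 'unixepoch') AS at,
       pid, path, remote_address, remote_port, success
FROM socket_events
WHERE action = 'connect'
  AND remote_address NOT IN ('127.0.0.1', '::1')
ORDER BY time DESC
LIMIT 50;
```

Event tables are populated by a running daemon, or by an osqueryi session started with the same configuration and --disable_events=false, and in production they are read by scheduled queries in osqueryd whose results go to the results log. Querying them interactively as above is for verifying that the configuration works before you rely on it.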