Last Updated: 6/26/2024
This is a place holder. You can use osquery as a easy way to query information about your workstations. Fleet – which is a GUI portal can use osquery to … well manage information about your nodes.
The beauty of using this is that you can reference everything as a query. This can serve as a fundamental building block to answer so many questions.
For downloads please visit: https://osquery.io/downloads/official/5.12.1
You will need to know to adapt as the pages/version change. While this post is great for this point in time... this product is actively updated and so the links will change. I do attempt to update this on a regular basis. (where the definition of regular might not be that regular)
You can download the binary. For example for debian – at the time of this writing I can use
wget https://pkg.osquery.io/deb/osquery_5.12.1-1.linux_amd64.debInstalling the package
root@node1:/home/ubuntu# dpkg -i osquery_5.12.1-1.linux_amd64.deb
root@nodeb-01:~/dev# dpkg -i osquery_5.12.1-1.linux_amd64.deb
Selecting previously unselected package osquery.
(Reading database ... 120970 files and directories currently installed.)
Preparing to unpack osquery_5.12.1-1.linux_amd64.deb ...
Unpacking osquery (5.12.1-1.linux) ...
Setting up osquery (5.12.1-1.linux) ...
1291Query users
root@node1:/home/ubuntu# osqueryi
Using a virtual database. Need help, type '.help'
osquery> select * from users
...> ;
+-------+-------+------------+------------+------------------+------------------------------------+--------------------------+-------------------+------+
| uid | gid | uid_signed | gid_signed | username | description | directory | shell | uuid |
+-------+-------+------------+------------+------------------+------------------------------------+--------------------------+-------------------+------+
| 0 | 0 | 0 | 0 | root | root | /root | /bin/bash | |
| 1 | 1 | 1 | 1 | daemon | daemon | /usr/sbin | /usr/sbin/nologin | |
| 2 | 2 | 2 | 2 | bin | bin | /bin | /usr/sbin/nologin | |
Using pragma to explore table schema.
osquery> PRAGMA table_info(routes);
+-----+-------------+---------+---------+------------+----+
| cid | name | type | notnull | dflt_value | pk |
+-----+-------------+---------+---------+------------+----+
| 0 | destination | TEXT | 1 | | 1 |
| 1 | netmask | INTEGER | 1 | | 2 |
| 2 | gateway | TEXT | 1 | | 3 |
| 3 | source | TEXT | 1 | | 4 |
| 4 | flags | INTEGER | 1 | | 5 |
| 5 | interface | TEXT | 1 | | 6 |
| 6 | mtu | INTEGER | 1 | | 7 |
| 7 | metric | INTEGER | 1 | | 8 |
| 8 | type | TEXT | 1 | | 9 |
| 9 | hopcount | INTEGER | 1 | | 10 |
+-----+-------------+---------+---------+------------+----+
To get select system_info;
osquery> select hostname, hardware_model from system_info;
+----------+-------------------------+
| hostname | hardware_model |
+----------+-------------------------+
| nodeb-01 | VMware Virtual Platform |
+----------+-------------------------+
To get a list of tables you can use the “.table” command
root@nodeb-01:~/dev# osqueryi
Using a virtual database. Need help, type '.help'
osquery> .tables
=> acpi_tables
=> apparmor_events
To review mounts.
select device,path from mounts;os_version:
osquery> select name,version from os_version;
+--------+-------------------------------+
| name | version |
+--------+-------------------------------+
| Ubuntu | 22.04.4 LTS (Jammy Jellyfish) |
+--------+-------------------------------+
Get some device data.
osquery> select name,size from block_devices;
+------------+----------+
| name | size |
+------------+----------+
| /dev/sda | 67108864 |
| /dev/sda1 | 2048 |
| /dev/sda2 | 4194304 |
| /dev/sda3 | 62908416 |
| /dev/sr0 | 2880612 |
| /dev/loop0 | 126896 |
| /dev/loop1 | 130960 |
| /dev/loop2 | 163736 |
| /dev/loop3 | 178240 |
| /dev/loop4 | 79520 |
| /dev/loop5 | 0 |
| /dev/loop6 | 0 |
| /dev/loop7 | 0 |
| /dev/dm-0 | 31449088 |
+------------+----------+
references:
https://www.starwindsoftware.com/blog/how-to-install-and-use-osquery-on-ubuntu-and-linux-mint
https://osquery.readthedocs.io/en/latest/