备注:
osquery facebook 开源的将操作系统指标转换为sql 查询,方便好用,很适合devops 性能分析,系统监控
1. 安装
参考 https://osquery.io/downloads/official/2.11.2
我使用的是centos 使用rpm 包安装
wget https://pkg.osquery.io/rpm/osquery-2.11.2-1.linux.x86_64.rpm
yum install -y osquery-2.11.2-1.linux.x86_64.rpm
2. 基本使用
a. 简单sql
osqueryi
比如我要查询系统的用户
select * from users;
b. 查看系统的表
.table
=> acpi_tables
=> apt_sources
=> arp_cache
=> augeas
=> authorized_keys
=> block_devices
=> carbon_black_info
=> carves
=> chrome_extensions
=> cpu_time
=> cpuid
=> crontab
=> curl
=> curl_certificate
=> deb_packages
=> device_file
=> device_hash
=> device_partitions
=> disk_encryption
=> dns_resolvers
=> docker_container_labels
=> docker_container_mounts
=> docker_container_networks
=> docker_container_ports
=> docker_container_processes
=> docker_container_stats
=> docker_containers
=> docker_image_labels
=> docker_images
=> docker_info
=> docker_network_labels
=> docker_networks
=> docker_version
=> docker_volume_labels
=> docker_volumes
=> ec2_instance_metadata
=> ec2_instance_tags
=> etc_hosts
=> etc_protocols
=> etc_services
=> file
=> file_events
=> firefox_addons
=> groups
=> hardware_events
=> hash
=> intel_me_info
=> interface_addresses
=> interface_details
=> iptables
=> kernel_info
=> kernel_integrity
=> kernel_modules
=> known_hosts
=> last
=> listening_ports
=> lldp_neighbors
=> load_average
=> logged_in_users
=> magic
=> md_devices
=> md_drives
=> md_personalities
=> memory_info
=> memory_map
=> mounts
=> msr
=> opera_extensions
=> os_version
=> osquery_events
=> osquery_extensions
=> osquery_flags
=> osquery_info
=> osquery_packs
=> osquery_registry
=> osquery_schedule
=> pci_devices
=> platform_info
=> portage_keywords
=> portage_packages
=> portage_use
=> process_envs
=> process_events
=> process_memory_map
=> process_open_files
=> process_open_sockets
=> processes
=> prometheus_metrics
=> python_packages
=> routes
=> rpm_package_files
=> rpm_packages
=> shadow
=> shared_memory
=> shell_history
=> smbios_tables
=> socket_events
=> startup_items
=> sudoers
=> suid_bin
=> syslog_events
=> system_controls
=> system_info
=> time
=> uptime
=> usb_devices
=> user_events
=> user_groups
=> user_ssh_keys
=> users
=> yara
=> yara_events
c. 查看表schema
.schema table_name
比如:
.schema users
.schema users
CREATE TABLE users(`uid` BIGINT, `gid` BIGINT, `uid_signed` BIGINT, `gid_signed` BIGINT, `username` TEXT, `description` TEXT, `directory` TEXT, `shell` TEXT, `uuid` TEXT, `type` TEXT HIDDEN, PRIMARY KEY (`uid`, `username`)) WITHOUT ROWID;
备注:就是写sql,实际需要的就是查询对应表的数据,很强很大,同时基本主流操作系统都支持
3. 几个小技巧
修改模式
.mode line 类似mysql \G
.table 系统表
.schema 表结构
4. 参考资料
https://osquery.io/