osquery 安装如下:
配置文件如下:
[root@localhost ~]# cat /etc/osquery/osquery.conf
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"utc": "true"
},
"schedule": {
"system_info": {
"query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
"interval": 3600
},
"behavioral_reverse_shell": {
"query" : "SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' OR name='bash' OR name='nc') AND remote_address NOT IN ('0.0.0.0', '::', '');",
"interval" : 10,
"description" : "Find shell processes that have open sockets"
}
},
"decorators": {
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
]
},
"packs": {
日志文件为 /var/log/osquery/osqueryd.results.log，内容如下:
[root@localhost ~]# tail -f /var/log/osquery/osqueryd.results.log
{"name":"behavioral_reverse_shell","hostIdentifier":"localhost.localdomain","calendarTime":"Sat Jun 1 09:12:30 2019 UTC","unixTime":1559380350,"epoch":0,"counter":880,"decorations":{"host_uuid":"564DBA8F-DC7F-D491-DF58-A9908DA09B80","username":"root"},"columns":{"cmdline":"bash -i","cwd":"/root","gid":"0","name":"bash","parent":"63338","parent_cmdline":"-bash","path":"/usr/bin/bash","pid":"64411","remote_address":"127.0.0.1","remote_port":"8888","root":"/","start_time":"3887087","uid":"0"},"action":"added"}