Step-by-Step Guide to Install the Osquery Framework on Ubuntu 20.04 LTS

Osquery is a free and open-source, cross-platform framework that exposes an operating system as a relational database: you query the state of the host (users, processes, sockets, memory and so on) with SQL instead of parsing the output of assorted system tools.

There are a few steps to install Osquery on Ubuntu. Run the commands as root, or prefix them with sudo.

Step 1: Update the package index.

sudo apt-get update

Step 2: Add the osquery apt repository.

echo "deb [arch=amd64] https://pkg.osquery.io/deb deb main" | sudo tee /etc/apt/sources.list.d/osquery.list

  • Import the repository signing key. The ID below is the key's full 40-character fingerprint; compare it against what apt-key reports after the import before trusting packages from this repository. apt-key is deprecated on newer Ubuntu releases but still works on 20.04.

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B

Step 3: Refresh the package index so apt sees the new repository.

sudo apt-get update

Step 4: Install Osquery.

sudo apt-get install osquery

  • Check the Osquery version.

osqueryi --version
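The same repository set-up as Steps 2 to 4, as an added example that is not part of the original post: it keeps the osquery key in its own apt keyring (so only this repository is trusted to be signed by it, rather than every repository on the system as with apt-key), and it refuses to proceed unless the fetched key's full fingerprint matches the one the post gives. It assumes Ubuntu 20.04 with gpg installed and a user who can sudo. The key fingerprint and repository URL are the post's; the keyring path, file names and function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post or the osquery project):
# install the osquery apt repository with a dedicated keyring and an
# explicit fingerprint check instead of the deprecated apt-key.
set -eu

OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B   # fingerprint from the post
KEYRING=/etc/apt/keyrings/osquery.gpg                  # chosen here, not mandated by osquery
LIST=/etc/apt/sources.list.d/osquery.list

# Return 0 only if the gpg --with-colons listing on stdin contains an "fpr"
# record whose field 10 equals $1. Matching the full 40-hex fingerprint,
# not the 16-hex key ID, is what protects against a look-alike key.
fingerprint_present() {
    awk -F: -v want="$1" '$1 == "fpr" && $10 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Fetch the key into a throwaway GnuPG home so nothing lands in the user's
# own keyring, verify its fingerprint, then export it (binary form) for apt.
install_key() {
    tmp=$(mktemp -d)
    gpg --homedir "$tmp" --keyserver keyserver.ubuntu.com --recv-keys "$OSQUERY_KEY"
    if ! gpg --homedir "$tmp" --with-colons --fingerprint "$OSQUERY_KEY" | fingerprint_present "$OSQUERY_KEY"; then
        echo "fingerprint mismatch for $OSQUERY_KEY; refusing to install" >&2
        rm -rf "$tmp"
        return 1
    fi
    sudo install -d -m 0755 /etc/apt/keyrings
    gpg --homedir "$tmp" --export "$OSQUERY_KEY" | sudo tee "$KEYRING" >/dev/null
    rm -rf "$tmp"
}

# signed-by= restricts this key to this one repository.
add_repo() {
    echo "deb [arch=amd64 signed-by=$KEYRING] https://pkg.osquery.io/deb deb main" \
        | sudo tee "$LIST" >/dev/null
}

install_osquery() {
    sudo apt-get update
    sudo apt-get install -y osquery
    osqueryi --version
}

case "${1:-}" in
    install) install_key && add_repo && install_osquery ;;
    *) echo "usage: $0 install" >&2 ;;
esac
```

Run it as `sh install-osquery.sh install`. If you later want to confirm which key apt trusts for this repository, `gpg --no-default-keyring --keyring /etc/apt/keyrings/osquery.gpg --fingerprint` prints it without touching your personal keyring.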

Step 5: Osquery syntax and examples.

  • Start the interactive shell. The binary is osqueryi (there is no osquery command); it opens an osquery> prompt that accepts SQL statements plus a few dot-commands.

osqueryi

  • To list the available options.

osquery> .help

  • To list the available tables.

osquery> .tables

  • To list all the users.

osquery> SELECT * FROM users;

  • To list only the usernames (same rows as above, one column).

osquery> SELECT username FROM users;

  • To list the users with their home directories.

osquery> SELECT username, directory FROM users;

  • To get information about the root user. Use single quotes for string literals: in SQLite (which osquery uses) double quotes denote identifiers and are only treated as a string as a fallback.

osquery> SELECT * FROM users WHERE username = 'root';

  • To list the first five processes (the table is large, so LIMIT keeps the output readable).

osquery> SELECT * FROM processes LIMIT 5;

  • To check the OS version.

osquery> SELECT * FROM os_version;

  • To check network interfaces and IP addresses, excluding loopback. Match the loopback name exactly: a pattern such as NOT LIKE '%lo%' would also hide interfaces like wlo1.

osquery> SELECT interface, address, mask FROM interface_addresses WHERE interface != 'lo';

  • To check total system memory (memory_info is a Linux-only table).

osquery> SELECT memory_total FROM memory_info;

  • To check system free memory.

osquery> SELECT memory_free FROM memory_info;

  • To check cached memory.

osquery> SELECT cached FROM memory_info;

  • To list all groups.

osquery> SELECT * FROM groups;

  • To list the listening ports.

osquery> SELECT * FROM listening_ports;
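The queries above are typed one at a time at the osquery> prompt. As an added example that is not part of the original post, here is the same kind of inspection run non-interactively as an audit script: it joins listening_ports to processes so each open port is attributed to a binary, looks for extra uid 0 accounts in users, and looks for processes whose executable has been deleted from disk. It assumes the osqueryi binary installed above is on PATH; the function names, query texts and the CSV filter are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or the osquery project):
# run osquery audit queries from a script instead of the osquery> prompt.
set -eu

# osqueryi takes the SQL as its argument; --csv selects comma-separated
# output with a header row, which is easy to post-process in a pipeline.
run_query() {
    osqueryi --csv "$1"
}

# Which process sits behind each listener, and on which address. Joining
# listening_ports to processes on pid turns "port 22 is open" into
# "sshd at /usr/sbin/sshd listens on 0.0.0.0:22". Port 0 rows are UNIX sockets.
LISTENERS_SQL="SELECT lp.address, lp.port, lp.protocol, p.name, p.path
  FROM listening_ports lp JOIN processes p USING (pid)
  WHERE lp.port != 0;"

# Accounts that share uid 0 with root: a second superuser is a classic backdoor.
EXTRA_UID0_SQL="SELECT uid, username, shell, directory FROM users
  WHERE uid = 0 AND username != 'root';"

# Running processes whose executable has been unlinked from disk, which is
# what a payload that deletes itself after launch looks like.
DELETED_BINARY_SQL="SELECT pid, name, path, cmdline FROM processes
  WHERE on_disk = 0;"

# Pure filter over the CSV rows of LISTENERS_SQL (stdin): keep only listeners
# bound to every interface (0.0.0.0 for IPv4, :: for IPv6), i.e. the ones a
# remote host can reach. The header row (NR == 1) is dropped.
flag_exposed_listeners() {
    awk -F',' 'NR > 1 && ($1 == "0.0.0.0" || $1 == "::") { print }'
}

audit() {
    echo "== listeners bound to all interfaces =="
    run_query "$LISTENERS_SQL" | flag_exposed_listeners
    echo "== accounts with uid 0 other than root =="
    run_query "$EXTRA_UID0_SQL"
    echo "== processes whose binary is gone from disk =="
    run_query "$DELETED_BINARY_SQL"
}

case "${1:-}" in
    audit) audit ;;
    *) echo "usage: $0 audit" >&2 ;;
esac
```

Run it as `sh osquery-audit.sh audit`. Any output under the first heading deserves a look, since those sockets are reachable from the network; the other two sections should normally be empty on a healthy host.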
