How to Monitor Linux Server Security with Osquery


Osquery is a free, open source, powerful and cross-platform SQL-based operating system instrumentation, monitoring and analytics framework for Linux, FreeBSD, Windows and Mac OS X systems, built by Facebook. It is a simple and easy-to-use operating system explorer.

It combines a set of tools that perform low-level OS analytics and monitoring; these tools expose the operating system as a high-performance relational database, much like MySQL/MariaDB or PostgreSQL, in which OS concepts are represented as tables, so that users can run SQL statements to perform system monitoring and analytics.

Osquery uses a simple plugin and extension API to implement SQL tables; a large collection of tables already exists ready for use, and more are being written. Some tables are only available on specific operating systems; for example, the kernel_modules table only exists on Linux systems.

In addition, you can run queries to monitor and analyze OS state on a single host through the osqueryi shell, on many hosts across a network through a scheduler, or from your own custom applications using the Thrift APIs.

How to Install Osquery in Linux

Osquery can be installed from the official repository using your Linux distribution's package manager (apt, yum or dnf), as shown.

On Debian/Ubuntu:

$ export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY
$ sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
$ sudo apt update
$ sudo apt install osquery

On CentOS/RHEL:

$ curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
$ sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
$ sudo yum-config-manager --enable osquery-s3-rpm-repo
$ sudo yum install osquery

On Fedora:

$ curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
$ sudo dnf config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
$ sudo dnf config-manager --set-enabled osquery-s3-rpm-repo
$ sudo dnf install osquery

How to Monitor and Analyze Linux Using Osquery

Once you have successfully installed Osquery on your machine, open the osquery shell to start querying your OS state as shown.

$ osqueryi

Using a virtual database. Need help, type '.help'
osquery> 

To get a summary of the Linux system, run the following command.

osquery> SELECT * FROM system_info;

To get a list of all users on the Linux system, run the following query.

osquery> SELECT * FROM users;

To get a list of all Linux kernel modules and their status, run the following query.

osquery> SELECT * FROM kernel_modules;

To get a list of all RPM packages installed on CentOS, RHEL and Fedora, run the following query.

osquery> .all rpm_packages

To get information about running Linux processes, run the following query. This example joins listening_ports with processes to list the processes that are listening on all network interfaces (address 0.0.0.0).

osquery> SELECT DISTINCT processes.name, listening_ports.port, processes.pid FROM listening_ports JOIN processes USING (pid) WHERE listening_ports.address = '0.0.0.0';
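The 0.0.0.0 listener query above is the kind of check that is usually scripted rather than typed at the shell. The following Python script is an added example, not code from the original article or from the osquery project: it runs a broadened version of that query through osqueryi --json (a real osqueryi flag that prints results as a JSON array), parses the rows, and reports listeners that are missing from an expected baseline. The EXPECTED_LISTENERS set and the embedded SAMPLE_OUTPUT are constructed assumptions for illustration; when osqueryi is not installed the script falls back to the sample.

```python
"""Report unexpected network listeners from osqueryi --json output."""
import json
import shutil
import subprocess

# Broadened form of the article's query: any non-loopback listener, with the
# owning process path and the user it runs as (LEFT JOIN keeps rows whose
# uid has no matching users entry).
LISTENERS_QUERY = """
SELECT DISTINCT p.pid, p.name, p.path, lp.port, lp.protocol, lp.address, u.username
FROM listening_ports lp
JOIN processes p USING (pid)
LEFT JOIN users u ON p.uid = u.uid
WHERE lp.address NOT IN ('127.0.0.1', '::1');
"""

# Hypothetical baseline for a web server: (process name, port) pairs we expect.
EXPECTED_LISTENERS = {("sshd", 22), ("nginx", 80), ("nginx", 443)}

# listening_ports.protocol is the IP protocol number, returned as a string.
PROTOCOL_NAMES = {"6": "tcp", "17": "udp"}


def parse_rows(json_text):
    """osqueryi --json prints one JSON array of row objects; values are strings or null."""
    rows = json.loads(json_text)
    if not isinstance(rows, list):
        raise ValueError("expected a JSON array from osqueryi --json")
    return rows


def run_osquery(sql):
    """Run a query on the local host through osqueryi and return its rows."""
    osqueryi = shutil.which("osqueryi")
    if osqueryi is None:
        raise RuntimeError("osqueryi not found in PATH; install osquery first")
    proc = subprocess.run([osqueryi, "--json", sql], check=True,
                          capture_output=True, text=True)
    return parse_rows(proc.stdout)


def unexpected_listeners(rows, expected=EXPECTED_LISTENERS):
    """Return listeners missing from the baseline as (pid, name, proto, address, port, user)."""
    findings = []
    for r in rows:
        port = int(r["port"])
        if (r["name"], port) in expected:
            continue
        proto = PROTOCOL_NAMES.get(r["protocol"], r["protocol"])
        findings.append((int(r["pid"]), r["name"], proto, r["address"], port,
                         r.get("username") or "?"))
    return sorted(findings, key=lambda f: (f[4], f[0]))


def report(rows):
    """Format findings one per line for an operator or a log shipper."""
    return [f"pid={pid} {name} {proto} {addr}:{port} user={user}"
            for pid, name, proto, addr, port, user in unexpected_listeners(rows)]


# Constructed sample in the shape osqueryi --json produces; not captured from a real host.
SAMPLE_OUTPUT = json.dumps([
    {"pid": "812", "name": "sshd", "path": "/usr/sbin/sshd", "port": "22",
     "protocol": "6", "address": "0.0.0.0", "username": "root"},
    {"pid": "1044", "name": "nginx", "path": "/usr/sbin/nginx", "port": "80",
     "protocol": "6", "address": "0.0.0.0", "username": "www-data"},
    {"pid": "1044", "name": "nginx", "path": "/usr/sbin/nginx", "port": "443",
     "protocol": "6", "address": "::", "username": "www-data"},
    # A development HTTP server left bound to all interfaces: not in the baseline.
    {"pid": "2231", "name": "python3", "path": "/usr/bin/python3", "port": "8000",
     "protocol": "6", "address": "0.0.0.0", "username": None},
])


if __name__ == "__main__":
    try:
        live_rows = run_osquery(LISTENERS_QUERY)
    except RuntimeError as err:
        print(f"{err}; falling back to the constructed sample")
        live_rows = parse_rows(SAMPLE_OUTPUT)
    for line in report(live_rows) or ["no unexpected listeners"]:
        print(line)
```

The baseline is deliberately keyed on process name and port rather than on pid or path, so a restart of an expected service does not produce noise, while a known service appearing on a new port still does.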

If you are running osquery on a desktop with Firefox or Chrome installed, you can list all the add-ons and extensions you have installed using the following queries.

osquery> .all firefox_addons
osquery> .all chrome_extensions

To display a list of all the tables implemented on Linux, use the .tables command as shown; the .help command shows the help message.

osquery> .tables
osquery> .help

Osquery also provides file integrity monitoring (FIM), process and socket auditing features and more, which makes it an intrusion detection tool as well, but this requires some specific configuration before it can be deployed for that purpose. You can find more information in the Osquery Github repository.
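Turning osquery into a file integrity monitor means giving osqueryd a configuration with events enabled, a set of watched paths and a scheduled query against the file_events table, and then reading what the daemon writes to its results log. The Python below is an added example, not code from the article or from the osquery project: build_fim_config() produces such a configuration, and parse_results_log() and triage() read the daemon's JSON-lines results log and separate changes to binaries and SSH keys from routine changes under /etc. The watched paths, the category names and the embedded SAMPLE_LOG are constructed for illustration.

```python
"""Build an osqueryd FIM configuration and triage its file_events results log."""
import json

# Directories to watch, using osquery's %% recursive wildcard and % single-level
# wildcard. The category names (etc, binaries, ssh) are our own labels and come
# back in the file_events.category column.
WATCHED_PATHS = {
    "etc": ["/etc/%%"],
    "binaries": ["/usr/bin/%%", "/usr/sbin/%%"],
    "ssh": ["/root/.ssh/%%", "/home/%/.ssh/%%"],
}

# Categories whose changes deserve immediate attention.
HIGH_RISK_CATEGORIES = {"binaries", "ssh"}


def build_fim_config(file_paths, interval=300):
    """Return an osqueryd config dict (serialize with json.dumps to osquery.conf)."""
    return {
        "options": {
            "config_plugin": "filesystem",
            "logger_plugin": "filesystem",
            # file_events is an evented table: with events disabled it is always empty.
            "disable_events": "false",
            "events_expiry": "3600",
        },
        "schedule": {
            "file_events": {
                "query": "SELECT * FROM file_events;",
                "interval": interval,
                "removed": False,  # do not log rows that merely aged out of the buffer
            }
        },
        "file_paths": file_paths,
    }


def parse_results_log(text):
    """Parse osqueryd.results.log (one JSON object per line, default event format).

    Two different 'action' fields appear: the outer one says whether the row was
    added to or removed from the query's result set; columns['action'] is the
    filesystem change itself (CREATED, UPDATED, DELETED, MOVED_TO, ...).
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("name") != "file_events" or rec.get("action") != "added":
            continue
        cols = rec["columns"]
        events.append({
            "host": rec.get("hostIdentifier", "?"),
            "time": int(cols["time"]),
            "path": cols["target_path"],
            "category": cols["category"],
            "change": cols["action"],
            "sha256": cols.get("sha256", ""),
        })
    return sorted(events, key=lambda e: e["time"])


def triage(events, high_risk=HIGH_RISK_CATEGORIES):
    """Split events into (high priority, routine) by watched-path category."""
    high = [e for e in events if e["category"] in high_risk]
    routine = [e for e in events if e["category"] not in high_risk]
    return high, routine


# Constructed log lines in the osqueryd results format; not from a real host.
SAMPLE_LOG = "\n".join(json.dumps(rec) for rec in [
    {"name": "file_events", "hostIdentifier": "web01", "unixTime": 1700000000,
     "action": "added", "columns": {"target_path": "/etc/ssh/sshd_config",
     "category": "etc", "action": "UPDATED", "time": "1700000000",
     "sha256": "constructed-hash-1"}},
    {"name": "file_events", "hostIdentifier": "web01", "unixTime": 1700000010,
     "action": "added", "columns": {"target_path": "/usr/bin/ls",
     "category": "binaries", "action": "UPDATED", "time": "1700000010",
     "sha256": "constructed-hash-2"}},
    # A differently named scheduled query: ignored by the FIM parser.
    {"name": "kernel_modules", "hostIdentifier": "web01", "unixTime": 1700000020,
     "action": "added", "columns": {"name": "nf_tables", "status": "Live"}},
    # A 'removed' record only means the row left the result set; not a new change.
    {"name": "file_events", "hostIdentifier": "web01", "unixTime": 1700000030,
     "action": "removed", "columns": {"target_path": "/etc/motd",
     "category": "etc", "action": "CREATED", "time": "1699990000", "sha256": ""}},
])


if __name__ == "__main__":
    print(json.dumps(build_fim_config(WATCHED_PATHS), indent=2))
    high, routine = triage(parse_results_log(SAMPLE_LOG))
    for e in high:
        print(f"HIGH    {e['host']} {e['change']} {e['path']} sha256={e['sha256']}")
    for e in routine:
        print(f"routine {e['host']} {e['change']} {e['path']}")
```

The sha256 column is what makes file_events useful for response rather than just alerting: a changed system binary can be compared against the hash recorded by the package manager, and the same hash can be searched for across every host shipping results to the same log pipeline.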