Notes on installing osquery on Ubuntu 20.04

1. Add the sources.list entry

# echo "deb [arch=amd64] https://pkg.osquery.io/deb deb main" | sudo tee /etc/apt/sources.list.d/osquery.list
deb [arch=amd64] https://pkg.osquery.io/deb deb main

2. Import the signing key

# sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
Executing: /tmp/apt-key-gpghome.QJPCIhhKIK/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
gpg: 鍵97A80C63C9D8B80B: 公開鍵"osquery (osquery) <osquery@fb.com>"をインポート しました
gpg: 処理数の合計: 1
gpg: インポート: 1

3. Update the package lists
# sudo apt update

4. Install osquery

# sudo apt install osquery
(output omitted)
.../osquery_5.0.1-1.linux_amd64.deb を展開する準備をしています ...
osquery (5.0.1-1.linux) を展開しています...
osquery (5.0.1-1.linux) を設定しています ...
systemd (245.4-4ubuntu3.11) のトリガを処理しています ...
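The steps above put the key into apt's global trust set with apt-key, which newer apt releases deprecate. As an added example that is not part of the original memo, the following script performs the same repository setup with the key stored in its own keyring, restricted to the osquery repository via signed-by, and with the fingerprint compared against the one shown in step 2 before anything is installed. The keyring path is an assumption; the fingerprint and repository URL are the memo's.

```shell
#!/bin/sh
# Added example, not part of the original memo: set up the osquery apt repo
# with the key in a dedicated keyring and verify the fingerprint first.
# Assumed: the keyring path below; the fingerprint and repo URL are the memo's.
set -eu

OSQUERY_FPR="1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B"
KEYRING="/usr/share/keyrings/osquery-archive-keyring.gpg"   # assumed path

# Build the sources.list line; signed-by= scopes the key to this repo only,
# instead of apt-key adding it to the trust set for every repository.
osquery_sources_line() {
    printf 'deb [arch=amd64 signed-by=%s] https://pkg.osquery.io/deb deb main\n' "$1"
}

# Read `gpg --with-colons --fingerprint` output on stdin and print the
# primary key fingerprint (first "fpr" record, field 10).
primary_fingerprint() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only when the fetched key's fingerprint is the expected one.
fingerprint_matches() {
    [ "$1" = "$OSQUERY_FPR" ]
}

install_osquery_repo() {
    tmp=$(mktemp -d)
    # Fetch into a throwaway GnuPG home, over HKPS, not into apt's keyring.
    gpg --homedir "$tmp" --batch --keyserver hkps://keyserver.ubuntu.com \
        --recv-keys "$OSQUERY_FPR"
    fpr=$(gpg --homedir "$tmp" --batch --with-colons --fingerprint "$OSQUERY_FPR" \
          | primary_fingerprint)
    if ! fingerprint_matches "$fpr"; then
        echo "osquery key fingerprint mismatch: got $fpr" >&2
        rm -rf "$tmp"
        exit 1
    fi
    gpg --homedir "$tmp" --batch --export "$OSQUERY_FPR" | sudo tee "$KEYRING" >/dev/null
    osquery_sources_line "$KEYRING" | sudo tee /etc/apt/sources.list.d/osquery.list
    rm -rf "$tmp"
    sudo apt update && sudo apt install -y osquery
}

# Only run the install when asked, so the functions can also be sourced.
if [ "${1:-}" = "--install" ]; then
    install_osquery_repo
fi
```

Run it as `sh osquery-repo.sh --install`; without the flag it only defines the functions.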

5. Usage

Using a virtual database. Need help, type '.help'
osquery> select * from os_version;
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| name   | version                   | major | minor | patch | build | platform | platform_like | codename | arch   |
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| Ubuntu | 20.04.3 LTS (Focal Fossa) | 20    | 4     | 0     |       | ubuntu   | debian        | focal    | x86_64 |
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
osquery> select name, version, patch, platform from os_version;
+--------+---------------------------+-------+----------+
| name   | version                   | patch | platform |
+--------+---------------------------+-------+----------+
| Ubuntu | 20.04.3 LTS (Focal Fossa) | 0     | ubuntu   |
+--------+---------------------------+-------+----------+

Commands

osquery> .help
Welcome to the osquery shell. Please explore your OS!
You are connected to a transient 'in-memory' virtual database.

.all [TABLE]     Select all from a table
.bail ON|OFF     Stop after hitting an error
.connect PATH    Connect to an osquery extension socket
.disconnect      Disconnect from a connected extension socket
.echo ON|OFF     Turn command echo on or off
.exit            Exit this program
.features        List osquery's features and their statuses
.headers ON|OFF  Turn display of headers on or off
.help            Show this message
.mode MODE       Set output mode where MODE is one of:
                   csv      Comma-separated values
                   column   Left-aligned columns see .width
                   line     One value per line
                   list     Values delimited by .separator string
                   pretty   Pretty printed SQL results (default)
.nullvalue STR   Use STRING in place of NULL values
.print STR...    Print literal STRING
.quit            Exit this program
.schema [TABLE]  Show the CREATE statements
.separator STR   Change separator used by output mode
.socket          Show the local osquery extensions socket path
.show            Show the current values for various settings
.summary         Alias for the show meta command
.tables [TABLE]  List names of tables
.types [SQL]     Show result of getQueryColumns for the given query
.width [NUM1]+   Set column widths for "column" mode
.timer ON|OFF      Turn the CPU timer measurement on or off
osquery> .exit

 

Ubuntu 20.04

Posted by arkgame