Notes on installing osquery on Ubuntu 20.04
1. Add the sources.list entry
# echo "deb [arch=amd64] https://pkg.osquery.io/deb deb main" | sudo tee /etc/apt/sources.list.d/osquery.list
deb [arch=amd64] https://pkg.osquery.io/deb deb main
2. Import the signing key
# sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
Executing: /tmp/apt-key-gpghome.QJPCIhhKIK/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
gpg: 鍵97A80C63C9D8B80B: 公開鍵"osquery (osquery) <osquery@fb.com>"をインポートしました
gpg: 処理数の合計: 1
gpg: インポート: 1
3. Update the package index
# sudo apt update
4. Install osquery
# sudo apt install osquery
... (output omitted) ...
.../osquery_5.0.1-1.linux_amd64.deb を展開する準備をしています ...
osquery (5.0.1-1.linux) を展開しています...
osquery (5.0.1-1.linux) を設定しています ...
systemd (245.4-4ubuntu3.11) のトリガを処理しています ...
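The four steps above as one script. This is an added example, not part of the original memo: it repeats the memo's own commands and, between steps 2 and 3, checks that the key now in apt's keyring has the fingerprint the memo quotes before the repository is trusted. It assumes Ubuntu 20.04 (apt-key still works there; it is deprecated in later releases) and that apt-key adv forwards the --with-colons and --fingerprint options to gpg, which it does by design. The OSQUERY_INSTALL guard is an assumption of this script, not an osquery convention.

```shell
#!/bin/sh
# Added example (not from the memo): install osquery on Ubuntu 20.04 and
# verify the imported signing key's fingerprint before trusting the repo.
set -eu

# Fingerprint quoted in the memo's step 2.
OSQUERY_KEY="1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B"
OSQUERY_LIST="/etc/apt/sources.list.d/osquery.list"

# Return the apt source line from step 1 (kept in one place so the install
# and any later audit compare against the same string).
osquery_repo_line() {
    printf '%s\n' "deb [arch=amd64] https://pkg.osquery.io/deb deb main"
}

# Read gpg --with-colons output on stdin and print every fingerprint.
# "fpr" records carry the fingerprint in field 10.
fingerprints_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Return 0 if some fingerprint on stdin equals $1 (hex compared case-insensitively).
has_fingerprint() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    fingerprints_from_colons | tr 'a-f' 'A-F' | grep -qx "$want"
}

# Steps 1-4 from the memo, with the fingerprint check after step 2.
install_osquery() {
    osquery_repo_line | sudo tee "$OSQUERY_LIST" >/dev/null           # step 1
    sudo apt-key adv --keyserver keyserver.ubuntu.com \
        --recv-keys "$OSQUERY_KEY"                                     # step 2
    # Stop here if the keyring does not actually hold the expected key.
    sudo apt-key adv --with-colons --fingerprint "$OSQUERY_KEY" \
        | has_fingerprint "$OSQUERY_KEY" \
        || { echo "osquery signing key fingerprint mismatch" >&2; return 1; }
    sudo apt update                                                    # step 3
    sudo apt install -y osquery                                        # step 4
}

# Only touch the system when explicitly asked: OSQUERY_INSTALL=1 sh install.sh
if [ "${OSQUERY_INSTALL:-0}" = "1" ]; then
    install_osquery
fi
```

Run it as OSQUERY_INSTALL=1 sh install.sh; without the variable it only defines the functions, so the parsing helpers can be exercised on saved gpg output.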
5. Usage
Start the interactive shell (osqueryi) and query the os_version table:
Using a virtual database. Need help, type '.help'
osquery> select * from os_version;
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| name   | version                   | major | minor | patch | build | platform | platform_like | codename | arch   |
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| Ubuntu | 20.04.3 LTS (Focal Fossa) | 20    | 4     | 0     |       | ubuntu   | debian        | focal    | x86_64 |
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
osquery> select name, version, patch, platform from os_version;
+--------+---------------------------+-------+----------+
| name   | version                   | patch | platform |
+--------+---------------------------+-------+----------+
| Ubuntu | 20.04.3 LTS (Focal Fossa) | 0     | ubuntu   |
+--------+---------------------------+-------+----------+
Shell commands
osquery> .help
Welcome to the osquery shell. Please explore your OS!
You are connected to a transient 'in-memory' virtual database.

.all [TABLE]     Select all from a table
.bail ON|OFF     Stop after hitting an error
.connect PATH    Connect to an osquery extension socket
.disconnect      Disconnect from a connected extension socket
.echo ON|OFF     Turn command echo on or off
.exit            Exit this program
.features        List osquery's features and their statuses
.headers ON|OFF  Turn display of headers on or off
.help            Show this message
.mode MODE       Set output mode where MODE is one of:
                   csv      Comma-separated values
                   column   Left-aligned columns see .width
                   line     One value per line
                   list     Values delimited by .separator string
                   pretty   Pretty printed SQL results (default)
.nullvalue STR   Use STRING in place of NULL values
.print STR...    Print literal STRING
.quit            Exit this program
.schema [TABLE]  Show the CREATE statements
.separator STR   Change separator used by output mode
.socket          Show the local osquery extensions socket path
.show            Show the current values for various settings
.summary         Alias for the show meta command
.tables [TABLE]  List names of tables
.types [SQL]     Show result of getQueryColumns for the given query
.width [NUM1]+   Set column widths for "column" mode
.timer ON|OFF    Turn the CPU timer measurement on or off
osquery> .exit
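The interactive shell is handy for exploring, but checks you want to repeat are easier to script. The following is an added example, not from the memo or the osquery project: it runs a query through osqueryi non-interactively in the "line" output mode listed above (one "column = value" per line, rows separated by a blank line) and flags listening TCP ports that are not on an allowlist. It assumes osqueryi from step 4 is on PATH and that the --line flag selects that mode, as it does in osqueryi; the allowlist and the unexpected_listeners helper are this script's own.

```shell
#!/bin/sh
# Added example (not from the memo): scripted osquery check for listening
# TCP ports that are not on an allowlist.
set -eu

# Run one query through osqueryi in line mode ("  column = value" per line).
osq_line() {
    osqueryi --line "$1"
}

# Read line-mode output on stdin and print "port pid path" for every row
# whose port is not in the space-separated allowlist given as $1.
unexpected_listeners() {
    allow=" $1 "
    awk -v allow="$allow" '
        # Emit the row collected so far if its port is not allowlisted.
        function flush() {
            if (port != "" && index(allow, " " port " ") == 0)
                print port, pid, path
            port = pid = path = ""
        }
        /^ *port *= / { sub(/^[^=]*= */, ""); port = $0 }
        /^ *pid *= /  { sub(/^[^=]*= */, ""); pid  = $0 }
        /^ *path *= / { sub(/^[^=]*= */, ""); path = $0 }
        /^$/          { flush() }   # blank line ends a row
        END           { flush() }   # last row has no trailing blank line
    '
}

# Listening TCP sockets (protocol 6) joined to the owning process.
LISTENERS_QUERY="select l.port, p.pid, p.path
  from listening_ports l join processes p using (pid)
  where l.protocol = 6 and l.port != 0"

# Allowlist for this host (constructed for the example: ssh and DNS).
ALLOWED_PORTS="22 53"

# Only query the live system when osqueryi is actually installed.
if command -v osqueryi >/dev/null 2>&1; then
    osq_line "$LISTENERS_QUERY" | unexpected_listeners "$ALLOWED_PORTS"
fi
```

Anything printed is a listener that is not on the allowlist, which makes the script a simple cron or CI check; the parsing helper works on saved line-mode output as well, so it can be tested without a running osqueryi.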