October 28, 2019 (last updated: October 27, 2019)
File Integrity Monitoring (FIM)
File Integrity Monitoring
osquery
https://github.com/gridgentoo/osquery
Osquery is an open-source operating system instrumentation, monitoring, and analytics framework created by Facebook. It exposes an operating system as a high-performance relational database that can be queried using SQL.
Maintaining real-time insight into the current state of your infrastructure is important. At Facebook, we’ve been working on a framework called osquery which attempts to approach the concept of low-level operating system monitoring a little differently.
Introducing osquery
Osquery exposes an operating system as a high-performance relational database. This design allows you to write SQL queries efficiently and easily to explore operating systems. With osquery, SQL tables represent the current state of operating system attributes, such as running processes and listening network ports.
SQL tables are implemented via an easily extendable API. Several tables already exist and more are being written. To best understand the expressiveness that is afforded to you by osquery, consider the following examples.
This first example illustrates how you might use osquery to interact with the processes that are running on the current system. Specifically, this query returns all of the processes which are currently executing. The where clause of the query only returns processes where the original binary used to launch the process no longer exists on the filesystem. This is a common tactic used by malicious actors, so this should not return any results on your system, assuming your system isn’t compromised.
SELECT name, path, pid FROM processes WHERE on_disk = 0;
Interacting with operating system state via SQL is fun and easy. One of the aspects of SQL that makes it so applicable to operating system analytics is the ability to join different tables together. Consider the following example, which uses data from both the “listening_ports” table and the “processes” table. This query finds all processes that are listening on network ports. Then, using the processes table from the last example, we can join the two tables together since they both expose the pid of the processes in question. This allows you to use generic tables to add context as you explore operating system state.
SELECT DISTINCT process.name, listening.port, listening.address, process.pid
FROM processes AS process
JOIN listening_ports AS listening
ON process.pid = listening.pid;
There are many tables included with osquery and we’re creating more every day. Tables are easy to write, so we often encourage new contributors to develop a few tables as an introduction to the osquery codebase. For detailed documentation on how to create a table, see the guide on the wiki.
See the usage guide on the wiki.
Osquery provides its own package repository for each platform, so the first step is to install the osquery package from the official osquery repository.
Install osquery on Ubuntu
Add the osquery key to the system.
export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY
Add the osquery repository and install the package.
sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
sudo apt install osquery -y
Install osquery on CentOS
Add the osquery key to the system.
curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
Add and enable the osquery repository, and install the package.
sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
sudo yum-config-manager --enable osquery-s3-rpm
sudo yum install osquery -y
Wait for all packages to be installed.
Note:
If you get the following error about the yum-config-manager command:
sudo: yum-config-manager: command not found
Install the 'yum-utils' package.
yum -y install yum-utils
Install rsyslog
osquery ingests syslog messages through a named pipe that rsyslog writes to, so rsyslog must be installed and configured.
On Ubuntu
Install the rsyslog package using the apt command below.
sudo apt install rsyslog -y
On CentOS
Install the rsyslog package using the yum command below.
sudo yum install rsyslog -y
After the installation is complete, go to the '/etc/rsyslog.d' directory and create a new configuration file 'osquery.conf'.
cd /etc/rsyslog.d/
vim osquery.conf
Paste the following configuration there.
template(
name="OsqueryCsvFormat"
type="string"
string="%timestamp:::date-rfc3339,csv%,%hostname:::csv%,%syslogseverity:::csv%,%syslogfacility-text:::csv%,%syslogtag:::csv%,%msg:::csv%\n"
)
*.* action(type="ompipe" Pipe="/var/osquery/syslog_pipe" template="OsqueryCsvFormat")
Save and exit.
The default osquery configuration file is 'osquery.conf', usually located in the '/etc/osquery' directory. A sample configuration is provided at '/usr/share/osquery/osquery.conf', along with sample query packs under '/usr/share/osquery/packs'.
In this step, we will learn about the osquery configuration components, create the custom osquery configuration, and then deploy the osqueryd as a service.
The osquery configuration is a JSON file made up of the components described below: options, a query schedule, decorators, and packs.
Go to the '/etc/osquery' directory and create a new custom configuration 'osquery.conf'.
cd /etc/osquery/
vim osquery.conf
Paste the following configurations there.
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"logger_path": "/var/log/osquery",
"disable_logging": "false",
"log_result_events": "true",
"schedule_splay_percent": "10",
"pidfile": "/var/osquery/osquery.pidfile",
"events_expiry": "3600",
"database_path": "/var/osquery/osquery.db",
"verbose": "false",
"worker_threads": "2",
"enable_monitor": "true",
"disable_events": "false",
"disable_audit": "false",
"audit_allow_config": "true",
"host_identifier": "fb-labs",
"enable_syslog": "true",
"syslog_pipe_path": "/var/osquery/syslog_pipe",
"force": "true",
"audit_allow_sockets": "true",
"schedule_default_interval": "3600"
},
"schedule": {
"crontab": {
"query": "SELECT * FROM crontab;",
"interval": 300
},
"system_info": {
"query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
"interval": 3600
},
"ssh_login": {
"query": "SELECT username, time, host FROM last WHERE type=7",
"interval": 360
}
},
"decorators": {
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
]
},
"packs": {
"osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf"
}
}
Save and exit.
Now start the osqueryd daemon service and enable it to launch every time at system boot.
systemctl start osqueryd
systemctl enable osqueryd
And restart the rsyslog service.
systemctl restart rsyslog
The basic osquery configuration is complete.
Osquery provides File Integrity Monitoring on Linux using inotify and on macOS (Darwin) using FSEvents. Put simply, it monitors and detects any changes to files under the directories defined in 'file_paths' and records all of that activity in the file_events table.
In this step, we will configure osquery to monitor important directories such as home directories, .ssh directories, /etc, /tmp, and the /var/www web root using a custom FIM pack.
Go to the '/usr/share/osquery/packs' directory and create a new packs configuration file 'fim.conf'.
cd /usr/share/osquery/packs
vim fim.conf
Paste the configuration below.
{
"queries": {
"file_events": {
"query": "SELECT * FROM file_events;",
"removed": false,
"interval": 300
}
},
"file_paths": {
"homes": [
"/root/.ssh/%%",
"/home/%/.ssh/%%"
],
"etc": [
"/etc/%%"
],
"home": [
"/home/%%"
],
"tmp": [
"/tmp/%%"
],
"www": [
"/var/www/%%"
]
}
}
Save and exit.
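The 'file_paths' patterns above decide which files osquery will ever report on, so it is worth checking a path against them before trusting the monitoring. The following script is an added example written for this article, not code from osquery; it assumes the documented wildcard semantics ('%' matches any run of characters within one path component and never crosses a '/', a final '%%' matches everything beneath that point) and uses a constructed copy of the pack's 'file_paths' section. It generalizes the pack above: it reports, for any list of paths, which categories cover them and which are not monitored at all.

```python
import re

# Constructed copy of the "file_paths" section of the fim.conf pack shown above.
FILE_PATHS = {
    "homes": ["/root/.ssh/%%", "/home/%/.ssh/%%"],
    "etc": ["/etc/%%"],
    "home": ["/home/%%"],
    "tmp": ["/tmp/%%"],
    "www": ["/var/www/%%"],
}


def pattern_to_regex(pattern):
    """Translate one osquery file_paths pattern into a compiled regex.

    Assumed wildcard semantics: '%' matches any run of characters inside a
    single path component (it never crosses a '/'), and a final '%%'
    component matches every file and directory beneath that point.
    """
    recursive = pattern.endswith("/%%")
    base = pattern[:-3] if recursive else pattern
    if "%%" in base:
        raise ValueError("'%%' is only supported as the last component: " + pattern)
    components = []
    for component in base.split("/"):
        # Escape literal text, then let each '%' stand for "anything but a slash".
        components.append("[^/]*".join(re.escape(chunk) for chunk in component.split("%")))
    regex = "/".join(components)
    if recursive:
        regex += "/.+"  # at least one level below the base directory
    return re.compile(regex)


# Compile every pattern once so repeated lookups are cheap.
COMPILED = {cat: [pattern_to_regex(p) for p in pats] for cat, pats in FILE_PATHS.items()}


def categories_for(path):
    """Return the sorted list of FIM categories whose patterns cover 'path'."""
    return sorted(cat for cat, regexes in COMPILED.items()
                  if any(rx.fullmatch(path) for rx in regexes))


def coverage_report(paths):
    """Map each path to its categories; an empty list means this pack would
    never produce a file_events row for changes to that path."""
    return {p: categories_for(p) for p in paths}


if __name__ == "__main__":
    # Constructed sample of paths an operator might want to confirm are watched.
    report = coverage_report([
        "/var/www/howtoforge.md",
        "/home/vagrant/.ssh/authorized_keys",
        "/root/.ssh/authorized_keys",
        "/etc/ssh/sshd_config",
        "/usr/local/bin/backup.sh",
    ])
    for path, cats in report.items():
        print(f"{path:40} -> {cats or 'NOT MONITORED'}")
```

Paths under '/home/%/.ssh/' show up in both 'home' and 'homes', which is harmless but worth knowing when you later filter file_events by category; the last sample path falls outside every pattern and would be silently unmonitored.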
Now go back to the '/etc/osquery' configuration directory and edit the 'osquery.conf' file.
cd /etc/osquery/
vim osquery.conf
Add the File Integrity Monitoring packs configuration inside the 'packs' section.
"packs": {
"osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
"fim": "/usr/share/osquery/packs/fim.conf"
}
Save and exit, then restart the osqueryd service.
systemctl restart osqueryd
Note:
Keep validating the JSON configuration file with a JSON linter such as 'http://jsonlint.com/' and make sure there are no syntax errors.
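A host configuration can also be checked locally without pasting it into a website. The script below is an added example written for this article, not part of osquery; it parses an osquery.conf, follows its 'packs' references, reports JSON syntax errors with line and column numbers plus structural problems in the scheduled queries, and lists the effective schedule. The config and pack texts are constructed stand-ins for the files edited above, and the 'pack_<pack>_<query>' naming mirrors how pack queries appear in the results log.

```python
import json

# Constructed osquery.conf text shaped like the file edited in this step,
# deliberately referencing one pack that does not exist.
CONFIG_TEXT = """
{
  "options": {"config_plugin": "filesystem", "logger_plugin": "filesystem"},
  "schedule": {
    "crontab": {"query": "SELECT * FROM crontab;", "interval": 300}
  },
  "packs": {
    "fim": "/usr/share/osquery/packs/fim.conf",
    "missing": "/usr/share/osquery/packs/does-not-exist.conf"
  }
}
"""

# Constructed pack text, with two broken queries mixed in for the lint to catch.
PACK_TEXTS = {
    "/usr/share/osquery/packs/fim.conf": """
{
  "queries": {
    "file_events": {"query": "SELECT * FROM file_events;", "removed": false, "interval": 300},
    "bad_interval": {"query": "SELECT * FROM file_events;", "interval": "soon"},
    "no_query": {"interval": 60}
  },
  "file_paths": {"www": ["/var/www/%%"]}
}
"""
}

# The classic copy-paste mistake: a trailing comma after the last pack entry.
BROKEN_CONFIG_TEXT = '{"packs": {"fim": "/usr/share/osquery/packs/fim.conf",}}'


def _parse(label, text):
    """Parse JSON text; return (object, None) or (None, error with line/column)."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"{label}: invalid JSON at line {exc.lineno} column {exc.colno}: {exc.msg}"


def _check_queries(label, queries, problems):
    """Flag scheduled queries that are missing a query string or have a bad interval."""
    for name, spec in queries.items():
        if not isinstance(spec, dict) or not isinstance(spec.get("query"), str):
            problems.append(f"{label}: query '{name}' has no \"query\" string")
        interval = spec.get("interval") if isinstance(spec, dict) else None
        if interval is not None and (not isinstance(interval, int) or interval <= 0):
            problems.append(f"{label}: query '{name}' interval must be a positive integer, got {interval!r}")


def _read_from_disk(path):
    """Default pack loader: read the pack file, or None if it cannot be read."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return None


def lint_config(config_text, read_pack=_read_from_disk):
    """Return a list of problems in an osquery.conf and the packs it references.

    read_pack(path) returns a pack's text or None; the default reads from disk,
    so the same function works on a real /etc/osquery/osquery.conf.
    """
    config, err = _parse("osquery.conf", config_text)
    if err:
        return [err]
    problems = []
    _check_queries("schedule", config.get("schedule", {}), problems)
    for pack_name, pack_path in config.get("packs", {}).items():
        text = read_pack(pack_path)
        if text is None:
            problems.append(f"pack '{pack_name}': cannot read {pack_path}")
            continue
        pack, err = _parse(f"pack '{pack_name}'", text)
        if err:
            problems.append(err)
            continue
        _check_queries(f"pack '{pack_name}'", pack.get("queries", {}), problems)
    return problems


def effective_schedule(config_text, read_pack=_read_from_disk):
    """Map every query osqueryd would schedule to its interval: top-level
    queries keep their name, pack queries become pack_<pack>_<query>."""
    config = json.loads(config_text)
    schedule = {n: s.get("interval") for n, s in config.get("schedule", {}).items()}
    for pack_name, pack_path in config.get("packs", {}).items():
        text = read_pack(pack_path)
        if text is None:
            continue  # already reported by lint_config
        for qname, spec in json.loads(text).get("queries", {}).items():
            schedule[f"pack_{pack_name}_{qname}"] = spec.get("interval")
    return schedule


if __name__ == "__main__":
    for problem in lint_config(CONFIG_TEXT, PACK_TEXTS.get):
        print("PROBLEM:", problem)
    for problem in lint_config(BROKEN_CONFIG_TEXT, PACK_TEXTS.get):
        print("PROBLEM:", problem)
    print(effective_schedule(CONFIG_TEXT, PACK_TEXTS.get))
```

Run it against the real files by calling lint_config with the contents of '/etc/osquery/osquery.conf' and the default loader; a missing 'interval' is not flagged because osquery falls back to 'schedule_default_interval' from the options section.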
We will test the File Integrity Monitoring pack by creating new files in the monitored 'home' and 'www' directories.
Go to the '/var/www/' directory and create a new file named 'howtoforge.md', then create a file named 'fb-labs.md' in the '/home/vagrant/' home directory.
cd /var/www/
touch howtoforge.md
cd /home/vagrant/
touch fb-labs.md
Now we will check the monitoring results in two ways: with the interactive osqueryi shell and with the osqueryd results log.
osqueryi
Run the osqueryi command below.
osqueryi --config-path /etc/osquery/osquery.conf
Now query the file change events recorded in the 'file_events' table.
For all changes:
select * from file_events;
For the 'home' category:
select target_path, category, action, atime, ctime, mtime from file_events WHERE category='home';
For the 'www' web root category:
select target_path, category, action, atime, ctime, mtime from file_events WHERE category='www';
osqueryd results log
Go to the '/var/log/osquery' directory, where you will find the 'osqueryd.results.log' file.
cd /var/log/osquery/
ls -lah osqueryd.results.log
Filter the osquery logs using the 'grep' command.
grep -rin howtoforge.md osqueryd.results.log
grep -rin fb-labs.md osqueryd.results.log
You will see entries showing that those files were created.
The installation and configuration of File Integrity Monitoring (FIM) on Ubuntu and CentOS Linux servers using osquery has been completed successfully.
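grep is fine for a quick look, but the results log is newline-delimited JSON, so it can be parsed and filtered with the same questions the osqueryi queries above ask. The script below is an added example written for this article, not osquery code; the log lines are constructed in the shape of 'osqueryd.results.log' with event logging enabled (one JSON object per line, the row under "columns"), with made-up values and a deliberately malformed line. It filters file_events rows by category, finds a file name like the grep above, and flags changes to authorized_keys files as a simple detection.

```python
import json
from collections import Counter

# Constructed lines in the shape of /var/log/osquery/osqueryd.results.log.
# Values are made up; the last line simulates a partially written record.
SAMPLE_LOG = """\
{"name":"pack_fim_file_events","hostIdentifier":"fb-labs","calendarTime":"Mon Oct 28 10:00:01 2019 UTC","unixTime":1572256801,"decorations":{"username":"vagrant"},"columns":{"action":"CREATED","category":"www","target_path":"/var/www/howtoforge.md","uid":"0"},"action":"added"}
{"name":"pack_fim_file_events","hostIdentifier":"fb-labs","calendarTime":"Mon Oct 28 10:00:02 2019 UTC","unixTime":1572256802,"decorations":{"username":"vagrant"},"columns":{"action":"CREATED","category":"home","target_path":"/home/vagrant/fb-labs.md","uid":"1000"},"action":"added"}
{"name":"pack_fim_file_events","hostIdentifier":"fb-labs","calendarTime":"Mon Oct 28 10:05:40 2019 UTC","unixTime":1572257140,"decorations":{"username":"vagrant"},"columns":{"action":"UPDATED","category":"homes","target_path":"/home/vagrant/.ssh/authorized_keys","uid":"1000"},"action":"added"}
{"name":"crontab","hostIdentifier":"fb-labs","calendarTime":"Mon Oct 28 10:05:00 2019 UTC","unixTime":1572257100,"decorations":{"username":"vagrant"},"columns":{"command":"/usr/local/bin/backup.sh","path":"/etc/crontab"},"action":"added"}
{"name":"pack_fim_file_events","hostIdentifier":"fb-labs","calendarTime":"Mon Oct 28 10:06
"""


def parse_results_log(text):
    """Return (events, skipped): one decoded object per JSON line; blank or
    malformed lines are counted instead of aborting the whole read."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return events, skipped


def file_events(events, category=None):
    """The log-side equivalent of 'select ... from file_events where category=...':
    keep rows from file_events queries, optionally only one category."""
    rows = [e.get("columns", {}) for e in events if e.get("name", "").endswith("file_events")]
    if category is not None:
        rows = [r for r in rows if r.get("category") == category]
    return rows


def find_path(events, needle):
    """Like 'grep -i <needle> osqueryd.results.log', but matching only target_path."""
    return [r for r in file_events(events) if needle.lower() in r.get("target_path", "").lower()]


def ssh_key_changes(events):
    """Return (target_path, action) for every change to an authorized_keys file,
    a typical thing to alert on from FIM data."""
    return [(r["target_path"], r["action"]) for r in file_events(events)
            if r.get("target_path", "").endswith("/.ssh/authorized_keys")]


def summarize(events):
    """Count file_events rows per (category, action) for a quick overview."""
    return Counter((r.get("category"), r.get("action")) for r in file_events(events))


if __name__ == "__main__":
    events, skipped = parse_results_log(SAMPLE_LOG)
    print(f"{len(events)} events parsed, {skipped} malformed line(s) skipped")
    for row in file_events(events, category="www"):
        print("www:", row["action"], row["target_path"])
    print("grep-style hits:", [r["target_path"] for r in find_path(events, "fb-labs.md")])
    print("authorized_keys changes:", ssh_key_changes(events))
    print(summarize(events))
```

To use it on a real host, read '/var/log/osquery/osqueryd.results.log' into parse_results_log; rows from the scheduled 'crontab' query are kept in the event list but excluded by file_events, since only file_events queries carry the target_path and category columns.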