Big Data security on Facebook: File Integrity Monitoring (FIM) using osquery on Linux

October 28, 2019 (last updated: October 27, 2019)

https://github.com/gridgentoo/osquery


Abstract

osquery, created by Facebook, is an open source operating system instrumentation, monitoring, and analytics framework. It exposes an operating system as a high-performance relational database that can be queried with SQL.

Maintaining real-time insight into the current state of your infrastructure is important. At Facebook, we’ve been working on a framework called osquery which attempts to approach the concept of low-level operating system monitoring a little differently.

Introducing osquery

Osquery exposes an operating system as a high-performance relational database. This design allows you to write SQL-based queries efficiently and easily to explore operating systems. With osquery, SQL tables represent the current state of operating system attributes, such as:

SQL tables are implemented via an easily extendable API. Several tables already exist and more are being written. To best understand the expressiveness that is afforded to you by osquery, consider the following examples.

Example queries

This first example illustrates how you might use osquery to interact with the processes that are running on the current system. Specifically, this query returns all of the processes which are currently executing. The where clause of the query only returns processes where the original binary used to launch the process no longer exists on the filesystem. This is a common tactic used by malicious actors, so this should not return any results on your system, assuming your system isn’t compromised.

SELECT name, path, pid FROM processes WHERE on_disk = 0;

Interacting with operating system state via SQL is fun and easy. One of the aspects of SQL that makes it so applicable to operating system analytics is the ability to join different tables together. Consider the following example, which uses data from both the “listening_ports” table and the “processes” table. This query finds all processes that are listening on network ports. Then, using the processes table from the last example, we can join the two tables together since they both expose the pid of the processes in question. This allows you to use generic tables to add context as you explore operating system state.

SELECT DISTINCT process.name, listening.port, listening.address, process.pid
    FROM processes AS process
    JOIN listening_ports AS listening
        ON process.pid = listening.pid;

There are many tables included with osquery and we’re creating more every day. Tables are easy to write, so we often encourage new contributors to develop a few tables as an introduction to the osquery codebase. For detailed documentation on how to create a table, see the guide on the wiki.

See the usage guide on the wiki.

Prerequisites

What we will do

Install osquery on Linux Server

osquery provides its own package repository for every supported platform, so the first step is to install the osquery package from the official osquery repository.

On Ubuntu

Add the osquery signing key to the system.

export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY

Add the osquery repository and install the package.

sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
sudo apt install osquery -y

On CentOS

Add the osquery key to the system.

curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery

Add and enable the osquery repository, and install the package.

sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
sudo yum-config-manager --enable osquery-s3-rpm
sudo yum install osquery -y

Wait for all packages to be installed.

Note:

If you get the following error, the yum-config-manager command is not installed:

sudo: yum-config-manager: command not found

Install the 'yum-utils' package.

sudo yum -y install yum-utils

Enable Syslog Consumption in osquery

On Ubuntu

Install the rsyslog package using the apt command below.

sudo apt install rsyslog -y

On CentOS

Install the rsyslog package using the yum command below.

sudo yum install rsyslog -y

After the installation is complete, go to the '/etc/rsyslog.d' directory and create a new configuration file named 'osquery.conf'.

cd /etc/rsyslog.d/
vim osquery.conf

Paste the following configuration there.

template(
  name="OsqueryCsvFormat"
  type="string"
  string="%timestamp:::date-rfc3339,csv%,%hostname:::csv%,%syslogseverity:::csv%,%syslogfacility-text:::csv%,%syslogtag:::csv%,%msg:::csv%\n"
)
*.* action(type="ompipe" Pipe="/var/osquery/syslog_pipe" template="OsqueryCsvFormat")

Save and exit.
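The template above writes one CSV record per syslog message into the named pipe that osquery's 'syslog' table reads. The Python script below is an added example, not part of the original guide or of the osquery project: it parses a few constructed sample lines in exactly the field order the template produces (RFC 3339 timestamp, host, numeric severity, facility, tag, message), maps them onto the column names of the syslog table, and runs two simple checks over them. The host names, addresses and messages are invented, and nothing here reads the real pipe.

```python
import csv
import io
from typing import Dict, List

# Constructed sample of what the OsqueryCsvFormat template writes into
# /var/osquery/syslog_pipe: one CSV record per message, fields in template order.
# Hosts, addresses and messages are invented for this example.
SAMPLE_PIPE_LINES = '''"2019-10-28T10:15:02.412345+00:00","fb-labs","6","auth","sshd[1842]:"," Accepted publickey for vagrant from 192.0.2.10 port 51234 ssh2"
"2019-10-28T10:15:09.001200+00:00","fb-labs","6","auth","sshd[1850]:"," Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2"
"2019-10-28T10:15:10.777000+00:00","fb-labs","3","daemon","osqueryd[912]:"," Error reading config: /etc/osquery/osquery.conf"
"2019-10-28T10:16:00.000000+00:00","fb-labs","6","cron","CRON[1901]:"," (root) CMD (run-parts /etc/cron.hourly)"
'''

# Column names in the order the template emits them, named as osquery's syslog
# table exposes them (the table's time and eid columns are derived, not parsed).
COLUMNS = ("datetime", "host", "severity", "facility", "tag", "message")


def parse_pipe_lines(text: str) -> List[Dict[str, str]]:
    """Parse CSV records in the template's field order into syslog-table-shaped rows.

    Lines without exactly six fields (truncated writes, blank lines) are skipped
    rather than raising: a log consumer must not die on one bad line.
    """
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) != len(COLUMNS):
            continue
        row = dict(zip(COLUMNS, fields))
        # rsyslog's %msg% keeps the space that follows the tag; strip it for matching.
        row["message"] = row["message"].strip()
        rows.append(row)
    return rows


def errors_and_worse(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Syslog severity is numeric (0 emerg .. 7 debug); keep err (3) and more severe."""
    return [r for r in rows if r["severity"].isdigit() and int(r["severity"]) <= 3]


def failed_ssh_sources(rows: List[Dict[str, str]]) -> List[str]:
    """Return the source addresses from sshd 'Failed password' messages."""
    sources = []
    for r in rows:
        if not r["tag"].startswith("sshd") or not r["message"].startswith("Failed password"):
            continue
        words = r["message"].split()
        # Message shape: "... from <address> port <port> ssh2"
        if "from" in words and words.index("from") + 1 < len(words):
            sources.append(words[words.index("from") + 1])
    return sources


if __name__ == "__main__":
    parsed = parse_pipe_lines(SAMPLE_PIPE_LINES)
    print(f"{len(parsed)} syslog rows parsed")
    for r in errors_and_worse(parsed):
        print("error-level:", r["datetime"], r["tag"], r["message"])
    print("failed ssh logins from:", failed_ssh_sources(parsed))
```

The same field order is what you will see in the 'syslog' table once osqueryd is consuming the pipe, so a query such as selecting rows with severity <= 3 is the in-osquery equivalent of errors_and_worse here.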

Basic osquery Configuration

The default osquery configuration file is 'osquery.conf', usually located in the '/etc/osquery' directory. A sample configuration ships at '/usr/share/osquery/osquery.conf', and sample query packs ship in '/usr/share/osquery/packs'.

In this step, we will learn about the osquery configuration components, create the custom osquery configuration, and then deploy the osqueryd as a service.

The osquery configuration is a JSON file made up of the sections shown below: 'options', 'schedule', 'decorators', and 'packs'.

Go to the '/etc/osquery' directory and create a new custom configuration 'osquery.conf'.

cd /etc/osquery/
vim osquery.conf

Paste the following configurations there.

{
    "options": {
        "config_plugin": "filesystem",
        "logger_plugin": "filesystem",
        "logger_path": "/var/log/osquery",
        "disable_logging": "false",
        "log_result_events": "true",
        "schedule_splay_percent": "10",
        "pidfile": "/var/osquery/osquery.pidfile",
        "events_expiry": "3600",
        "database_path": "/var/osquery/osquery.db",
        "verbose": "false",
        "worker_threads": "2",
        "enable_monitor": "true",
        "disable_events": "false",
        "disable_audit": "false",
        "audit_allow_config": "true",
        "host_identifier": "fb-labs",
        "enable_syslog": "true",
        "syslog_pipe_path": "/var/osquery/syslog_pipe",
        "force": "true",
        "audit_allow_sockets": "true",
        "schedule_default_interval": "3600"
    },


    "schedule": {
        "crontab": {
            "query": "SELECT * FROM crontab;",
            "interval": 300
        },
        "system_info": {
            "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
            "interval": 3600
        },
        "ssh_login": {
            "query": "SELECT username, time, host FROM last WHERE type=7",
            "interval": 360
        }
    },

    "decorators": {
        "load": [
            "SELECT uuid AS host_uuid FROM system_info;",
            "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
        ]
    },

    "packs": {
        "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf"
    }
}

Save and exit.

Now start the osqueryd service and enable it to launch at system boot.

systemctl start osqueryd
systemctl enable osqueryd

And restart the rsyslog service.

systemctl restart rsyslog

The basic osquery configuration is complete.

Configure File Integrity Monitoring (FIM) Using osquery

osquery provides File Integrity Monitoring on Linux and macOS (Darwin) using inotify and FSEvents respectively. Put simply, it monitors and detects changes to files under the directories defined in 'file_paths' and stores all of that activity in the 'file_events' table.

In this step, we will configure osquery to monitor important directories, namely the home directories, the .ssh directories, /etc, /tmp, and the /var/www web root, using a custom FIM pack.

Go to the '/usr/share/osquery/packs' directory and create a new packs configuration file 'fim.conf'.

cd /usr/share/osquery/packs
vim fim.conf

Paste the configuration below.

{
  "queries": {
    "file_events": {
      "query": "SELECT * FROM file_events;",
      "removed": false,
      "interval": 300
    }
  },
  "file_paths": {
    "homes": [
      "/root/.ssh/%%",
      "/home/%/.ssh/%%"
    ],
    "etc": [
      "/etc/%%"
    ],
    "home": [
      "/home/%%"
    ],
    "tmp": [
      "/tmp/%%"
    ],
    "www": [
      "/var/www/%%"
    ]
  }
}

Save and exit.

Now go back to the '/etc/osquery' configuration directory and edit the 'osquery.conf' file.

cd /etc/osquery/
vim osquery.conf

Add the File Integrity Monitoring packs configuration inside the 'packs' section.

    "packs": {
        "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
        "fim": "/usr/share/osquery/packs/fim.conf"
    }

Save and exit, then restart the osqueryd service.

systemctl restart osqueryd

Note:

Validate the JSON configuration file with a JSON linter such as 'http://jsonlint.com/' and make sure it contains no errors.
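A JSON linter catches syntax errors but not osquery-specific mistakes. The script below is an added example, not part of the original guide or of the osquery project: it loads an osquery.conf together with the packs it references and, beyond checking that both parse as JSON, verifies the things that silently break FIM: that 'disable_events' is not set to true while 'file_events' is scheduled (file_events is an evented table, so it stays empty with events disabled), that every 'file_paths' pattern is absolute, and that the recursive '%%' wildcard is only used as the last path component, which is osquery's documented rule for these patterns. The sample configuration is a trimmed copy of the one in this guide, embedded as text so the check runs without touching /etc; the 'packs' argument stands in for reading the pack files from disk.

```python
import json
from typing import Dict, List

# Constructed sample: the osquery.conf from this guide, trimmed to the sections the
# checks below look at. Embedded as text so nothing is read from /etc.
SAMPLE_OSQUERY_CONF = """
{
    "options": {
        "config_plugin": "filesystem",
        "logger_plugin": "filesystem",
        "disable_events": "false",
        "enable_syslog": "true",
        "host_identifier": "fb-labs"
    },
    "schedule": {
        "crontab": {"query": "SELECT * FROM crontab;", "interval": 300}
    },
    "packs": {
        "fim": "/usr/share/osquery/packs/fim.conf"
    }
}
"""

# Constructed sample: the fim.conf pack from this guide.
SAMPLE_FIM_PACK = """
{
  "queries": {
    "file_events": {"query": "SELECT * FROM file_events;", "removed": false, "interval": 300}
  },
  "file_paths": {
    "homes": ["/root/.ssh/%%", "/home/%/.ssh/%%"],
    "etc": ["/etc/%%"],
    "www": ["/var/www/%%"]
  }
}
"""


def check_file_paths(file_paths: Dict[str, List[str]]) -> List[str]:
    """Validate FIM patterns: absolute paths, and '%%' (recursive) only as the last component.

    '%' matches a single path component and '%%' matches recursively; osquery only
    accepts '%%' at the end of a pattern, so '/etc/%%/ssh' would never match anything.
    """
    problems = []
    for category, patterns in file_paths.items():
        if not isinstance(patterns, list) or not patterns:
            problems.append(f"file_paths[{category!r}] must be a non-empty list of patterns")
            continue
        for pattern in patterns:
            if not pattern.startswith("/"):
                problems.append(f"{category}: pattern {pattern!r} is not an absolute path")
            if "%%" in pattern.split("/")[:-1]:
                problems.append(f"{category}: '%%' must be the last component of {pattern!r}")
    return problems


def check_config(conf_text: str, packs: Dict[str, str]) -> List[str]:
    """Return every problem found in an osquery.conf and the packs it references.

    `packs` maps a pack path (as written in the 'packs' section) to that file's text,
    standing in for reading it from disk.
    """
    try:
        conf = json.loads(conf_text)
    except json.JSONDecodeError as exc:
        return [f"osquery.conf is not valid JSON: {exc}"]

    problems: List[str] = []
    schedules_file_events = False

    for name, path in conf.get("packs", {}).items():
        text = packs.get(path)
        if text is None:
            problems.append(f"pack {name!r}: {path} not found")
            continue
        try:
            pack = json.loads(text)
        except json.JSONDecodeError as exc:
            problems.append(f"pack {name!r}: not valid JSON: {exc}")
            continue
        for qname, query in pack.get("queries", {}).items():
            interval = query.get("interval")
            if not isinstance(interval, int) or interval <= 0:
                problems.append(f"pack {name!r} query {qname!r}: interval must be a positive integer")
            if "file_events" in query.get("query", ""):
                schedules_file_events = True
        problems.extend(check_file_paths(pack.get("file_paths", {})))

    # file_events is an evented table: with events disabled the query runs but returns nothing.
    options = conf.get("options", {})
    if schedules_file_events and str(options.get("disable_events", "false")).lower() == "true":
        problems.append("file_events is scheduled but options.disable_events is true; FIM will log nothing")
    return problems


if __name__ == "__main__":
    found = check_config(SAMPLE_OSQUERY_CONF, {"/usr/share/osquery/packs/fim.conf": SAMPLE_FIM_PACK})
    print("problems:", found or "none")
```

To run it against a real host, replace the two embedded strings with the contents of '/etc/osquery/osquery.conf' and of each file named in its 'packs' section; the JSON error messages include the line and column, which is the same information the online linter gives you.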

Testing

We will test the File Integrity Monitoring pack by creating a new file in each of the defined 'home' and 'www' directories.

Go to the '/var/www/' directory and create a new file named 'howtoforge.md'.

cd /var/www/
touch howtoforge.md

Go to your user's home directory (here '/home/vagrant/') and create a new file named 'fb-labs.md'.

cd /home/vagrant/
touch fb-labs.md

Now we will check the monitoring results in two ways: interactively with osqueryi, and in the osquery results log.

osqueryi

Run the osqueryi command below.

osqueryi --config-path /etc/osquery/osquery.conf

Now query the 'file_events' table for the recorded file changes.

For all changes:

select * from file_events;

For the 'home' category:

select target_path, category, action, atime, ctime, mtime from file_events WHERE category='home';

For the 'www' web root category:

select target_path, category, action, atime, ctime, mtime from file_events WHERE category='www';

osqueryd results log

Go to the '/var/log/osquery' directory, where you will find the 'osqueryd.results.log' file.

cd /var/log/osquery/
ls -lah osqueryd.results.log

Filter the osquery logs using the 'grep' command.

grep -in howtoforge.md osqueryd.results.log
grep -in fb-labs.md osqueryd.results.log

You will see log entries showing that those files were created.
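Grepping for a file name confirms the test, but a results log is meant to be processed. The script below is an added example, not part of the original guide or of the osquery project: it parses a few constructed lines in the newline-delimited JSON shape osqueryd writes to 'osqueryd.results.log' when 'log_result_events' is enabled, keeps the rows that came from the FIM pack (osquery names a pack query as the pack name joined to the query name, so here 'pack_fim_file_events'), counts changes per category, and produces an alert line for any change under an .ssh directory, /etc or the web root. All host names, paths, times and users in the sample are invented, and the is_sensitive policy is a choice made for this example, not something osquery defines.

```python
import json
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample of /var/log/osquery/osqueryd.results.log. With log_result_events
# enabled, each result row is one JSON object per line; rows from the FIM pack carry the
# name "pack_fim_file_events" (pack name + query name). Every value here is invented.
SAMPLE_RESULTS_LOG = '''
{"name":"pack_fim_file_events","hostIdentifier":"fb-labs","calendarTime":"Mon Oct 28 10:15:02 2019 UTC","unixTime":1572257702,"decorations":{"username":"vagrant"},"columns":{"target_path":"/home/vagrant/fb-labs.md","category":"home","action":"CREATED","uid":"1000","mode":"0644","size":"0","time":"1572257700"},"action":"added"}
{"name":"pack_fim_file_events","hostIdentifier":"fb-labs","calendarTime":"Mon Oct 28 10:15:02 2019 UTC","unixTime":1572257702,"decorations":{"username":"vagrant"},"columns":{"target_path":"/var/www/howtoforge.md","category":"www","action":"CREATED","uid":"0","mode":"0644","size":"0","time":"1572257701"},"action":"added"}
{"name":"pack_fim_file_events","hostIdentifier":"fb-labs","calendarTime":"Mon Oct 28 10:20:02 2019 UTC","unixTime":1572258002,"decorations":{"username":"vagrant"},"columns":{"target_path":"/home/vagrant/.ssh/authorized_keys","category":"homes","action":"UPDATED","uid":"1000","mode":"0600","size":"1192","time":"1572257999"},"action":"added"}
{"name":"crontab","hostIdentifier":"fb-labs","calendarTime":"Mon Oct 28 10:20:02 2019 UTC","unixTime":1572258002,"columns":{"command":"/usr/bin/certbot renew","path":"/etc/crontab"},"action":"added"}
this line is not JSON and must not abort the parse
'''

FIM_QUERY_NAME = "pack_fim_file_events"


def parse_results_log(text: str) -> Dict[str, object]:
    """Parse newline-delimited JSON; malformed lines are counted, never fatal."""
    records, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1
    return {"records": records, "malformed": malformed}


def fim_rows(records: Iterable[dict]) -> List[Dict[str, str]]:
    """Keep only rows added by the FIM query and flatten the fields worth reporting."""
    rows = []
    for rec in records:
        if rec.get("name") != FIM_QUERY_NAME or rec.get("action") != "added":
            continue
        cols = rec.get("columns", {})
        rows.append({
            "path": cols.get("target_path", ""),
            "category": cols.get("category", ""),
            "change": cols.get("action", ""),   # CREATED, UPDATED, DELETED, ...
            "uid": cols.get("uid", ""),
            "when": rec.get("calendarTime", ""),
            "user": rec.get("decorations", {}).get("username", ""),
        })
    return rows


def is_sensitive(path: str) -> bool:
    """Changes here deserve an alert, not just a log line: SSH keys, /etc, the web root."""
    return "/.ssh/" in path or path.startswith("/etc/") or path.startswith("/var/www/")


def summarize(log_text: str) -> dict:
    """Counts per FIM category plus one alert line per change to a sensitive path."""
    parsed = parse_results_log(log_text)
    rows = fim_rows(parsed["records"])
    alerts = [
        f'{r["when"]}: {r["change"]} {r["path"]} (uid {r["uid"]}, category {r["category"]})'
        for r in rows if is_sensitive(r["path"])
    ]
    return {
        "fim_rows": len(rows),
        "by_category": dict(Counter(r["category"] for r in rows)),
        "alerts": alerts,
        "malformed_lines": parsed["malformed"],
    }


def events_for(log_text: str, filename: str) -> List[Dict[str, str]]:
    """Structured equivalent of `grep <filename> osqueryd.results.log`."""
    rows = fim_rows(parse_results_log(log_text)["records"])
    return [r for r in rows if r["path"].endswith("/" + filename)]


if __name__ == "__main__":
    report = summarize(SAMPLE_RESULTS_LOG)
    print(f'{report["fim_rows"]} FIM rows, by category: {report["by_category"]}')
    for alert in report["alerts"]:
        print("ALERT", alert)
    print("events for howtoforge.md:", events_for(SAMPLE_RESULTS_LOG, "howtoforge.md"))
```

Feed it the real file with open('/var/log/osquery/osqueryd.results.log').read() in place of the sample; the same parse_results_log and fim_rows functions are what you would hang a forwarder or alerting rule off, since the log is written line by line and a partially written last line must not break the consumer.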

The installation and configuration of File Integrity Monitoring (FIM) with osquery on Ubuntu and CentOS Linux servers is now complete.
