Skip to content

Configuring Osquery with Security Onion

Mike Reeves edited this page May 6, 2019 · 19 revisions

Osquery Deployment

Open the firewall on the master to allow endpoints to connect. This is automatically done for all parts of the SO architecture so this is for your endpoints.

sudo /opt/so/saltstack/pillar/firewall/ osquery_endpoint

Now we need to run the fleet setup so the packages get auto generated and the initial fleet setup can complete:

sudo sh /opt/so/conf/fleet/ <MASTER DNS NAME>

The DNS name is important! The setup script will embed it into the osquery packages. Once this script is finished, you can login to fleet with the information provided, as well as navigate to the osquery packages webpage (https://MASTER/packages/) to download the packages. By default, the packages are set to autoupdate, but that option is builtin and can be easily disabled.

Osquery data in Kibana

All osquery logs can be found by using the following query: event_type: osquery

Dashboard: Osquery - Overview

This dashboard gives an overview of the osquery logs. It should work out of the box no matter how you schedule or name your queries & packs as long as the osquery configuration (from the prereq) is used.

Dashboard: Osquery - Chrome Extensions

This dashboard gives an idea of how to visualize osquery data - in this example, Chrome Extensions. This dashboard is not linked on the navigation page but can be found at https://MASTERSERVER/kibana/blah . For this dashboard to work the following query should be scheduled (it's a bit longer because it filters out common benign Chrome extensions). Also, the query name should include the word chrome somewhere in it.

SELECT users.username,chrome_extensions.*,chrome_extensions.path FROM users CROSS JOIN chrome_extensions USING (uid) where identifier not in ('aapocclcgogkmnckokdopfmhonfmgoek','aohghmighlieiainnegkcijnfilokake', 'apdfllckaahabafndbhieahigkjlhalf','felcaaldnbdncclmgdcncolpebgiejap','pjkljhegncpnkpknbcohdijeoejaedia','pkedcjkdefgpdelpbcmbmeomcjbeemfm','blpcfgokakmgnkcojhhkbfbldkacnbeo','ghbmnnjooekpmoecnnnilnnbdlolhkhi','nmmhkkegccagdldgiimedpiccmgmieda');

You can’t perform that action at this time.