Host-based Intrusion Detection System
This project demonstrates the setup and configuration of a Host-based Intrusion Detection System (HIDS) using OSQuery on Kali Linux. It includes automated query scheduling for real-time monitoring and logging of system activities to detect suspicious behavior. Logs and configurations are optimized to track file integrity, monitor processes, and audit network activity, providing foundational insight into HIDS operations. This project exemplifies the use of open-source tools in a practical cybersecurity scenario, with configurations designed for efficiency and ease of deployment.
- Open Terminal in Kali.
- Run the following commands to install OSQuery:
sudo apt update
sudo apt install osquery -y
- After installation, check if OSQuery is installed by running:
osqueryi --version
Testing OSQuery in the interactive shell (osqueryi) works, so next create the configuration directory:
sudo mkdir -p /etc/osquery
Create osquery.conf:
sudo nano /etc/osquery/osquery.conf
Add the following configuration to the new file. Note that the file_events table only reports changes for directories listed in a file_paths section of the config (for example /etc/%%), so add one for the paths you want to watch; without it the file_events query returns no rows.
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "schedule_splay_percent": 10,
    "log_result_events": "true",
    "worker_threads": 2
  },
  "schedule": {
    "file_events": {
      "query": "SELECT * FROM file_events;",
      "interval": 60
    },
    "processes": {
      "query": "SELECT * FROM processes WHERE on_disk = 0;",
      "interval": 60
    }
  }
}
Save and close the file (in Nano, press CTRL + X, then Y, and Enter).
Verify the JSON syntax by running:
sudo osqueryi --config_path /etc/osquery/osquery.conf --verbose
This command checks for errors in the config file. If you see errors, fix them before moving on.

No errors in our output, so the configuration is good.
Start OSQuery
sudo osqueryd --config_path /etc/osquery/osquery.conf
To keep OSQuery running in the background, use:
sudo systemctl start osqueryd
Steps to run a query in osqueryi
First, ensure that the osqueryd daemon is running, using the following command:
sudo osqueryd --config_path /etc/osquery/osquery.conf
Open osqueryi
osqueryi
Run a Query:
Once you're in the osqueryi shell (you'll see a prompt that looks like osquery>), you can run your query. For example, to check the operating system version, enter:
SELECT * FROM os_version;
Check the Results: If the query runs successfully, you’ll see output displaying the results of the os_version table, which provides information about your operating system.
After running your query, check osqueryd.results.log again to see whether any entries were added. Use cat to view the results:
sudo cat /var/log/osquery/osqueryd.results.log
Query success! The log shows the results of our SELECT * FROM users; query.
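The results log written by the scheduled queries above is one JSON object per line, which makes it easy to triage with a short script. The following example is added here and is not part of the original project: it parses constructed sample lines in the shape osqueryd writes (name, action, columns), skips malformed lines, and raises an alert for "added" rows from the processes query (on_disk = 0) and for file_events touching a small, assumed list of sensitive paths.

```python
import json

# Constructed sample lines mimicking /var/log/osquery/osqueryd.results.log.
# osquery logs every column value as a string, so on_disk is "0", not 0.
SAMPLE_LOG = """\
{"name":"processes","hostIdentifier":"kali","unixTime":1700000000,"action":"added","columns":{"pid":"4242","name":"memfd_runner","path":"/memfd:payload (deleted)","on_disk":"0","uid":"1000"}}
{"name":"file_events","hostIdentifier":"kali","unixTime":1700000060,"action":"added","columns":{"target_path":"/etc/passwd","action":"UPDATED","uid":"0"}}
{"name":"processes","hostIdentifier":"kali","unixTime":1700000120,"action":"removed","columns":{"pid":"4242","name":"memfd_runner","on_disk":"0"}}
this line is not JSON and must be skipped
"""

# Assumed watch list; adjust to the file_paths you configured.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/etc/sudoers")


def parse_results_log(text):
    """Return a list of result events, one per well-formed JSON line."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: ignore, don't crash
        if "name" in event and "columns" in event:
            events.append(event)
    return events


def alerts_from_events(events, sensitive_paths=SENSITIVE_PATHS):
    """Turn differential results into alert strings (only 'added' rows)."""
    alerts = []
    for event in events:
        if event.get("action") != "added":
            continue  # 'removed' rows mean the condition stopped, not started
        cols = event["columns"]
        if event["name"] == "processes" and cols.get("on_disk") == "0":
            alerts.append("process not on disk: pid=%s name=%s path=%s"
                          % (cols.get("pid"), cols.get("name"), cols.get("path")))
        elif event["name"] == "file_events" and cols.get("target_path") in sensitive_paths:
            alerts.append("sensitive file %s: %s by uid=%s"
                          % (cols.get("action"), cols["target_path"], cols.get("uid")))
    return alerts


if __name__ == "__main__":
    for alert in alerts_from_events(parse_results_log(SAMPLE_LOG)):
        print(alert)
```

To run it against the real log, replace SAMPLE_LOG with the contents of /var/log/osquery/osqueryd.results.log (read as root).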
This project allowed me to dive into setting up Osquery as a powerful security monitoring tool, giving me hands-on experience with Linux system administration, log management, and crafting custom queries. By configuring Osquery to track essential system information, I demonstrated my ability to use open-source tools for security data collection and analysis.
Through my custom queries, like monitoring user activity, I showcased how I can adapt tools to meet specific security requirements. Although I included sample log data for illustration, I understand what actual log outputs look like and how to interpret them in real-world situations. This project also highlights my troubleshooting skills and confidence in working with command-line tools to meet security goals.
Overall, this experience strengthens my foundation in security monitoring and gives me a solid basis for integrating more advanced and scalable solutions.
