devborz/osquery_history_extension

Osquery History Extension

This osquery extension lets a user query the history of their own actions on a Linux computer through SQL tables.

Functions

  • Providing the user with Bash command line history
  • Providing the user with a list of modified files
  • Providing the user with Vim history (command history and file opening history)

User Guide

osquery> select * from bash_history;              -- outputs bash history

osquery> select * from filesystem_history;        -- outputs recently changed files

osquery> select * from vim_commandline_history;   -- outputs vim command-line history

osquery> select * from vim_filemarks_history;     -- outputs vim file-mark history

_build/extension options

$ _build/extension --help

Options:
  --help                outputs help message
  --filesystem          updates filesystem's history
  --bash                updates bash history's file
  --vim                 updates vim history's files
  --all                 updates all history's files

Downloading

$ git clone https://github.com/devborz/osquery_history_extension
$ cd osquery_history_extension

Configuring

$ chmod +x config/config.sh # configures ~/.profile so bash history is saved
$ ./config/config.sh        # together with the time and directory of each command

Building and data updating


$ cmake -H. -B_build
$ cmake --build _build
$ _build/extension --all

Osquery integration


$ osqueryi
Using a virtual database. Need help, type '.help'
osquery>
$ # in a second shell window:
$ python sources/extension.py --socket /home/${USERNAME}/.osquery/shell.em
$ # then go back to the first shell window

Using extension

Getting Bash history

osquery> select * from bash_history;
+------------+-------------------+---------+
| Time       | Execute directory | Command |
+------------+-------------------+---------+
|    ...     |         ...       |   ...   |
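An added example, not code from this repository: a parser that turns a timestamped bash history file into rows shaped the way an osquery Python `TablePlugin.generate()` must return them (a list of dicts keyed by column name, all values strings). It assumes bash's standard `#<epoch>` timestamp lines (written when `HISTTIMEFORMAT` is set) and a hypothetical `#cwd=<dir>` line for the execute directory, which is not the project's real format; the sample history is constructed.

```python
import re
from datetime import datetime, timezone

# Bash writes a "#<epoch>" comment line before each command when HISTTIMEFORMAT
# is set. The "#cwd=<dir>" line is an assumed layout for the execute directory,
# not the project's real format.
_TS = re.compile(r"^#(\d{9,10})$")
_CWD = re.compile(r"^#cwd=(.*)$")

# Constructed sample history for this example; not captured from a real host.
SAMPLE_HISTORY = """\
#1700000060
#cwd=/tmp
git pull
# a plain comment the user typed, not a timestamp
echo untimed
#1700000000
#cwd=/home/alice
ls -la
"""


def parse_bash_history(text):
    """Return rows in the shape osquery expects from TablePlugin.generate():
    [{"Time": ..., "Execute directory": ..., "Command": ...}, ...], oldest first."""
    rows, epoch, cwd = [], None, ""
    for line in text.splitlines():
        ts = _TS.match(line)
        if ts:                      # timestamp that applies to the next command
            epoch = int(ts.group(1))
            continue
        cw = _CWD.match(line)
        if cw:                      # assumed working-directory annotation
            cwd = cw.group(1)
            continue
        if not line.strip():
            continue
        # Anything else is a command, including comments the user typed.
        # A command with no preceding "#<epoch>" line gets an empty Time.
        when = ""
        if epoch is not None:
            when = datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append({"_epoch": -1 if epoch is None else epoch,
                     "Time": when, "Execute directory": cwd, "Command": line})
        epoch, cwd = None, ""       # annotations apply to one command only
    rows.sort(key=lambda r: r["_epoch"])  # sort by date; untimed rows come first
    for r in rows:
        del r["_epoch"]
    return rows
```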

Getting file change history

osquery> select * from filesystem_history;
+----------------+------------+----------+
| Time           | Path       | Filename |
+----------------+------------+----------+
|       ...      |      ...   |    ...   |

Getting Vim history

Vim command line history

osquery> select * from vim_commandline_history;
+-------------+---------+
| Time        | Command |
+-------------+---------+
|   ...       |   ...   |

Vim session history

osquery> select * from vim_filemarks_history;
+---------+-------------+----------+--------------+-----------------+
| Time    | File's path | Filename | Position row | Position column |
+---------+-------------+----------+--------------+-----------------+
|   ...   |      ...    |   ...    |     ...      |       ...       |

Download required packages

$ pip install osquery

Tasks

  • Set program_options
  • Implement bash history option
  • Implement file change history option
  • Implement sorting by date
  • Implement data storage in json format
  • Integrate into osquery as an extension
  • Add vim history option

About

Osquery extension for user action history
