```
select count(*) from launchd;
```
```
osquery> select * from system_info;
+------------------+--------------------------------------+----------+-----------------------+------------------------------------------+--------------------+-------------------+-----------------+-----------------+----------------+------------------+-----------------+---------------+----------------+
| hostname         | uuid                                 | cpu_type | cpu_subtype           | cpu_brand                                | cpu_physical_cores | cpu_logical_cores | physical_memory | hardware_vendor | hardware_model | hardware_version | hardware_serial | computer_name | local_hostname |
+------------------+--------------------------------------+----------+-----------------------+------------------------------------------+--------------------+-------------------+-----------------+-----------------+----------------+------------------+-----------------+---------------+----------------+
| fengyfei-2.local | 219B0B00-2B63-5A6C-B64A-78CC06CDF7C0 | x86_64h  | Intel x86-64h Haswell | Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz | 2                  | 4                 | 8589934592      | Apple Inc.      | MacBookAir7,2  | 1.0              | C1MRTF6RH3QF    | fengyfei      | fengyfei-2     |
+------------------+--------------------------------------+----------+-----------------------+------------------------------------------+--------------------+-------------------+-----------------+-----------------+----------------+------------------+-----------------+---------------+----------------+
```
```
osquery> select * from docker_containers;
+------------------------------------------------------------------+--------+-------+------------------------------------------------------------------+------------------------+------------+---------+-------------+
| id                                                               | name   | image | image_id                                                         | command                | created    | state   | status      |
+------------------------------------------------------------------+--------+-------+------------------------------------------------------------------+------------------------+------------+---------+-------------+
| 24db3eebc885fb421b94f51e342a4c495490985724725e4003a7a909e10ca84f | /nginx | nginx | 40960efd7b8f44ed5cafee61c189a8f4db39838848d41861898f56c29565266e | nginx -g 'daemon off;' | 1509944481 | running | Up 23 hours |
+------------------------------------------------------------------+--------+-------+------------------------------------------------------------------+------------------------+------------+---------+-------------+
```
```
osquery> SELECT * FROM homebrew_packages;
+-------------------+--------------------------------------+----------------+
| name              | path                                 | version        |
+-------------------+--------------------------------------+----------------+
| adns              | /usr/local/Cellar/adns/              | 1.5.1          |
| aircrack-ng       | /usr/local/Cellar/aircrack-ng/       | 1.1_2          |
| asio              | /usr/local/Cellar/asio/              | 1.10.8_1       |
| augeas            | /usr/local/Cellar/augeas/            | 1.8.1          |
| autoconf          | /usr/local/Cellar/autoconf/          | 2.69           |
| automake          | /usr/local/Cellar/automake/          | 1.15.1         |
| axel              | /usr/local/Cellar/axel/              | 2.12           |
| boost             | /usr/local/Cellar/boost/             | 1.65.0         |
| cdrtools          | /usr/local/Cellar/cdrtools/          | 3.01_1         |
| cloc              | /usr/local/Cellar/cloc/              | 1.72           |
| cmake             | /usr/local/Cellar/cmake/             | 3.7.2          |
| cmake             | /usr/local/Cellar/cmake/             | 3.8.1          |
| cockroach         | /usr/local/Cellar/cockroach/         | 1.0            |
| cockroach         | /usr/local/Cellar/cockroach/         | 20161013       |
| dart              | /usr/local/Cellar/dart/              | 1.24.2         |
| delve             | /usr/local/Cellar/delve/             | 0.12.2         |
| delve             | /usr/local/Cellar/delve/             | 1.0.0-rc.1     |
| eigen             | /usr/local/Cellar/eigen/             | 3.3.4          |
| erlang            | /usr/local/Cellar/erlang/            | 20.0           |
| ffmpeg            | /usr/local/Cellar/ffmpeg/            | 3.2.4          |
| ffmpeg            | /usr/local/Cellar/ffmpeg/            | 3.3.4          |
| fontconfig        | /usr/local/Cellar/fontconfig/        | 2.12.1_2       |
| fpp               | /usr/local/Cellar/fpp/               | 0.7.2          |
| freetype          | /usr/local/Cellar/freetype/          | 2.7.1          |
| freetype          | /usr/local/Cellar/freetype/          | 2.8            |
| gd                | /usr/local/Cellar/gd/                | 2.2.4_1        |
| gdbm              | /usr/local/Cellar/gdbm/              | 1.12           |
| gdbm              | /usr/local/Cellar/gdbm/              | 1.13           |
| gettext           | /usr/local/Cellar/gettext/           | 0.19.8.1       |
| gflags            | /usr/local/Cellar/gflags/            | 2.2.1          |
| glide             | /usr/local/Cellar/glide/             | 0.12.3         |
| glog              | /usr/local/Cellar/glog/              | 0.3.5_1        |
| gmp               | /usr/local/Cellar/gmp/               | 6.1.2          |
| gnupg             | /usr/local/Cellar/gnupg/             | 2.1.21         |
| gnutls            | /usr/local/Cellar/gnutls/            | 3.5.12_2       |
| go                | /usr/local/Cellar/go/                | 1.8.1          |
| go                | /usr/local/Cellar/go/                | 1.8.3          |
| go                | /usr/local/Cellar/go/                | 1.9.1          |
| go                | /usr/local/Cellar/go/                | 1.9.2          |
| go                | /usr/local/Cellar/go/                | 1.9            |
| graphviz          | /usr/local/Cellar/graphviz/          | 2.40.1         |
| htop              | /usr/local/Cellar/htop/              | 2.0.2          |
| hugo              | /usr/local/Cellar/hugo/              | 0.17           |
| ideviceinstaller  | /usr/local/Cellar/ideviceinstaller/  | 1.1.0_3        |
| ilmbase           | /usr/local/Cellar/ilmbase/           | 2.2.0          |
| ios-deploy        | /usr/local/Cellar/ios-deploy/        | 1.9.2          |
| iproute2mac       | /usr/local/Cellar/iproute2mac/       | 1.1.1          |
| jemalloc          | /usr/local/Cellar/jemalloc/          | 5.0.1          |
| jpeg              | /usr/local/Cellar/jpeg/              | 8d             |
| jpeg              | /usr/local/Cellar/jpeg/              | 9b             |
| lame              | /usr/local/Cellar/lame/              | 3.99.5         |
| libarchive        | /usr/local/Cellar/libarchive/        | 3.3.2          |
| libassuan         | /usr/local/Cellar/libassuan/         | 2.4.3_1        |
| libevent          | /usr/local/Cellar/libevent/          | 2.1.8          |
| libffi            | /usr/local/Cellar/libffi/            | 3.0.13         |
| libffi            | /usr/local/Cellar/libffi/            | 3.2.1          |
| libgcrypt         | /usr/local/Cellar/libgcrypt/         | 1.7.7          |
| libgpg-error      | /usr/local/Cellar/libgpg-error/      | 1.27           |
| libimobiledevice  | /usr/local/Cellar/libimobiledevice/  | 1.2.0_2        |
| libimobiledevice  | /usr/local/Cellar/libimobiledevice/  | HEAD-0dbe76b_2 |
| libksba           | /usr/local/Cellar/libksba/           | 1.3.5          |
| libmagic          | /usr/local/Cellar/libmagic/          | 5.31           |
| libplist          | /usr/local/Cellar/libplist/          | 2.0.0          |
| libpng            | /usr/local/Cellar/libpng/            | 1.6.29         |
| libpng            | /usr/local/Cellar/libpng/            | 1.6.32         |
| libtasn1          | /usr/local/Cellar/libtasn1/          | 4.12           |
| libtiff           | /usr/local/Cellar/libtiff/           | 4.0.7_3        |
| libtiff           | /usr/local/Cellar/libtiff/           | 4.0.8          |
| libtiff           | /usr/local/Cellar/libtiff/           | 4.0.8_4        |
| libtool           | /usr/local/Cellar/libtool/           | 2.4.6_1        |
| libunistring      | /usr/local/Cellar/libunistring/      | 0.9.7          |
| libusb            | /usr/local/Cellar/libusb/            | 1.0.21         |
| libxml2           | /usr/local/Cellar/libxml2/           | 2.9.4_3        |
| libzip            | /usr/local/Cellar/libzip/            | 1.2.0          |
| lldpd             | /usr/local/Cellar/lldpd/             | 0.9.7          |
| lz4               | /usr/local/Cellar/lz4/               | 1.8.0          |
| md5sha1sum        | /usr/local/Cellar/md5sha1sum/        | 0.9.5          |
| mercurial         | /usr/local/Cellar/mercurial/         | 4.2.1          |
| mobile-shell      | /usr/local/Cellar/mobile-shell/      | 1.3.0_1        |
| mongodb           | /usr/local/Cellar/mongodb/           | 3.2.9          |
| mosh              | /usr/local/Cellar/mosh/              | 1.3.0_1        |
| nettle            | /usr/local/Cellar/nettle/            | 3.3            |
| nginx-full        | /usr/local/Cellar/nginx-full/        | 1.10.3         |
| nginx             | /usr/local/Cellar/nginx/             | 1.10.1         |
| nginx             | /usr/local/Cellar/nginx/             | 1.10.3         |
| npth              | /usr/local/Cellar/npth/              | 1.5            |
| numpy             | /usr/local/Cellar/numpy/             | 1.13.3         |
| opencv            | /usr/local/Cellar/opencv/            | 3.3.0_3        |
| openexr           | /usr/local/Cellar/openexr/           | 2.2.0          |
| openssl           | /usr/local/Cellar/openssl/           | 1.0.2h_1       |
| openssl           | /usr/local/Cellar/openssl/           | 1.0.2j         |
| openssl           | /usr/local/Cellar/openssl/           | 1.0.2k         |
| openssl           | /usr/local/Cellar/openssl/           | 1.0.2l         |
| openssl@1.1       | /usr/local/Cellar/openssl@1.1/       | 1.1.0e         |
| osquery           | /usr/local/Cellar/osquery/           | 2.7.0_1        |
| p11-kit           | /usr/local/Cellar/p11-kit/           | 0.23.7         |
| pcre              | /usr/local/Cellar/pcre/              | 8.39           |
| pcre              | /usr/local/Cellar/pcre/              | 8.40           |
| peco              | /usr/local/Cellar/peco/              | 0.4.7          |
| pinentry          | /usr/local/Cellar/pinentry/          | 1.0.0          |
| pkg-config        | /usr/local/Cellar/pkg-config/        | 0.29.1_2       |
| pkg-config        | /usr/local/Cellar/pkg-config/        | 0.29.2         |
| portaudio         | /usr/local/Cellar/portaudio/         | 19.6.0         |
| protobuf          | /usr/local/Cellar/protobuf/          | 3.3.0          |
| pwgen             | /usr/local/Cellar/pwgen/             | 2.07           |
| python            | /usr/local/Cellar/python/            | 2.7.12_2       |
| python            | /usr/local/Cellar/python/            | 2.7.13         |
| python            | /usr/local/Cellar/python/            | 2.7.14         |
| python3           | /usr/local/Cellar/python3/           | 3.6.2          |
| python3           | /usr/local/Cellar/python3/           | 3.6.3          |
| rapidjson         | /usr/local/Cellar/rapidjson/         | 1.1.0          |
| readline          | /usr/local/Cellar/readline/          | 7.0.1          |
| readline          | /usr/local/Cellar/readline/          | 7.0.3_1        |
| redis             | /usr/local/Cellar/redis/             | 3.2.3          |
| rocksdb           | /usr/local/Cellar/rocksdb/           | 5.7.2          |
| rtmp-nginx-module | /usr/local/Cellar/rtmp-nginx-module/ | 1.1.7.10       |
| sdl2              | /usr/local/Cellar/sdl2/              | 2.0.5          |
| sdl2_image        | /usr/local/Cellar/sdl2_image/        | 2.0.1_2        |
| sdl2_mixer        | /usr/local/Cellar/sdl2_mixer/        | 2.0.1          |
| sdl2_ttf          | /usr/local/Cellar/sdl2_ttf/          | 2.0.14         |
| sleuthkit         | /usr/local/Cellar/sleuthkit/         | 4.4.2          |
| snappy            | /usr/local/Cellar/snappy/            | 1.1.7          |
| sqlite            | /usr/local/Cellar/sqlite/            | 3.15.2         |
| sqlite            | /usr/local/Cellar/sqlite/            | 3.19.3         |
| sqlite            | /usr/local/Cellar/sqlite/            | 3.20.1         |
| tile38            | /usr/local/Cellar/tile38/            | 1.9.0          |
| tmux              | /usr/local/Cellar/tmux/              | 2.4            |
| usbmuxd           | /usr/local/Cellar/usbmuxd/           | 1.0.10_1       |
| vegeta            | /usr/local/Cellar/vegeta/            | 6.3.0          |
| watchman          | /usr/local/Cellar/watchman/          | 4.7.0          |
| webp              | /usr/local/Cellar/webp/              | 0.6.0          |
| wget              | /usr/local/Cellar/wget/              | 1.18           |
| wxmac             | /usr/local/Cellar/wxmac/             | 3.0.2_4        |
| x264              | /usr/local/Cellar/x264/              | r2748          |
| x264              | /usr/local/Cellar/x264/              | r2795          |
| xvid              | /usr/local/Cellar/xvid/              | 1.3.4          |
| xz                | /usr/local/Cellar/xz/                | 5.2.3          |
| yara              | /usr/local/Cellar/yara/              | 3.6.3          |
| yarn              | /usr/local/Cellar/yarn/              | 1.1.0          |
| you-get           | /usr/local/Cellar/you-get/           | 0.4.939        |
| zstd              | /usr/local/Cellar/zstd/              | 1.3.1          |
+-------------------+--------------------------------------+----------------+
```
```
osquery> .tables
  => acpi_tables
  => ad_config
  => alf
  => alf_exceptions
  => alf_explicit_auths
  => alf_services
  => app_schemes
  => apps
  => arp_cache
  => asl
  => augeas
  => authorization_mechanisms
  => authorizations
  => authorized_keys
  => block_devices
  => browser_plugins
  => carbon_black_info
  => carves
  => certificates
  => chrome_extensions
  => cpu_time
  => cpuid
  => crashes
  => crontab
  => device_file
  => device_firmware
  => device_hash
  => device_partitions
  => disk_encryption
  => disk_events
  => dns_resolvers
  => docker_container_labels
  => docker_container_mounts
  => docker_container_networks
  => docker_container_ports
  => docker_container_processes
  => docker_container_stats
  => docker_containers
  => docker_image_labels
  => docker_images
  => docker_info
  => docker_network_labels
  => docker_networks
  => docker_version
  => docker_volume_labels
  => docker_volumes
  => etc_hosts
  => etc_protocols
  => etc_services
  => event_taps
  => extended_attributes
  => fan_speed_sensors
  => file
  => file_events
  => firefox_addons
  => gatekeeper
  => gatekeeper_approved_apps
  => groups
  => hardware_events
  => hash
  => homebrew_packages
  => interface_addresses
  => interface_details
  => iokit_devicetree
  => iokit_registry
  => kernel_extensions
  => kernel_info
  => kernel_panics
  => keychain_acls
  => keychain_items
  => known_hosts
  => last
  => launchd
  => launchd_overrides
  => listening_ports
  => lldp_neighbors
  => load_average
  => logged_in_users
  => magic
  => managed_policies
  => mounts
  => nfs_shares
  => nvram
  => opera_extensions
  => os_version
  => osquery_events
  => osquery_extensions
  => osquery_flags
  => osquery_info
  => osquery_packs
  => osquery_registry
  => osquery_schedule
  => package_bom
  => package_install_history
  => package_receipts
  => pci_devices
  => platform_info
  => plist
  => power_sensors
  => preferences
  => process_envs
  => process_events
  => process_file_events
  => process_memory_map
  => process_open_files
  => process_open_sockets
  => processes
  => prometheus_metrics
  => python_packages
  => quicklook_cache
  => routes
  => safari_extensions
  => sandboxes
  => shared_folders
  => sharing_preferences
  => shell_history
  => signature
  => sip_config
  => smbios_tables
  => smc_keys
  => startup_items
  => sudoers
  => suid_bin
  => system_controls
  => system_info
  => temperature_sensors
  => time
  => time_machine_backups
  => time_machine_destinations
  => uptime
  => usb_devices
  => user_events
  => user_groups
  => user_ssh_keys
  => users
  => virtual_memory_info
  => wifi_networks
  => wifi_status
  => wifi_survey
  => xprotect_entries
  => xprotect_meta
  => xprotect_reports
  => yara
  => yara_events
```
```
osquery> .schema os_version
CREATE TABLE os_version(`name` TEXT, `version` TEXT, `major` INTEGER, `minor` INTEGER, `patch` INTEGER, `build` TEXT, `platform` TEXT, `platform_like` TEXT, `codename` TEXT);
```
fengyfei
OSQuery
Basic usage
References