lotte/ChamplainTechJournals
1
Code Activity

migrate to git.charlotte.sh

Browse source
This commit is contained in:
Charlotte Croce 2025-04-19 23:42:08 -04:00
commit fbd588721e
412 changed files with 13750 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

27
net-sec-controls-sec350/osquery_project/01_research.md Normal file
View file

@ -0,0 +1,27 @@
|[HOME](README.md)|[RESEARCH](01_research.md)|[INSTALLATION](02_install_rocky.md)|[CLIENT APP](03_client_app.md)|[INTEGRATION](04_wazuh_integration.md)|[DEMONSTRATION](05_demonstration.md)|[CONCLUSION](06_conclusion.md)|
|-|-|-|-|-|-|-|
# Research
Osquery is an open-source OS instrumentation framework that uses SQL-like syntax to query the OS as if it were a relational database. It was created by Facebook(Meta) in 2014.
## Features
- **Cross-platform**: macOS, Linux, FreeBSD, and Windows
- **Data collection**: running processes, user logins, kernel modules, network connections, browser plugins, hardware events, file hashes, and more
- **SQL-based queries**: Users can write SQL queries to explore data across all operating systems and infrastructure
- **Query packs**: Pre-built collections of queries for specific tasks like incident response, vulnerability management, or compliance monitoring
## Components
1. [**Osqueryi**](03_client_app.md): An interactive console shell for running ad-hoc queries and exploring the system
2. [**Osqueryd**](02_install_rocky.md): A daemon that schedules queries and monitors system changes
> [!Warning]
> Osquery generates approximately 110MB of data per endpoint per day. This requires careful consideration of storage and management, especially for large-scale deployments.
Sources:
- https://www.uptycs.com/blog/threat-research-report-team/osquery-guide
- https://rearc.io/blog/osquery-introduction
- https://www.rapid7.com/blog/post/2016/05/09/introduction-to-osquery-for-threat-detection-dfir/
___
|[<<<<](README.md)|[>>>>](02_install_rocky.md)|
|-|-|

54
net-sec-controls-sec350/osquery_project/02_install_rocky.md Normal file
View file

@ -0,0 +1,54 @@
|[HOME](README.md)|[RESEARCH](01_research.md)|[INSTALLATION](02_install_rocky.md)|[CLIENT APP](03_client_app.md)|[INTEGRATION](04_wazuh_integration.md)|[DEMONSTRATION](05_demonstration.md)|[CONCLUSION](06_conclusion.md)|
|-|-|-|-|-|-|-|
# Install osquery on Rocky Linux (web01)
## Installation
### DMZ-to-WAN temporary firewall rule
Add a temporary rule for software updates that we either delete, disable or discard when complete
```bash
set firewall name DMZ-to-WAN rule 999 action accept
set firewall name DMZ-to-WAN rule 999 source address 172.16.50.3
```
### Install via yum repository
- (current version: 15.5.0) -- [source](https://osquery.io/downloads/official/5.15.0)
```bash
curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
sudo yum install yum-utils -y
sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
sudo yum-config-manager --enable osquery-s3-rpm-repo
sudo yum install osquery -y
```
## Configuration
> [!Warning]
> Linux systems running journald will collect logging data originating from the kernel audit subsystem (something that osquery enables) from several sources, including audit records. To avoid performance problems on busy boxes (specially when osquery event tables are enabled), it is recommended to mask audit logs from entering the journal with the following command
> ```bash
> systemctl mask --now systemd-journald-audit.socket
> ```
> -- [source](https://osquery.readthedocs.io/en/latest/installation/install-linux/)
The `/etc/init.d/osqueryd` script does not automatically start the daemon until a configuration file is created. This is the command to copy the existing example config file into your working config files directory, this file may need further configuration.
```bash
sudo cp /opt/osquery/share/osquery/osquery.example.conf /etc/osquery/osquery.conf
```
## Running osquery
### Standalone/Client App (osqueryi)
To start a standalone osquery use: `osqueryi`. This does not need an osquery server or service. [osqueryi page](03_client_app.md)
### Daemon Service (osqueryd)
```bash
sudo systemctl enable osqueryd
sudo systemctl start osqueryd
```
> [!Note]
> The interactive shell and daemon do NOT communicate!
___
Source: https://documentation.wazuh.com/current/user-manual/capabilities/system-inventory/osquery.html
|[<<<<](01_research.md)|[>>>>](03_client_app.md)|
|-|-|

59
net-sec-controls-sec350/osquery_project/03_client_app.md Normal file
View file

@ -0,0 +1,59 @@
|[HOME](README.md)|[RESEARCH](01_research.md)|[INSTALLATION](02_install_rocky.md)|[CLIENT APP](03_client_app.md)|[INTEGRATION](04_wazuh_integration.md)|[DEMONSTRATION](05_demonstration.md)|[CONCLUSION](06_conclusion.md)|
|-|-|-|-|-|-|-|
# osquery Client Application (osqueryi)
`osqueryi` is an interactive shell for osquery that uses SQL-like queries to gather system information. It allows you to query various aspects of an operating system as if they were tables in a database.
## Common queries:
Inspect system processes:
```sql
osquery> SELECT name, path, pid FROM processes WHERE name = 'httpd';
+-------+-----------------+-------+
| name | path | pid |
+-------+-----------------+-------+
| httpd | /usr/sbin/httpd | 82243 |
| httpd | /usr/sbin/httpd | 86173 |
| httpd | /usr/sbin/httpd | 86174 |
| httpd | /usr/sbin/httpd | 86175 |
| httpd | /usr/sbin/httpd | 86176 |
+-------+-----------------+-------+
```
List installed packages:
```sql
osquery> SELECT name, version FROM rpm_packages;
+-------------------------------+------------+
| name | version |
+-------------------------------+------------+
| NetworkManager | 1.36.0 |
| NetworkManager-config-server | 1.36.0 |
| NetworkManager-libnm | 1.36.0 |
| NetworkManager-team | 1.36.0 |
| NetworkManager-tui | 1.36.0 |
| acl | 2.2.53 |
| adcli | 0.8.2 |
| alsa-sof-firmware | 1.9.3 |
| apr | 1.6.3 |
| apr-util | 1.6.1 |
...
```
Check listening network ports:
```sql
osquery> SELECT pid, address, port FROM listening_ports;
+-------+-----------+-------+
| pid | address | port |
+-------+-----------+-------+
| 1101 | 0.0.0.0 | 22 |
| 86176 | :: | 80 |
| 1101 | :: | 22 |
| 34468 | 0.0.0.0 | 51361 |
| 942 | 127.0.0.1 | 323 |
| 942 | ::1 | 323 |
| 1068 | :: | 58 |
| 924 | | 0 |
| 924 | | 0 |
...
```
___
|[<<<<](02_install_rocky.md)|[>>>>](04_wazuh_integration.md)|
|-|-|

107
net-sec-controls-sec350/osquery_project/04_wazuh_integration.md Normal file
View file

@ -0,0 +1,107 @@
|[HOME](README.md)|[RESEARCH](01_research.md)|[INSTALLATION](02_install_rocky.md)|[CLIENT APP](03_client_app.md)|[INTEGRATION](04_wazuh_integration.md)|[DEMONSTRATION](05_demonstration.md)|[CONCLUSION](06_conclusion.md)|
|-|-|-|-|-|-|-|
# Wazuh Integration
## Requirements
- Wazuh manager installed and configured on the wazuh server
- Wazuh agent installed and connected on WEB01
- osquery already installed on WEB01 ([installation guide](02_install_rocky.md))
- root privileges
## Configure osquery on web01
### on WEB01
- create osquery configuration file. if already created with defaults, edit it
```json
> sudo nano /etc/osquery/osquery.conf
{
"options": {
"logger_path": "/var/log/osquery",
"disable_logging": "false",
"schedule_splay_percent": "10",
"utc": "true"
},
"schedule": {
"system_info": {
"query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
"interval": 300
},
"processes": {
"query": "SELECT pid, name, path, cmdline FROM processes;",
"interval": 300
},
"logged_in_users": {
"query": "SELECT user, host, time FROM logged_in_users;",
"interval": 300
},
"firewall_status": {
"query": "SELECT * FROM shell WHERE command = 'firewall-cmd --state';",
"interval": 300
}
},
...
```
- create log directories with correct permissions for storing osquery results
```bash
sudo mkdir -p /var/log/osquery
sudo chown -R root:root /var/log/osquery
sudo chmod -R 755 /var/log/osquery
```
- restart osqueryd
```bash
sudo systemctl restart osqueryd
sudo systemctl status osqueryd
```
## Configure WEB01 -> Wazuh integration
### On WEB01
- configure Wazuh agent to monitor osquery logs
```xml
> sudo nano /var/ossec/etc/ossec.conf
# Add these blocks inside the <ossec_config> section
# make sure this wodle is NOT disabled, as this service is disabled by default
<wodle name="osquery">
<disabled>no</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<localfile>
<log_format>json</log_format>
<location>/var/log/osquery/osqueryd.results.log</location>
</localfile>
```
- restart wazuh agent
```bash
sudo systemctl restart wazuh-agent
sudo systemctl status wazuh-agent
```
## Validation
### on WEB01
- Run a manual query to generate an immediate log entry
```
sudo osqueryi --json "SELECT * FROM processes LIMIT 5;" > /var/log/osquery/osqueryd.results.log
```
- Check if Wazuh detected it
```
sudo tail -f /var/ossec/logs/ossec.log
```
### on Wazuh Server
- Go to Modules Menu -> Security Events -> Events
- In left panel, add rule.groups: osquery
![image](../../assets/54a8264b-ffac-4f98-be7d-5d1abce24233.png)
___
|[<<<<](03_client_app.md)|[>>>>](05_demonstration.md)|
|-|-|

7
net-sec-controls-sec350/osquery_project/05_demonstration.md Normal file
View file

@ -0,0 +1,7 @@
|[HOME](https://git.charlotte.sh/lotte/ChamplainTechJournals/src/branch/main/net-sec-controls-sec350/osquery_project/README.md)|[RESEARCH](https://git.charlotte.sh/lotte/ChamplainTechJournals/src/branch/main/net-sec-controls-sec350/osquery_project/01_research.md)|[INSTALLATION](https://git.charlotte.sh/lotte/ChamplainTechJournals/src/branch/main/net-sec-controls-sec350/osquery_project/02_install_rocky.md)|[CLIENT APP](https://git.charlotte.sh/lotte/ChamplainTechJournals/src/branch/main/net-sec-controls-sec350/osquery_project/03_client_app.md)|[INTEGRATION](https://git.charlotte.sh/lotte/ChamplainTechJournals/src/branch/main/net-sec-controls-sec350/osquery_project/04_wazuh_integration.md)|[DEMONSTRATION](https://git.charlotte.sh/lotte/ChamplainTechJournals/src/branch/main/net-sec-controls-sec350/osquery_project/05_demonstration.md)|[CONCLUSION](https://git.charlotte.sh/lotte/ChamplainTechJournals/src/branch/main/net-sec-controls-sec350/osquery_project/06_conclusion.md)|
|-|-|-|-|-|-|-|
# Demonstration
___
|[<<<<](04_wazuh_integration.md)|[>>>>](06_conclusion.md)|
|-|-|

19
net-sec-controls-sec350/osquery_project/06_conclusion.md Normal file
View file

@ -0,0 +1,19 @@
|[HOME](README.md)|[RESEARCH](01_research.md)|[INSTALLATION](02_install_rocky.md)|[CLIENT APP](03_client_app.md)|[INTEGRATION](04_wazuh_integration.md)|[DEMONSTRATION](05_demonstration.md)|[CONCLUSION](06_conclusion.md)|
|-|-|-|-|-|-|-|
# Conclusion
## Pros
- open source
- lightweight
- works on Linux, macOS, and Windows
## Cons
- stores current system state, which means it doesn't store historical data
## Overview
In conclusion, the OSQuery project demonstrates the potential of integrating OSQuery with Wazuh for enhanced security monitoring. OSQuery provides a powerful tool for querying and monitoring system data, while Wazuh offers robust endpoint detection and response capabilities. The integration of these tools allows for real-time event detection and analysis, offering significant benefits in terms of security visibility and incident response. However, considerations regarding complexity and resource requirements are important when implementing such a system. Overall, the integration of OSQuery with Wazuh presents a promising approach to strengthening corporate security infrastructure.
___
|[<<<<](05_demonstration.md)||
|-|-|

23
net-sec-controls-sec350/osquery_project/README.md Normal file
View file

@ -0,0 +1,23 @@
|[HOME](README.md)|[RESEARCH](01_research.md)|[INSTALLATION](02_install_rocky.md)|[CLIENT APP](03_client_app.md)|[INTEGRATION](04_wazuh_integration.md)|[DEMONSTRATION](05_demonstration.md)|[CONCLUSION](06_conclusion.md)|
|-|-|-|-|-|-|-|
Charlotte Croce, Andrei Gorlitsky, Benjamin Tyler
# Project 1 -OSQuery
🚀 Your security engineering technical lead has asked you to investigate a potential security tool called [OSQuery](https://github.com/osquery/osquery). They have asked that you be prepared to demonstrate the application itself and its integration into the corporate EDR platform (wazuh). You are expected to demo your results to the full security engineering team in one week.
## Demonstration Video
Google Drive link: https://drive.google.com/file/d/1TmDQrPufHJVOyXyVaR0a5f4StchSyOn2/view?usp=drive_link
## Documentation Contents
- [RESEARCH:](01_research.md) Conduct high level research on OSQuery and explain what it does at a high level
- [INSTALLATION:](02_install_rocky.md) Install OSQuery on either web01 (rocky) or wks01 (windows 10)
- [CLIENT APP:](03_client_app.md) Investigate and demonstrate some of the features of the OSQuery client application
- [INTEGRATION:](04_wazuh_integration.md) Integrate OSQuery with Wazuh
- [DEMONSTRATION:](05_demonstration.md) Develop an end to end demonstration that shows the triggering of an event that is picked up by OSQuery and how that event eventually makes it to Wazuh.
- [CONCLUSION:](06_conclusion.md) Conclude by discussing any pros and cons of this tool and integration.
___
||[>>>>](01_research.md)|
|-|-|