migrate to git.charlotte.sh

2025-04-19 23:42:08 -04:00 · 2025-04-19 23:42:08 -04:00 · fbd588721e
commit fbd588721e
412 changed files with 13750 additions and 0 deletions
--- a/net-sec-controls-sec350/osquery_project/03_client_app.md
+++ b/net-sec-controls-sec350/osquery_project/03_client_app.md
@ -0,0 +1,59 @@
+|[HOME](README.md)|[RESEARCH](01_research.md)|[INSTALLATION](02_install_rocky.md)|[CLIENT APP](03_client_app.md)|[INTEGRATION](04_wazuh_integration.md)|[DEMONSTRATION](05_demonstration.md)|[CONCLUSION](06_conclusion.md)|
+|-|-|-|-|-|-|-|
+
+# osquery Client Application (osqueryi)
+`osqueryi` is an interactive shell for osquery that uses SQL-like queries to gather system information. It allows you to query various aspects of an operating system as if they were tables in a database.
+
+## Common queries:
+Inspect system processes:
+```sql
+osquery> SELECT name, path, pid FROM processes WHERE name = 'httpd';
+-------+-----------------+-------+
+| name  | path            | pid   |
+-------+-----------------+-------+
+| httpd | /usr/sbin/httpd | 82243 |
+| httpd | /usr/sbin/httpd | 86173 |
+| httpd | /usr/sbin/httpd | 86174 |
+| httpd | /usr/sbin/httpd | 86175 |
+| httpd | /usr/sbin/httpd | 86176 |
+-------+-----------------+-------+
+```
+List installed packages:
+```sql
+osquery> SELECT name, version FROM rpm_packages;
+-------------------------------+------------+
+| name                          | version    |
+-------------------------------+------------+
+| NetworkManager                | 1.36.0     |
+| NetworkManager-config-server  | 1.36.0     |
+| NetworkManager-libnm          | 1.36.0     |
+| NetworkManager-team           | 1.36.0     |
+| NetworkManager-tui            | 1.36.0     |
+| acl                           | 2.2.53     |
+| adcli                         | 0.8.2      |
+| alsa-sof-firmware             | 1.9.3      |
+| apr                           | 1.6.3      |
+| apr-util                      | 1.6.1      |
+...
+```
+Check listening network ports:
+```sql
+osquery> SELECT pid, address, port FROM listening_ports;
+-------+-----------+-------+
+| pid   | address   | port  |
+-------+-----------+-------+
+| 1101  | 0.0.0.0   | 22    |
+| 86176 | ::        | 80    |
+| 1101  | ::        | 22    |
+| 34468 | 0.0.0.0   | 51361 |
+| 942   | 127.0.0.1 | 323   |
+| 942   | ::1       | 323   |
+| 1068  | ::        | 58    |
+| 924   |           | 0     |
+| 924   |           | 0     |
+...
+```
+
+___
+|[<<<<](02_install_rocky.md)|[>>>>](04_wazuh_integration.md)|
+|-|-|