2.1 KiB
2.1 KiB
| HOME | RESEARCH | INSTALLATION | CLIENT APP | INTEGRATION | DEMONSTRATION | CONCLUSION |
|---|
osquery Client Application (osqueryi)
osqueryi is an interactive shell for osquery that uses SQL-like queries to gather system information. It allows you to query various aspects of an operating system as if they were tables in a database.
Common queries:
Inspect system processes:
osquery> SELECT name, path, pid FROM processes WHERE name = 'httpd';
+-------+-----------------+-------+
| name | path | pid |
+-------+-----------------+-------+
| httpd | /usr/sbin/httpd | 82243 |
| httpd | /usr/sbin/httpd | 86173 |
| httpd | /usr/sbin/httpd | 86174 |
| httpd | /usr/sbin/httpd | 86175 |
| httpd | /usr/sbin/httpd | 86176 |
+-------+-----------------+-------+
List installed packages:
osquery> SELECT name, version FROM rpm_packages;
+-------------------------------+------------+
| name | version |
+-------------------------------+------------+
| NetworkManager | 1.36.0 |
| NetworkManager-config-server | 1.36.0 |
| NetworkManager-libnm | 1.36.0 |
| NetworkManager-team | 1.36.0 |
| NetworkManager-tui | 1.36.0 |
| acl | 2.2.53 |
| adcli | 0.8.2 |
| alsa-sof-firmware | 1.9.3 |
| apr | 1.6.3 |
| apr-util | 1.6.1 |
...
Check listening network ports:
osquery> SELECT pid, address, port FROM listening_ports;
+-------+-----------+-------+
| pid | address | port |
+-------+-----------+-------+
| 1101 | 0.0.0.0 | 22 |
| 86176 | :: | 80 |
| 1101 | :: | 22 |
| 34468 | 0.0.0.0 | 51361 |
| 942 | 127.0.0.1 | 323 |
| 942 | ::1 | 323 |
| 1068 | :: | 58 |
| 924 | | 0 |
| 924 | | 0 |
...
| <<<< | >>>> |
|---|