OSQuery : Install
2016/10/16
Install osquery, developed by Facebook, to monitor system information.
It exposes the operating system as a set of tables, so various system details can be retrieved with SQL-like queries.
[1] Install osquery.
[root@dlp ~]# yum -y install https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm
[root@dlp ~]# yum -y install osquery
[2] These are some examples of basic osquery operation. Refer to the official site below for the details of all available tables. ⇒ https://osquery.io/docs/tables/
# run the osquery shell
[root@dlp ~]# osqueryi
osquery - being built, with love, at Facebook
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Using a virtual database. Need help, type '.help'
osquery>

# show all columns of the table for the OS version
osquery> select * from os_version;
+--------------+-------+-------+-------+-------+
| name         | major | minor | patch | build |
+--------------+-------+-------+-------+-------+
| CentOS Linux | 7     | 2     | 1511  |       |
+--------------+-------+-------+-------+-------+

# show selected columns of the table for system info
osquery> select hostname, cpu_brand, hardware_vendor, hardware_model from system_info;
+---------------+-------------------------------------------+-----------------+----------------+
| hostname      | cpu_brand                                 | hardware_vendor | hardware_model |
+---------------+-------------------------------------------+-----------------+----------------+
| dlp.srv.world | Intel(R) Xeon(R) CPU E5-2660 v3 @ 2.60GHz | Red Hat         | KVM            |
+---------------+-------------------------------------------+-----------------+----------------+

# show selected columns of the users table, restricted to UID 1000 and above
osquery> select uid, gid, username, shell from users where uid >= 1000;
+------+------+----------+-----------+
| uid  | gid  | username | shell     |
+------+------+----------+-----------+
| 1000 | 1000 | cent     | /bin/bash |
| 1001 | 1001 | redhat   | /bin/bash |
| 1002 | 1002 | ubuntu   | /bin/bash |
+------+------+----------+-----------+

# show all columns of the table for CPU time
osquery> select * from cpu_time;
+------+------+------+--------+--------+--------+-----+---------+-------+-------+------------+
| core | user | nice | system | idle   | iowait | irq | softirq | steal | guest | guest_nice |
+------+------+------+--------+--------+--------+-----+---------+-------+-------+------------+
| 0    | 870  | 0    | 597    | 298134 | 4      | 0   | 11      | 8     | 0     | 0          |
| 1    | 3717 | 0    | 1164   | 294858 | 10     | 0   | 3       | 1     | 0     | 0          |
| 2    | 1189 | 0    | 873    | 297573 | 13     | 0   | 0       | 33    | 0     | 0          |
| 3    | 1150 | 0    | 1233   | 297503 | 6      | 0   | 0       | 2     | 0     | 0          |
+------+------+------+--------+--------+--------+-----+---------+-------+-------+------------+

# to quit the shell, press Ctrl+D
osquery>
[root@dlp ~]#
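As an added example (not part of the original page), the users query above can also be run non-interactively with osqueryi --json and compared against a baseline of accounts that are allowed an interactive shell, which is how a defender would turn the one-off query into a repeatable check. The allowlist and the sample rows below are constructed for illustration and are not from the page.

```python
"""Baseline check for local accounts via osqueryi --json (added example)."""
import json
import subprocess

# Same query as the shell session above, run non-interactively.
USERS_QUERY = "select uid, gid, username, shell from users where uid >= 1000;"

# Constructed baseline: accounts allowed to have an interactive shell (assumption).
EXPECTED_USERS = {"cent", "redhat", "ubuntu"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample of what osqueryi --json returns for the query; every
# value is a string, as in real osquery JSON output.
SAMPLE_ROWS = [
    {"uid": "1000", "gid": "1000", "username": "cent", "shell": "/bin/bash"},
    {"uid": "1001", "gid": "1001", "username": "redhat", "shell": "/bin/bash"},
    {"uid": "1003", "gid": "1003", "username": "tmpadmin", "shell": "/bin/bash"},
    {"uid": "1004", "gid": "1004", "username": "svc-backup", "shell": "/sbin/nologin"},
]


def run_osquery(query):
    """Run one query through osqueryi --json; returns the rows as a list of dicts."""
    proc = subprocess.run(["osqueryi", "--json", query], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def unexpected_accounts(rows, expected=EXPECTED_USERS):
    """Return usernames with an interactive shell that are not in the baseline.
    Accounts with a nologin/false shell cannot log in, so they are not reported."""
    return sorted(
        row["username"] for row in rows
        if row["shell"] not in NOLOGIN_SHELLS and row["username"] not in expected
    )


if __name__ == "__main__":
    try:
        rows = run_osquery(USERS_QUERY)
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("osqueryi not usable (%s); using constructed sample rows" % exc)
        rows = SAMPLE_ROWS
    for row in rows:
        print("%6s  %-16s %s" % (row["uid"], row["username"], row["shell"]))
    extra = unexpected_accounts(rows)
    print("unexpected interactive accounts:", ", ".join(extra) or "none")
```

Run it from cron or a scheduler on each host; a non-empty list of unexpected accounts is the signal worth alerting on.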