
Osquery exposes the OS as a relational database

Facebook has published the osquery framework on GitHub. It exposes low-level operating-system state on OS X and Linux (running processes, open sockets, loaded kernel modules, launch daemons and so on) as SQL tables. The tables are virtual: they are filled in on demand when a query runs rather than being a stored copy of the data. The approach is convenient because different tables can be joined in a single query.

For example, if we want the names, pids and ports of all processes that listen on a port bound to all interfaces, we write:

SELECT DISTINCT process.name, listening.port, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid WHERE listening.address = '0.0.0.0';

Note that '0.0.0.0' is only the IPv4 wildcard; a socket bound to every IPv6 interface shows up with the address '::', so add that value to the filter if you want IPv6 listeners as well.

Another query lists all OS X daemons that are started together with the operating system and are kept running after that. It returns the name of the daemon and the path of its executable:

SELECT name, program || program_arguments AS executable FROM launchd WHERE (run_at_load = 'true' AND keep_alive = 'true') AND (program != '' OR program_arguments != '');

With similar queries, running processes, loaded kernel modules and network connections can be monitored.
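The post mentions those three monitoring targets without showing the queries. The following queries are an added example written for this page, not code from the original post or from the osquery project. They use osquery's own table and column names (processes, process_open_sockets, hash, listening_ports, kernel_modules, kernel_extensions); the exclusion of loopback and wildcard addresses and the choice of columns are this example's assumptions.

```sql
-- Added example (not from the original post): monitoring queries of the kind
-- the article alludes to, each a join across osquery's virtual tables.
-- Table/column names are osquery's; the address filters are assumptions.

-- 1. Network connections: which binary is talking to which remote peer.
--    Joining processes to process_open_sockets attaches a name and path to
--    every socket that has a remote endpoint. protocol is numeric (6=TCP, 17=UDP).
SELECT p.pid, p.name, p.path, s.protocol,
       s.local_address, s.local_port, s.remote_address, s.remote_port
FROM process_open_sockets AS s
JOIN processes AS p ON p.pid = s.pid
WHERE s.remote_port != 0
  AND s.remote_address NOT IN ('', '0.0.0.0', '::', '127.0.0.1', '::1');

-- 2. Listeners on all interfaces, covering both IPv4 ('0.0.0.0') and IPv6 ('::')
--    wildcards, with the SHA-256 of the listening executable. The hash table
--    requires a path constraint, which the join supplies.
SELECT DISTINCT p.pid, p.name, l.port, l.address, h.sha256
FROM listening_ports AS l
JOIN processes AS p ON p.pid = l.pid
JOIN hash AS h ON h.path = p.path
WHERE l.address IN ('0.0.0.0', '::');

-- 3. Running processes whose executable no longer exists on disk (on_disk = 0):
--    typical of a dropper that deleted itself, or of a binary swapped out
--    after launch. On a healthy host this result set is normally empty.
SELECT pid, name, path, cmdline, parent, uid
FROM processes
WHERE on_disk = 0;

-- 4. Loaded kernel code. The table differs by platform:
--    kernel_modules on Linux, kernel_extensions on OS X.
SELECT name, size, used_by, status FROM kernel_modules;              -- Linux
SELECT name, version, path, linked_against FROM kernel_extensions;   -- OS X
```

Run these interactively with osqueryi, or put them in the osqueryd schedule so that only rows that appear or disappear between runs are logged; query 3 in particular is worth alerting on whenever it returns anything.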

New tables for osquery are fairly easy to write yourself, and you can optionally contribute them to the shared catalog of tables.

Source: https://habr.com/ru/post/242205/
