IR 308: osquery (15 pts)

What You Need for This Project

Purpose

To practice using osquery, a forensic tool created by Facebook, to detect suspicious activity on a Linux server.

Installing osquery

On your Linux machine, in a Terminal session, execute these commands:
sudo apt update
sudo apt install dirmngr software-properties-common -y
sudo apt install apt-transport-https -y 
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
sudo apt update
sudo apt install osquery -y

Overview of osquery

On your Linux machine, in a Terminal session, execute these commands:
osqueryi
.help
osquery opens in interactive mode and shows the help page, listing the available commands, as shown below.

Available Tables

On your Linux machine, at the osquery> prompt, execute this command:
.tables
You see a long list of available tables, as shown below.

APT Sources

On your Linux machine, at the osquery> prompt, execute this command to see the software repositories on your server:
.all apt_sources
The sources include pkg.osquery.io, as shown below.

Examining Other Tables

Look in these tables the same way, with .all:
arp_cache
uptime
users
shell_history
crontab
kernel_info
logged_in_users
memory_info
suid_bin
os_version
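Browsing tables interactively is fine for a lab, but in practice you want the same data pulled by a script and compared against a known-good snapshot. The Python below is an added example, not part of this project: it runs the suid_bin table through osqueryi --json (a real osqueryi flag) when osquery is installed, otherwise falls back to a constructed sample, and reports setuid binaries that were not in the baseline, calling out any that live under writable directories such as /tmp.

```python
import json
import shutil
import subprocess

# Query used for both the baseline snapshot and the live check (suid_bin is a real osquery table).
SUID_SQL = "SELECT path, username, groupname, permissions FROM suid_bin;"

# Constructed sample output in the shape `osqueryi --json` prints (a JSON array of row objects).
# Not captured from a real host.
BASELINE_JSON = """[
  {"path":"/usr/bin/passwd","username":"root","groupname":"root","permissions":"S"},
  {"path":"/usr/bin/sudo","username":"root","groupname":"root","permissions":"S"},
  {"path":"/usr/bin/su","username":"root","groupname":"root","permissions":"S"}
]"""

CURRENT_JSON = """[
  {"path":"/usr/bin/passwd","username":"root","groupname":"root","permissions":"S"},
  {"path":"/usr/bin/sudo","username":"root","groupname":"root","permissions":"S"},
  {"path":"/usr/bin/su","username":"root","groupname":"root","permissions":"S"},
  {"path":"/tmp/.cache/sh","username":"root","groupname":"root","permissions":"S"}
]"""

# Directories where a root-owned setuid binary is almost never legitimate.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def load_rows(json_text):
    """Parse osqueryi --json output into a list of row dicts."""
    return json.loads(json_text)


def run_osqueryi(sql):
    """Run one query through osqueryi and return its rows, or None if osqueryi is not installed."""
    if shutil.which("osqueryi") is None:
        return None
    proc = subprocess.run(["osqueryi", "--json", sql], capture_output=True, text=True, check=True)
    return load_rows(proc.stdout)


def new_suid_binaries(baseline_rows, current_rows):
    """Rows whose path was not in the baseline: setuid bits that appeared since the snapshot."""
    known = {r["path"] for r in baseline_rows}
    return [r for r in current_rows if r["path"] not in known]


def in_writable_dirs(rows):
    """Setuid binaries under world- or user-writable trees, which deserve a closer look."""
    return [r for r in rows if r["path"].startswith(WRITABLE_DIRS)]


def check(baseline_rows, current_rows):
    """Combine both checks into one report: (new paths, the subset of those in writable dirs)."""
    added = new_suid_binaries(baseline_rows, current_rows)
    return added, in_writable_dirs(added)


if __name__ == "__main__":
    baseline = load_rows(BASELINE_JSON)
    # Use the live table when osquery is present, otherwise fall back to the constructed sample.
    current = run_osqueryi(SUID_SQL) or load_rows(CURRENT_JSON)
    added, risky = check(baseline, current)
    for r in added:
        note = "  <-- in writable dir" if r in risky else ""
        print(f"new setuid binary: {r['path']} owner={r['username']}{note}")
```

The baseline would normally be saved from a freshly built machine; the same diff idea works for any of the tables listed above (crontab, users, kernel_info), since every one of them comes out of osqueryi --json as the same kind of row array.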

Flag IR 308.1: vmlinuz Path (5 pts)

One of the tables above returns this output. The flag is covered by a green rectangle in the image below.


Enabling Syslog Consumption in osquery

On your Linux machine, at the osquery> prompt, execute these commands:
.quit
sudo apt install rsyslog -y
sudo nano /etc/rsyslog.d/osquery.conf
Enter this into the file, as shown below.
template(
  name="OsqueryCsvFormat"
  type="string"
  string="%timestamp:::date-rfc3339,csv%,%hostname:::csv%,%syslogseverity:::csv%,%syslogfacility-text:::csv%,%syslogtag:::csv%,%msg:::csv%\n"
)
*.* action(type="ompipe" Pipe="/var/osquery/syslog_pipe" template="OsqueryCsvFormat")

Save the file with Ctrl+X, Y, Enter.
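The template above fixes the exact line format rsyslog writes into the pipe: six CSV fields in the order timestamp, host, severity, facility, tag, message, which osquery then exposes through its syslog table. The Python below is an added example, not part of this project or of osquery: it parses constructed lines in that format into rows shaped like the syslog table, skipping malformed lines instead of stopping, and pulls out the authentication warnings an analyst would look at first.

```python
import csv
import io
from datetime import datetime

# Column order is fixed by the OsqueryCsvFormat template: timestamp, host, severity,
# facility, tag, message. They map onto osquery's syslog table columns of the same meaning.
FIELDS = ("datetime", "host", "severity", "facility", "tag", "message")

# Constructed sample of three lines as rsyslog's csv property option writes them
# (every field double-quoted, embedded quotes doubled). Not real log data.
SAMPLE_PIPE_LINES = (
    '"2020-06-28T10:15:02.123456-07:00","web1","6","authpriv","sshd[1234]:",'
    '" Accepted publickey for alice from 203.0.113.5 port 50322 ssh2"\n'
    '"2020-06-28T10:15:09.004211-07:00","web1","4","authpriv","sshd[1237]:",'
    '" Failed password for invalid user admin from 198.51.100.7 port 41000 ssh2"\n'
    '"2020-06-28T10:16:30.000000-07:00","web1","5","cron","CRON[1301]:",'
    '" (root) CMD (/usr/local/bin/backup.sh ""nightly"")"\n'
)


def parse_pipe_lines(text):
    """Turn pipe lines into dicts shaped like syslog table rows.

    Lines with the wrong field count (torn writes, stray newlines) are skipped
    rather than raising, since one bad line must not stop log consumption.
    """
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, rec))
        row["severity"] = int(row["severity"])          # syslogseverity is numeric (0..7)
        # date-rfc3339 yields an offset-aware timestamp; keep epoch seconds like osquery's time column
        row["time"] = int(datetime.fromisoformat(row["datetime"]).timestamp())
        row["message"] = row["message"].strip()          # %msg% carries a leading space
        rows.append(row)
    return rows


def auth_warnings(rows):
    """Authentication-facility messages at warning (4) or worse."""
    return [r for r in rows if r["facility"] == "authpriv" and r["severity"] <= 4]


if __name__ == "__main__":
    for r in auth_warnings(parse_pipe_lines(SAMPLE_PIPE_LINES)):
        print(r["datetime"], r["host"], r["tag"], r["message"])
```

Once osqueryd is consuming the pipe, the same filter is a one-liner at the osquery> prompt (SELECT datetime, host, tag, message FROM syslog WHERE facility = 'authpriv' AND severity <= 4;), which is the point of the template: the CSV columns become queryable fields.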

On your Linux machine, execute these commands:

sudo systemctl restart rsyslog
sudo nano /etc/osquery/osquery.conf
Enter this into the file, as shown below.
{
    "options": {
        "config_plugin": "filesystem",
        "logger_plugin": "filesystem",
        "logger_path": "/var/log/osquery",
        "disable_logging": "false",
        "schedule_splay_percent": "10",
        "pidfile": "/var/osquery/osquery.pidfile",
        "events_expiry": "3600",
        "database_path": "/var/osquery/osquery.db",
        "verbose": "false",
        "worker_threads": "2", 
        "disable_events": "false",
        "disable_audit": "false",
        "audit_allow_config": "true",
        "host_identifier": "hakase-labs",
        "enable_syslog": "true",
        "syslog_pipe_path": "/var/osquery/syslog_pipe",
        "force": "true",
        "audit_allow_sockets": "true",
        "schedule_default_interval": "3600"
    },


    "schedule": {
        "crontab": {
            "query": "SELECT * FROM crontab;",
            "interval": 300
        },
        "system_info": {
            "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
            "interval": 3600
        },
        "ssh_login": {
            "query": "SELECT username, time, host FROM last WHERE type=7",
            "interval": 360
        }
    },

    "decorators": {
        "load": [
            "SELECT uuid AS host_uuid FROM system_info;",
            "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
        ]
    },

    "packs": {
        "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf"
    }
}

Save the file with Ctrl+X, Y, Enter.

Checking the Configuration

On your Linux machine, execute this command:
sudo osqueryctl config-check
The process should run without errors, as shown below.

On your Linux machine, execute these commands:

sudo systemctl start osqueryd
sudo systemctl enable osqueryd
sudo systemctl restart rsyslog
The process should run without errors, as shown below.

Configuring File Integrity Monitoring (FIM)

We'll configure osquery to monitor several directories and detect file changes in them.

On your Linux machine, execute this command:

sudo nano /usr/share/osquery/packs/fim.conf
Enter this code, as shown below:
{
  "queries": {
    "file_events": {
      "query": "SELECT * FROM file_events;",
      "removed": false,
      "interval": 300
    }
  },
  "file_paths": {
    "homes": [
      "/home/%/.ssh/%%"
    ],
    "etc": [
      "/etc/%%"
    ],
    "home": [
      "/home/%%"
    ],
    "tmp": [
      "/tmp/%%"
    ]
  }
}
Save the file with Ctrl+X, Y, Enter.

On your Linux machine, execute this command:

sudo nano /etc/osquery/osquery.conf
At the bottom of the file, replace the "packs" section with this code, as shown below:
    "packs": {
        "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
        "fim": "/usr/share/osquery/packs/fim.conf"
    }

Save the file with Ctrl+X, Y, Enter.

Checking the Configuration

On your Linux machine, execute these commands:
sudo systemctl stop osqueryd
sudo osqueryctl config-check
When I saw it, there was a "Rocksdb" error, as shown below, but I just ignored it and it worked anyway.

Monitoring Changes

On your Linux machine, execute these commands:
sudo systemctl restart osqueryd
sudo tail -f /var/log/osquery/osqueryd.results.log
You may see some "crontab" messages and other messages, as shown below:

Leave this window open with the "tail" command running.

Creating a Test Event

From the Google Cloud Console, open a new SSH window to your server. Then execute this command:
touch /tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBB

Flag IR 308.2: Event Name (10 pts)

Find the event with the long filename. The flag is this event's "name", covered by a green rectangle in the image below.
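Reading osqueryd.results.log with tail works for one test file, but each line is a self-contained JSON object, so the same search can be scripted. The Python below is an added example, not part of this project: it parses constructed results-log lines (the FIM event name in the sample is a placeholder, not the value osqueryd prints), skips torn or non-JSON lines, finds the event for a given path, and flags newly created /tmp files with unusually long names. The record layout (name, hostIdentifier, calendarTime, decorations, columns, action) follows osquery's event result format.

```python
import json
import os

# Constructed sample of osqueryd.results.log lines: one JSON object per line, with the
# differential "action" (added/removed) and the decorators from osquery.conf above.
# Not taken from a real host; FIM_EVENT_NAME_PLACEHOLDER stands in for the pack query's name.
SAMPLE_RESULTS_LOG = r'''
{"name":"crontab","hostIdentifier":"hakase-labs","calendarTime":"Sun Jun 28 17:20:01 2020 UTC","unixTime":1593364801,"epoch":0,"counter":0,"decorations":{"host_uuid":"00000000-0000-0000-0000-000000000000","username":"alice"},"columns":{"command":"/usr/local/bin/backup.sh","hour":"2","minute":"0","path":"/etc/crontab"},"action":"added"}
not json: a partially written line that must be skipped
{"name":"FIM_EVENT_NAME_PLACEHOLDER","hostIdentifier":"hakase-labs","calendarTime":"Sun Jun 28 17:21:40 2020 UTC","unixTime":1593364900,"epoch":0,"counter":1,"decorations":{"host_uuid":"00000000-0000-0000-0000-000000000000","username":"alice"},"columns":{"action":"UPDATED","category":"etc","target_path":"/etc/passwd","size":"2341","time":"1593364880"},"action":"added"}
{"name":"FIM_EVENT_NAME_PLACEHOLDER","hostIdentifier":"hakase-labs","calendarTime":"Sun Jun 28 17:21:40 2020 UTC","unixTime":1593364900,"epoch":0,"counter":1,"decorations":{"host_uuid":"00000000-0000-0000-0000-000000000000","username":"alice"},"columns":{"action":"CREATED","category":"tmp","target_path":"/tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBB","size":"0","time":"1593364890"},"action":"added"}
'''


def parse_results_log(text):
    """One JSON object per line; blank, torn or non-JSON lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def file_events(records):
    """Only FIM results carry a target_path column, whatever the pack/query was named."""
    return [r for r in records if "target_path" in r.get("columns", {})]


def find_by_path(records, path):
    """All FIM events for one exact path (the way you would locate the test file)."""
    return [r for r in file_events(records) if r["columns"]["target_path"] == path]


def odd_tmp_files(records, min_len=24):
    """Newly created files in the tmp category whose basename is suspiciously long."""
    hits = []
    for r in file_events(records):
        cols = r["columns"]
        if (cols.get("category") == "tmp" and cols.get("action") == "CREATED"
                and len(os.path.basename(cols["target_path"])) >= min_len):
            hits.append(r)
    return hits


def summarize(record):
    """One-line description: when, which scheduled query, what happened to which path."""
    c = record["columns"]
    return f'{record["calendarTime"]} {record["name"]} {c.get("action")} {c.get("target_path")}'


if __name__ == "__main__":
    recs = parse_results_log(SAMPLE_RESULTS_LOG)
    for r in odd_tmp_files(recs):
        print(summarize(r))
```

On the server, replace SAMPLE_RESULTS_LOG with the contents of /var/log/osquery/osqueryd.results.log; the "name" field of the matching record is the value the flag asks for.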



References

Introduction to osquery for Threat Detection and DFIR
Install Osquery on Debian 10 Buster
How to Setup File Integrity Monitoring (FIM) using osquery on Linux

Posted 11-7-19
stop command added 6-28-2020
apt-transport-https added 9-17-20