| name | deploying-osquery-for-endpoint-monitoring |
| description | 部署和配置 osquery,使用基于 SQL 的查询对运行进程、开放端口、已安装软件和系统配置进行实时端点监控。 适用于构建端点状态可见性、跨部署范围进行威胁狩猎或实施合规监控的场景。
|
| domain | cybersecurity |
| subdomain | endpoint-security |
| tags | ["endpoint","osquery","endpoint-monitoring","threat-hunting","fleet-management"] |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
部署 osquery 进行端点监控
使用场景
在以下情况下使用本技能:
- 在 Windows、macOS 和 Linux 端点上部署 osquery 以实现全部署范围的可见性
- 使用 osquery 的 SQL 接口构建威胁狩猎查询
- 监控端点合规性(已安装软件、开放端口、运行服务)
- 将 osquery 数据与 SIEM 或 Kolide/Fleet 集成以进行集中管理
不适用于实时告警(osquery 是周期性/按需查询;实时检测请使用 EDR)。
前置条件
- 适用于目标操作系统的 osquery 包(https://osquery.io/downloads)
- 用于企业部署的 Fleet 管理服务器(Kolide Fleet 或 FleetDM)
- 用于代理到服务器安全通信的 TLS 证书
- 用于 osquery 结果日志的日志聚合管道(Filebeat、Fluentd)
操作流程
步骤 1:安装 osquery
export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys $OSQUERY_KEY
add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
apt-get update && apt-get install osquery -y
msiexec /i osquery-5.12.1.msi /quiet
brew install osquery
步骤 2:配置 osquery
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"logger_path": "/var/log/osquery",
"disable_logging": "false",
"schedule_splay_percent": "10",
"events_expiry": "3600",
"verbose": "false",
"worker_threads": "2",
"enable_monitor": "true",
"disable_events": "false",
"disable_audit": "false",
"audit_allow_config": "true",
"host_identifier": "hostname",
"enable_syslog": "true"
},
"schedule": {
"process_monitor": {
"query": "SELECT pid, name, path, cmdline, uid, parent FROM processes WHERE on_disk = 0;",
"interval": 300,
"description": "检测无磁盘二进制文件运行的进程(无文件恶意软件)"
},
"listening_ports": {
"query": "SELECT DISTINCT p.name, p.path, lp.port, lp.protocol, lp.address FROM listening_ports lp JOIN processes p ON lp.pid = p.pid WHERE lp.port != 0;",
"interval": 600,
"description": "监控监听的网络端口"
},
"persistence_check": {
"query": "SELECT name, path, source FROM startup_items;",
"interval": 3600,
"description": "监控持久化机制"
},
"installed_packages": {
"query": "SELECT name, version, source FROM deb_packages;",
"interval": 86400,
"description": "每日软件清单"
},
"users_and_groups": {
"query": "SELECT u.username, u.uid, u.gid, u.shell, u.directory FROM users u WHERE u.uid >= 1000;",
"interval": 3600
},
"crontab_monitor": {
"query": "SELECT * FROM crontab;",
"interval": 3600,
"description": "监控计划任务"
},
"suid_binaries": {
"query": "SELECT path, username, permissions FROM suid_bin;",
"interval": 86400,
"description": "检测 SUID 二进制文件"
}
},
"packs": {
"incident-response": "/usr/share/osquery/packs/incident-response.conf",
"ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf",
"vuln-management": "/usr/share/osquery/packs/vuln-management.conf"
}
}
步骤 3:威胁狩猎查询
SELECT pid, name, path, cmdline FROM processes WHERE on_disk = 0;
SELECT lp.port, lp.protocol, p.name, p.path
FROM listening_ports lp JOIN processes p ON lp.pid = p.pid
WHERE lp.port NOT IN (22, 80, 443, 3306, 5432);
SELECT * FROM authorized_keys WHERE NOT key LIKE '%admin-team%';
SELECT path, mtime, size FROM file
WHERE path LIKE '/usr/bin/%' AND mtime > (strftime('%s', 'now') - 86400);
SELECT DISTINCT p.name, p.path, pn.remote_address, pn.remote_port
FROM process_open_sockets pn JOIN processes p ON pn.pid = p.pid
WHERE pn.remote_address NOT LIKE '10.%'
AND pn.remote_address NOT LIKE '172.16.%'
AND pn.remote_address NOT LIKE '192.168.%'
AND pn.remote_address != '127.0.0.1'
AND pn.remote_address != '0.0.0.0';
SELECT p.name, p.path, a.result AS signature_status
FROM processes p JOIN authenticode a ON p.path = a.path
WHERE a.result != 'trusted';
步骤 4:部署 FleetDM 进行集中管理
关键概念
| 术语 | 定义 |
|---|
| osquery | 开源端点代理,将操作系统状态暴露为可查询的 SQL 数据表 |
| Schedule(计划) | 按定义间隔运行并记录结果的周期性查询 |
| Pack(包) | 为特定使用场景(IR、合规)分组的相关查询集合 |
| FleetDM | 开源 osquery 部署管理平台 |
| 差异结果 | osquery 只记录查询执行之间的变更,减少数据量 |
工具与系统
常见误区
- 查询性能问题:包含大型表扫描的复杂查询会影响端点性能。使用 WHERE 子句并用
EXPLAIN 测试查询开销。
- 计划间隔太激进:每 60 秒运行繁重查询会导致 CPU 峰值。大多数查询使用 300-3600 秒间隔。
- 未使用差异模式:不使用差异日志记录时,osquery 每次间隔都会记录所有结果。差异模式只记录变更。
- 缺少事件数据表:某些 osquery 数据表需要启用事件框架(process_events、socket_events)。使用
--disable_events=false 启用。