It would be helpful to view all of this information formatted like the output of a database SQL query. Imagine that you could query the output of the ps and rpm commands as if you were querying an SQL database table with similar names.

Fortunately, there is a tool that does just that and much more: Osquery is an open source "SQL powered operating system instrumentation, monitoring, and analytics framework." Many applications that handle security, DevOps, compliance, and inventory management (to name a few) depend upon the core functionalities provided by Osquery at their heart.

Osquery is available for Linux, macOS, Windows, and FreeBSD. Install the latest version for your operating system by following its installation instructions. (I'll use version 4.7.0 in these examples.)

After installation, verify it's working:

$ rpm -qa | grep osquery

Osquery ships two main components:

- osqueryi is an interactive SQL query console. It is a standalone utility that does not need super-user privileges (unless you are querying tables that need that level of access).
- osqueryd is like a monitoring daemon for the host it is installed on. This daemon can schedule queries to execute at regular intervals to gather information from the infrastructure.

You can run the osqueryi utility without having the osqueryd daemon running. Another utility, osqueryctl, controls starting, stopping, and checking the status of the daemon.

You interact with Osquery much like you would use an SQL database. In fact, osqueryi is a modified version of the SQLite shell. Running the osqueryi command drops you into an interactive shell where you can run commands specific to Osquery, which often start with a . (period). Use the .quit command to get back to the operating system's shell:

osquery> .quit

As mentioned, Osquery makes data available as the output of SQL queries. Information in databases is often saved in tables. But how can you query these tables if you don't know their names? Well, you can run the .tables command to list all the tables that you can query:

osquery> .tables

If you are a long-time Linux user or a sysadmin, the table names will be familiar, as you have been using operating system commands to get this information.

Check the schema for individual tables

Now that you know the table names, you can see what information each table provides. As an example, choose processes, since the ps command is used quite often to get this information. Use the .schema command followed by the table name to see what information is saved in this table:

osquery> .schema processes
CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `path` TEXT, `cmdline` TEXT, `state` TEXT, `cwd` TEXT, `root` TEXT, `uid` BIGINT, `gid` BIGINT, `euid` BIGINT, `egid` BIGINT, `suid` BIGINT, `sgid` BIGINT, `on_disk` INTEGER, `wired_size` BIGINT, `resident_size` BIGINT, `total_size` BIGINT, `user_time` BIGINT, `system_time` BIGINT, `disk_bytes_read` BIGINT, `disk_bytes_written` BIGINT, `start_time` BIGINT, `parent` BIGINT, `pgroup` BIGINT, `threads` INTEGER, `nice` INTEGER, `is_elevated_token` INTEGER HIDDEN, `elapsed_time` BIGINT HIDDEN, `handle_count` BIGINT HIDDEN, `percent_processor_time` BIGINT HIDDEN, `upid` BIGINT HIDDEN, `uppid` BIGINT HIDDEN, `cpu_type` INTEGER HIDDEN, `cpu_subtype` INTEGER HIDDEN, `phys_footprint` BIGINT HIDDEN, PRIMARY KEY (`pid`)) WITHOUT ROWID

If you want to check the results, you could quickly run ps -ef or ps aux and compare the output with the contents of the table.

To drive home the point, use the following command to see the schema for the RPM packages and compare the information with the rpm -qa and rpm -qi operating system commands:

osquery> .schema rpm_packages
CREATE TABLE rpm_packages(`name` TEXT, `version` TEXT, `release` TEXT, `source` TEXT, `size` BIGINT, `sha1` TEXT, `arch` TEXT, `epoch` INTEGER, `install_time` INTEGER, `vendor` TEXT, `package_group` TEXT, `pid_with_namespace` INTEGER HIDDEN, `mount_namespace_id` TEXT HIDDEN, PRIMARY KEY (`name`, `version`, `release`, `arch`, `epoch`, `pid_with_namespace`)) WITHOUT ROWID

You can learn more in Osquery's tables documentation.

In case that schema information is too cryptic for you, there is another way to print the table information in a verbose, tabular format: the PRAGMA command. For example, I'll use PRAGMA to see information for the rpm_packages table in a nice format:

osquery> PRAGMA table_info(rpm_packages);

One benefit of this tabular information is that you can focus on the field you want to query and see the type of information that it provides:

osquery> PRAGMA table_info(users);
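The session below is an added example, not code from the original article or from the Osquery project. It turns the schema discovery shown above into the kind of queries a sysadmin or incident responder would actually type at the osquery> prompt: the processes and rpm_packages columns come from the .schema output on this page; users.username is the standard Osquery column for that table and is assumed here rather than shown on the page. The dot commands (.tables, .schema, .quit) only work interactively; the SELECT statements can also be passed on the command line as osqueryi --json "<query>".

```sql
-- Added example session (not from the article). Typed at the osquery> prompt.
-- Columns used below are those from the .schema output for processes and
-- rpm_packages; users.username is assumed from the standard Osquery schema.

-- Discover tables and columns first, then query only the fields you need.
.tables
.schema processes
PRAGMA table_info(rpm_packages);

-- Roughly what `ps -ef` shows: pid, parent pid, owner uid, command line.
SELECT pid, parent, uid, name, cmdline
FROM processes
ORDER BY pid
LIMIT 20;

-- Same view, but resolve the numeric uid to a username by joining users.
SELECT p.pid, p.name, u.username, p.path
FROM processes AS p
JOIN users AS u ON p.uid = u.uid
WHERE u.username != 'root'
ORDER BY p.pid;

-- Defender's check: running processes whose executable no longer exists on
-- disk (on_disk = 0 means the path does not exist, -1 means unknown). Each
-- hit deserves an explanation during an investigation.
SELECT pid, name, path, cmdline, start_time
FROM processes
WHERE on_disk = 0;

-- Equivalent of `rpm -qa | grep osquery`.
SELECT name, version, release, arch
FROM rpm_packages
WHERE name LIKE 'osquery%';

-- The question `rpm -qi` answers one package at a time, asked for the whole
-- host: packages installed in the last 24 hours. install_time is a Unix
-- epoch timestamp, so SQLite's date functions apply directly.
SELECT name, version, release, datetime(install_time, 'unixepoch') AS installed
FROM rpm_packages
WHERE install_time > strftime('%s', 'now') - 86400
ORDER BY install_time DESC;

.quit
```

Because osqueryi is a SQLite shell, every query ends with a semicolon, and standard SQLite functions such as datetime() and strftime() are available for turning the epoch integers in these tables into readable timestamps. Scheduling the on_disk and install_time queries in osqueryd's configuration turns these one-off checks into a recurring record you can compare against over time.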