# osquery

## Installation and configuration of OSQuery:

#### Work order:

1. Install osquery on host
2. Create `/etc/osquery/osquery.conf` on host
3. Activate it in the modules

### Prerequisites:

#### Client:

Allow osquery through the firewall (wasn't needed for this example, but you might need it).

#### Wazuh:

Go to Wazuh > Settings > Modules and enable OSquery; it will then appear under Threat Detection and Response. Enable Osquery there:

<figure><img src="https://lh5.googleusercontent.com/MYlaBRcLlQRATlR7YUXalSsgmHwiZBRBFNAtBWJHyjzCA5w0gXuQmZVorn9EcNZcqwJjLRrhAWOvr_Eabwd_ob4gpZ9fD3v8HQn9flr59DwxOy5WpoX3vKR2nTIjz5GUWlkHprtWWt1UyK3W_kzVfqM" alt=""><figcaption></figcaption></figure>

### Installation osquery Client (web01):

```bash
curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
sudo yum install yum-utils -y
sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
sudo yum-config-manager --enable osquery-s3-rpm-repo
sudo yum install osquery -y 
```

### Client Config:

Copy the following example configuration into `/etc/osquery/osquery.conf`. It creates two scheduled queries: one grabs the system's hostname, CPU, and memory every minute (a good test to ensure the system is "up"), and the other records which processes are bound to listening ports, so a new port binding shows up in the results:

{% code overflow="wrap" %}

```json
{
    "options": {
        "config_plugin": "filesystem",
        "logger_plugin": "filesystem",
        "utc": "true"
    },
    "schedule": {
        "system_info": {
            "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
            "interval": 60
        },
        "processes_binding_to_ports": {
            "query": "SELECT DISTINCT process.name, listening.port, listening.address, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;",
            "interval": 60
        }
    }
}
```

{% endcode %}

### Wazuh Config:

Then enable the osquery module by adding the following to the group's `agent.conf` file in Wazuh (restart the Wazuh agent on the host after saving). [Documentation](https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/wodle-osquery.html)

<figure><img src="https://lh3.googleusercontent.com/WH2hMxmglbZJuXBTSvG4aNdukPtcRAU-oSenC-YeqlPdQ_Ocn0a2e4xqdMxSR-dA81d4TERSDEmmCiJZq8_yGvNDiAjJuT4qVDqzpho24PBNfHzNC0RwgSVQ0Ytl-GBNK5-QFnlNmbnV_emuKzl3No8" alt=""><figcaption></figcaption></figure>

```xml
<wodle name="osquery">
    <disabled>no</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>/usr/bin</bin_path>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>no</add_labels>
</wodle>
```

<figure><img src="https://lh4.googleusercontent.com/4fQZPNlwaoLbJ-9IEZAZf6oyEE5YVMsp84iyI3hK9d6BrvdFZgQcpAayg6hYG7vu6vEc-CweFYUFlexDfJKo4nVQo5iCkmx2dgjIEzjdG77RFh7biPgdaarnB-qDAvYauLsr5idQBHLPeHsDVUEw_Cc" alt=""><figcaption></figcaption></figure>

### Output/Example:

If you go to `Modules > Osquery > Events` you will see events begin to populate. For example, you could create a Python webserver with the command `python3 -m http.server 8900`, and you will see osquery has logged a python3 process on port 8900.

<figure><img src="https://lh5.googleusercontent.com/aYwNzVa8XTVQnHPxGSmFv_dU0qEv4RWYDQJeSRs5UFOKPkRfZ8bftu9dXjsmU6rmSCFrN4bd2fWW7QyTSwBuNb_4DmrO_MfIuJ3zjh0Ed2YSF1GAgOEMVK9A4-xeTyvkE3Tpk1eSCLocw9BXrVFcxVE" alt=""><figcaption></figcaption></figure>
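The `processes_binding_to_ports` query above writes differential rows to `osqueryd.results.log`, the same file the Wazuh wodle reads. The script below is an added example (not part of this page or of osquery/Wazuh) that parses constructed sample lines in that format and flags any newly added listener that is not on a hypothetical baseline, which is how the python3 server on port 8900 from the text would surface:

```python
import json

# Constructed sample of osqueryd.results.log lines (differential format), not
# captured from a real host: sshd is a known-good listener, the python3 test
# server from the text appears on port 8900, and one later line is a "removed".
SAMPLE_LOG = """\
{"name":"system_info","hostIdentifier":"web01","calendarTime":"Mon Jan  1 00:00:00 2024 UTC","unixTime":1704067200,"epoch":0,"counter":0,"columns":{"hostname":"web01","cpu_brand":"Intel(R) Xeon(R)","physical_memory":"2147483648"},"action":"added"}
{"name":"processes_binding_to_ports","hostIdentifier":"web01","calendarTime":"Mon Jan  1 00:00:00 2024 UTC","unixTime":1704067200,"epoch":0,"counter":0,"columns":{"name":"sshd","port":"22","address":"0.0.0.0","pid":"812"},"action":"added"}
{"name":"processes_binding_to_ports","hostIdentifier":"web01","calendarTime":"Mon Jan  1 00:01:00 2024 UTC","unixTime":1704067260,"epoch":0,"counter":1,"columns":{"name":"python3","port":"8900","address":"0.0.0.0","pid":"4410"},"action":"added"}
{"name":"processes_binding_to_ports","hostIdentifier":"web01","calendarTime":"Mon Jan  1 00:02:00 2024 UTC","unixTime":1704067320,"epoch":0,"counter":2,"columns":{"name":"python3","port":"8900","address":"0.0.0.0","pid":"4410"},"action":"removed"}
"""

# Hypothetical baseline of (process name, port) pairs expected on web01.
EXPECTED_LISTENERS = {("sshd", "22")}


def parse_results(log_text):
    """Yield one dict per well-formed JSON line; skip blank or truncated lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # osqueryd may be mid-write; ignore the partial line


def unexpected_bindings(log_text, baseline=EXPECTED_LISTENERS):
    """Return (host, process, port, address, pid) for each newly seen listener
    not on the baseline. Only 'added' rows of the port-binding query count;
    'removed' rows mean the listener went away and are not alerts."""
    hits = []
    for ev in parse_results(log_text):
        if ev.get("name") != "processes_binding_to_ports" or ev.get("action") != "added":
            continue
        cols = ev.get("columns", {})
        if (cols.get("name"), cols.get("port")) in baseline:
            continue
        hits.append((ev.get("hostIdentifier"), cols.get("name"), cols.get("port"),
                     cols.get("address"), cols.get("pid")))
    return hits


if __name__ == "__main__":
    for host, proc, port, addr, pid in unexpected_bindings(SAMPLE_LOG):
        print("unexpected listener on %s: %s (pid %s) bound to %s:%s" % (host, proc, pid, addr, port))
```

Point it at the real `/var/log/osquery/osqueryd.results.log` by reading the file into `unexpected_bindings` instead of `SAMPLE_LOG`, and keep the baseline per host group.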

### NEVER RUN WAZUH ON THE SYSTEM THROUGH SYSTEMCTL, WAZUH CONTROLS IT!!!

### Sources:

* <https://osquery.readthedocs.io/en/latest/>
* <https://github.com/osquery/osquery>
* <https://www.osquery.io/>
* <https://documentation.wazuh.com/current/user-manual/capabilities/osquery.html>
* <https://youtu.be/zT5RpPR7uhg>
* <https://www.rapid7.com/blog/post/2016/05/09/introduction-to-osquery-for-threat-detection-dfir/>
