osquery

Installation and configuration of osquery:

Work order:

  1. Install osquery on host

  2. Create /etc/osquery/osquery.conf on host

  3. Enable the osquery wodle in the Wazuh agent configuration and the Osquery module in the Wazuh dashboard

Prerequisites:

Client:

Allow osquery through the firewall if required. It was not needed for this example: osqueryd writes its results to a local log file and the Wazuh agent forwards them over its existing connection to the manager. A firewall rule only becomes necessary if osquery is pointed at a remote TLS config or logger endpoint.

Wazuh:

Go to Wazuh > Settings > Modules and enable Osquery. The module then appears under Threat Detection and Response > Osquery.

Installing the osquery client (web01):

curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
sudo yum install yum-utils -y
sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
sudo yum-config-manager --enable osquery-s3-rpm-repo
sudo yum install osquery -y

Client Config:

Copy the following example configuration into /etc/osquery/osquery.conf. It schedules two queries that run every minute: one grabs the system's hostname, CPU and memory (a simple check that the host is up and reporting), the other lists the processes bound to listening ports, so new port bindings show up as they happen. You can validate the file with osqueryctl config-check before restarting the agent.

{
    "options": {
        "config_plugin": "filesystem",
        "logger_plugin": "filesystem",
        "utc": "true"
    },
    "schedule": {
        "system_info": {
            "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
            "interval": 60
        },
        "processes_binding_to_ports": {
            "query": "SELECT DISTINCT process.name, listening.port, listening.address, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;",
            "interval": 60
        }
    }
}

Wazuh Config:

Then enable the osquery module by adding the following to the group's agent.conf file in Wazuh (restart the Wazuh agent on the host after saving). See the Wazuh documentation for the osquery wodle for the full list of options.

    <wodle name="osquery">
        <disabled>no</disabled>
        <run_daemon>yes</run_daemon>
        <bin_path>/usr/bin</bin_path>
        <log_path>/var/log/osquery/osqueryd.results.log</log_path>
        <config_path>/etc/osquery/osquery.conf</config_path>
        <add_labels>no</add_labels>
    </wodle>

Output/Example:

If you go to Modules > Osquery > Events you will see events begin to populate. For example, you could create a Python webserver with the command python3 -m http.server 8900, and you will see osquery has logged a python3 process on port 8900.
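The events the dashboard shows come from the osqueryd.results.log file named in the wodle's log_path. The following is an added example, not part of the original page or of osquery or Wazuh: a small Python script that parses that log in osquery's default differential format (one JSON object per line, with "action" set to "added" when a row appears and "removed" when it disappears between two runs of a scheduled query) and flags processes that started listening on ports outside an allowlist. The log lines and the allowlist are constructed for the example; the python3 process on port 8900 corresponds to the http.server test above.

```python
"""Flag new listening ports in osqueryd.results.log.

Added example, not code from the page or from osquery/Wazuh. The log
lines in SAMPLE_LOG are constructed to look like the differential output
of the "processes_binding_to_ports" and "system_info" scheduled queries;
ALLOWED_PORTS is an assumed baseline for the host.
"""
import json

# Constructed sample of osqueryd.results.log. Column values are strings in
# the default format (numerics=false), so the port has to be converted.
SAMPLE_LOG = """\
{"name":"system_info","hostIdentifier":"web01","calendarTime":"Mon Jan  1 00:00:00 2024 UTC","unixTime":1704067200,"epoch":0,"counter":0,"numerics":false,"columns":{"hostname":"web01","cpu_brand":"Intel(R) Xeon(R)","physical_memory":"4294967296"},"action":"added"}
{"name":"processes_binding_to_ports","hostIdentifier":"web01","calendarTime":"Mon Jan  1 00:00:00 2024 UTC","unixTime":1704067200,"epoch":0,"counter":0,"numerics":false,"columns":{"name":"sshd","port":"22","address":"0.0.0.0","pid":"812"},"action":"added"}
{"name":"processes_binding_to_ports","hostIdentifier":"web01","calendarTime":"Mon Jan  1 00:01:00 2024 UTC","unixTime":1704067260,"epoch":0,"counter":1,"numerics":false,"columns":{"name":"python3","port":"8900","address":"0.0.0.0","pid":"4242"},"action":"added"}
{"name":"processes_binding_to_ports","hostIdentifier":"web01","calendarTime":"Mon Jan  1 00:02:00 2024 UTC","unixTime":1704067320,"epoch":0,"counter":2,"numerics":false,"columns":{"name":"python3","port":"8900","address":"0.0.0.0","pid":"4242"},"action":"removed"}
this line is not json and must be skipped rather than abort the run
"""

# Assumed baseline: ports this host is expected to serve.
ALLOWED_PORTS = {22, 80, 443}


def parse_results_log(text):
    """Yield one dict per parseable line; skip blank or corrupt lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def new_listeners(text, allowed_ports=ALLOWED_PORTS):
    """Return (host, process, port, address, pid) for every listener that
    appeared ("added") on a port outside allowed_ports."""
    hits = []
    for event in parse_results_log(text):
        if event.get("name") != "processes_binding_to_ports":
            continue
        if event.get("action") != "added":
            continue
        cols = event.get("columns", {})
        try:
            port = int(cols.get("port", ""))
        except ValueError:
            continue
        if port in allowed_ports:
            continue
        hits.append((event.get("hostIdentifier"), cols.get("name"),
                     port, cols.get("address"), cols.get("pid")))
    return hits


def main():
    for host, proc, port, addr, pid in new_listeners(SAMPLE_LOG):
        print(f"{host}: {proc} (pid {pid}) started listening on {addr}:{port}")


if __name__ == "__main__":
    main()
```

On the host you would feed the real file to new_listeners (for example by reading /var/log/osquery/osqueryd.results.log) rather than SAMPLE_LOG; the "removed" event is deliberately ignored so that a service going away does not raise a finding, and only ports not in the baseline are reported.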

Important: do not start or enable osqueryd through systemctl on the host. With run_daemon set to yes the Wazuh agent launches and manages osqueryd itself, and a second copy started by systemd would conflict with it. If the package enabled the osqueryd unit, stop and disable it, and restart only the Wazuh agent.
