osquery 在主机侧采用的仍是离线(可做到近实时)分析方式。
安全监控规则位于文件 secrity.conf 中,可自行修改;每条规则主要包含三项:query、interval、removed。
query: 查询的SQL语句
interval: 查询间隔,单位时间为秒
removed: 是否为消失(减少)的记录生成差异事件
如:
"users": {
"query" : "select * from users;",
"interval" : 3600,
"removed": false
}
https://github.com/grayddq/HIDS/blob/master/osquery/secrity.conf
{
"queries": {
//////////////////////////////// The following rules run every 5 minutes //////////////////
// process_open_sockets: diff of processes holding open network sockets. Loopback, empty,
// unspecified and RFC1918-looking remote addresses are filtered out to cut noise.
// NOTE(review): '172.16.%' only excludes 172.16.0.0/16, not the whole 172.16.0.0/12 private
// range (172.17-172.31 will still be reported); '::1' (IPv6 loopback) is also not excluded.
// Whether that extra noise is acceptable depends on the network — confirm before tuning.
// On the W cluster the connection count exceeds 100k and CPU spiked to 99%, so the plan is
// to pull this rule out and collect the same data with a shell script around `ss -an`.
"process_open_sockets": {
"query" : "select * from process_open_sockets where remote_address != '127.0.0.1' and remote_address != '' and remote_address != '::' and remote_address not like '10.%' and remote_address != '0.0.0.0' and remote_address not like '172.16.%' and remote_address not like '192.168.%';",
"interval" : 300,
"removed": false
},
// processes: diff of all running processes on the host; frequently seen daemons are excluded.
// NOTE(review): the exclusions match on process name only, so a process that simply calls
// itself 'nginx' or 'zabbix-agent' is never reported — consider also constraining on path.
"processes": {
"query" : "select pid,name,path,cmdline,cwd,root,uid,gid,parent from processes where name != 'nginx' and name != 'php-fpm' and name not like 'zabbix%';",
"interval" : 300,
"removed": false
},
///////////////////////////////// The following rules run once per hour //////////////////
// listening_ports: diff of listening (bound) sockets/ports. The '::' address is excluded,
// which drops IPv6 "bind to all interfaces" listeners, not all IPv6 listeners; other IPv6
// addresses such as '::1' still pass. NOTE(review): a new service binding '::' on every
// interface is exactly what this rule is meant to catch — confirm the exclusion is intended.
"listening_ports": {
"query" : "select * from listening_ports where address != '::';",
"interval" : 3600,
"removed": false
},
// arp_cache: diff of the ARP cache
"arp_cache": {
"query" : "select * from arp_cache;",
"interval" : 3600,
"removed": false
},
// authorized_keys: diff of SSH public keys in authorized_keys files
"authorized_keys": {
"query" : "select * from authorized_keys;",
"interval" : 3600,
"removed": false
},
// crontab: diff of scheduled cron jobs
"crontab": {
"query" : "select * from crontab;",
"interval" : 3600,
"removed": false
},
// dns_resolvers: diff of configured DNS resolvers
"dns_resolvers": {
"query" : "select * from dns_resolvers;",
"interval" : 3600,
"removed": false
},
// etc_hosts: diff of /etc/hosts entries
"etc_hosts": {
"query" : "select * from etc_hosts;",
"interval" : 3600,
"removed": false
},
// etc_services: diff of /etc/services entries
"etc_services": {
"query" : "select * from etc_services;",
"interval" : 3600,
"removed": false
},
// groups: diff of local system groups
"groups": {
"query" : "select * from groups;",
"interval" : 3600,
"removed": false
},
// iptables: diff of firewall rules
"iptables": {
"query" : "select * from iptables;",
"interval" : 3600,
"removed": false
},
// last: diff of system login/logout records; rows with an empty host or username are dropped.
// This is the only rule with "removed": true, so entries that disappear from the login log
// (presumably on rotation) are reported as well as new ones.
"last": {
"query" : "select * from last where host != '' and username != '';",
"interval" : 3600,
"removed": true
},
// routes: diff of the host's active routing table; IPv6 destinations (containing ':') are dropped
"routes": {
"query" : "select * from routes where destination not like '%:%';",
"interval" : 3600,
"removed": false
},
// startup_items: diff of applications/binaries registered as user or login startup items
"startup_items": {
"query" : "select * from startup_items;",
"interval" : 3600,
"removed": false
},
// sudoers: diff of rules allowing commands to run as other users via sudo
"sudoers": {
"query" : "select * from sudoers;",
"interval" : 3600,
"removed": false
},
// usb_devices: diff of USB devices plugged into the host
"usb_devices": {
"query" : "select * from usb_devices;",
"interval" : 3600,
"removed": false
},
// user_groups: diff of local user-to-group membership
"user_groups": {
"query" : "select * from user_groups;",
"interval" : 3600,
"removed": false
},
// users: diff of local user accounts
"users": {
"query" : "select * from users;",
"interval" : 3600,
"removed": false
}
}
}
