osquery简单试用-白红宇

osquery简单试用

阅读量：7228 次

发布时间：2019-06-29

本文共 2741 字，大约阅读时间需要 9 分钟。

备注：

osquery facebook 开源的将操作系统指标转换为sql 查询，方便好用，很适合devops 性能分析，系统监控

1. 安装

参考 https://osquery.io/downloads/official/2.11.2我使用的是centos 使用rpm 包安装wget https://pkg.osquery.io/rpm/osquery-2.11.2-1.linux.x86_64.rpmyum install -y osquery-2.11.2-1.linux.x86_64.rpm

2. 基本使用

a. 简单sqlosqueryi比如我要查询系统的用户select * from users;b. 查看系统的表.table=> acpi_tables  => apt_sources  => arp_cache  => augeas  => authorized_keys  => block_devices  => carbon_black_info  => carves  => chrome_extensions  => cpu_time  => cpuid  => crontab  => curl  => curl_certificate  => deb_packages  => device_file  => device_hash  => device_partitions  => disk_encryption  => dns_resolvers  => docker_container_labels  => docker_container_mounts  => docker_container_networks  => docker_container_ports  => docker_container_processes  => docker_container_stats  => docker_containers  => docker_image_labels  => docker_images  => docker_info  => docker_network_labels  => docker_networks  => docker_version  => docker_volume_labels  => docker_volumes  => ec2_instance_metadata  => ec2_instance_tags  => etc_hosts  => etc_protocols  => etc_services  => file  => file_events  => firefox_addons  => groups  => hardware_events  => hash  => intel_me_info  => interface_addresses  => interface_details  => iptables  => kernel_info  => kernel_integrity  => kernel_modules  => known_hosts  => last  => listening_ports  => lldp_neighbors  => load_average  => logged_in_users  => magic  => md_devices  => md_drives  => md_personalities  => memory_info  => memory_map  => mounts  => msr  => opera_extensions  => os_version  => osquery_events  => osquery_extensions  => osquery_flags  => osquery_info  => osquery_packs  => osquery_registry  => osquery_schedule  => pci_devices  => platform_info  => portage_keywords  => portage_packages  => portage_use  => process_envs  => process_events  => process_memory_map  => process_open_files  => process_open_sockets  => processes  => prometheus_metrics  => python_packages  => routes  => rpm_package_files  => rpm_packages  => shadow  => shared_memory  => shell_history  => smbios_tables  => socket_events  => startup_items  => sudoers  => suid_bin  => syslog_events  => system_controls  => system_info  => time  => uptime  => usb_devices  => user_events  => user_groups  => user_ssh_keys  => users  => yara  => yara_eventsc.  查看表schema.schema table_name 比如：.schema users.schema usersCREATE TABLE users(`uid` BIGINT, `gid` BIGINT, `uid_signed` BIGINT, `gid_signed` BIGINT, `username` TEXT, `description` TEXT, `directory` TEXT, `shell` TEXT, `uuid` TEXT, `type` TEXT HIDDEN, PRIMARY KEY (`uid`, `username`)) WITHOUT ROWID;备注：就是写sql,实际需要的就是查询对应表的数据，很强很大，同时基本主流操作系统都支持

3. 几个小技巧

修改模式.mode line 类似mysql  \G.table  系统表.schema  表结构

4. 参考资料

https://osquery.io/

转载地址：http://isdfm.baihongyu.com/

你可能感兴趣的文章

敏感字过滤

查看>>

为什么我们要从 NodeJS 迁移到 Ruby on Rails

论flex布局和box布局的华为meta8手机自带浏览器的兼容

SharedPreferences的使用注意事项

Shell标准输出、标准错误 >/dev/null 2>&1

查看>>

Android自定义对话框(Dialog)位置,大小

通过案例对SparkStreaming 透彻理解三板斧之一：解密SparkStreaming运行机制

查看>>

HBuilder 学习笔记

查看>>

利用OpenStreetMap（OSM）数据搭建一个地图服务

查看>>