Created on 02-06-2016 04:04 AM - edited 09-16-2022 01:34 AM
osquery allows you to easily ask questions about your Linux and OSX infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company.
Download https://osquery.readthedocs.org/en/latest/installation/install-linux/
[root@phdns02 ~]# sudo rpm -ivh https://osquery-packages.s3.amazonaws.com/centos6/noarch/osquery-s3-centos6-repo-1-0.0.noarch.rpm
Retrieving https://osquery-packages.s3.amazonaws.com/centos6/noarch/osquery-s3-centos6-repo-1-0.0.noarch.rpm
warning: /var/tmp/rpm-tmp.rCrgXh: Header V4 RSA/SHA1 Signature, key ID c9d8b80b: NOKEY
Preparing... ########################################### [100%]
1:osquery-s3-centos6-repo########################################### [100%]
[root@phdns02 ~]# yum install osquery
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
epel/metalink | 12 kB 00:00
* base: mirrors.abcd.net
* epel: mirror.sfo12.us.xyz.net
* extras: repos.lmnopq.com
* updates: mirror.xxxx.org
HDP-2.3 | 2.9 kB 00:00
HDP-UTILS-1.1.0.20 | 2.9 kB 00:00
Updates-ambari-2.2.0.0 | 2.9 kB 00:00
base | 3.7 kB 00:00
dockerrepo | 2.9 kB 00:00
epel | 4.3 kB 00:00
epel/primary_db | 5.8 MB 00:00
epel-apache-maven | 2.4 kB 00:00
extras | 3.4 kB 00:00
osquery-s3-centos6-repo | 3.3 kB 00:00
osquery-s3-centos6-repo/primary_db | 11 kB 00:00
updates | 3.4 kB 00:00
updates/primary_db | 3.3 MB 00:00
Resolving Dependencies
--> Running transaction check
---> Package osquery.x86_64 0:1.7.0_4_g08ca034-1.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==========================================================================================================================================================================================================
Package Arch Version Repository Size
==========================================================================================================================================================================================================
Installing:
osquery x86_64 1.7.0_4_g08ca034-1.el6 osquery-s3-centos6-repo 5.5 M
Transaction Summary
==========================================================================================================================================================================================================
Install 1 Package(s)
Total download size: 5.5 M
Installed size: 16 M
Is this ok [y/N]: y
Downloading Packages:
osquery-1.7.0-4-g08ca034.rpm | 5.5 MB 00:01
warning: rpmts_HdrFromFdno: Header V4 RSA/SHA1 Signature, key ID c9d8b80b: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/OSQUERY-S3-RPM-REPO-GPGKEY
Importing GPG key 0xC9D8B80B:
Userid : osquery (osquery) <osquery@fb.com>
Package: osquery-s3-centos6-repo-1-0.0.noarch (installed)
From : /etc/pki/rpm-gpg/OSQUERY-S3-RPM-REPO-GPGKEY
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
Installing : osquery-1.7.0_4_g08ca034-1.el6.x86_64 1/1
Verifying : osquery-1.7.0_4_g08ca034-1.el6.x86_64 1/1
Installed:
osquery.x86_64 0:1.7.0_4_g08ca034-1.el6
Complete!
Launch the osquery shell and run a first query (standard SQL against the processes table; string literals use single quotes):
[root@phdns02 ~]# osqueryi
osquery> SELECT name, path, pid FROM processes WHERE name = 'java';
osquery> .help
Welcome to the osquery shell. Please explore your OS!
You are connected to a transient 'in-memory' virtual database.
.all [TABLE] Select all from a table
.bail ON|OFF Stop after hitting an error; default OFF
.echo ON|OFF Turn command echo on or off
.exit Exit this program
.header(s) ON|OFF Turn display of headers on or off
.help Show this message
.mode MODE Set output mode where MODE is one of:
    csv     Comma-separated values
    column  Left-aligned columns. (See .width)
    line    One value per line
    list    Values delimited by .separator string
    pretty  Pretty printed SQL results
.nullvalue STR Use STRING in place of NULL values
.print STR... Print literal STRING
.quit Exit this program
.schema [TABLE] Show the CREATE statements
.separator STR Change separator used by output mode and .import
.show Show the current values for various settings
.tables [TABLE] List names of tables
.trace FILE|off Output each SQL statement as it is run
.width [NUM1]+ Set column widths for "column" mode
.timer ON|OFF Turn the CPU timer measurement on or off
osquery>
osquery> .tables
=> acpi_tables
=> arp_cache
=> authorized_keys
=> block_devices
=> chrome_extensions
=> cpuid
=> crontab
=> device_file
=> device_hash
=> device_partitions
=> disk_encryption
=> etc_hosts
=> etc_protocols
=> etc_services
=> file
=> file_events
=> firefox_addons
=> groups
=> hardware_events
=> hash
=> interface_addresses
=> interface_details
=> iptables
=> kernel_info
=> kernel_integrity
=> kernel_modules
=> known_hosts
=> last
=> listening_ports
=> logged_in_users
=> magic
=> memory_map
=> mounts
=> msr
=> opera_extensions
=> os_version
=> osquery_events
=> osquery_extensions
=> osquery_flags
=> osquery_info
=> osquery_packs
=> osquery_registry
=> osquery_schedule
=> pci_devices
=> platform_info
=> process_envs
=> process_events
=> process_memory_map
=> process_open_files
=> process_open_sockets
=> processes
=> routes
=> rpm_package_files
=> rpm_packages
=> shared_memory
=> shell_history
=> smbios_tables
=> socket_events
=> suid_bin
=> system_controls
=> system_info
=> time
=> uptime
=> usb_devices
=> user_events
=> user_groups
=> users
=> yara
=> yara_events
osquery>
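The post shows a single query against the processes table. The queries below are an added example (not part of the original post and not code from the osquery project) that use the same osqueryi shell for the intrusion-detection and compliance use cases named in the introduction. They reference only tables that appear in the .tables listing above; the column names follow the osquery schema as assumed here, so confirm them with .schema <table> on your version, and the directory list in query 3 is an assumption to adjust to your own baseline.

```sql
-- Added example (not from the original post or the osquery project):
-- defender-oriented osqueryi queries using tables from the .tables listing above.
-- Column names are assumed from the osquery schema; verify with .schema <table>.

-- 1. Which processes are listening on the network, and from which binary?
--    listening_ports.protocol is the IP protocol number (6 = TCP, 17 = UDP).
SELECT p.pid, p.name, p.path, lp.port, lp.protocol, lp.address
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
WHERE lp.port != 0
ORDER BY lp.port;

-- 2. Running processes whose executable is no longer on disk (on_disk = 0),
--    which deserves a closer look: the binary was deleted or replaced after start.
SELECT pid, name, path, cmdline, uid
FROM processes
WHERE on_disk = 0;

-- 3. Setuid binaries outside the usual system directories
--    (the directory list is an assumption for this example; use your baseline).
SELECT path, username, groupname, permissions
FROM suid_bin
WHERE path NOT LIKE '/bin/%'
  AND path NOT LIKE '/sbin/%'
  AND path NOT LIKE '/usr/bin/%'
  AND path NOT LIKE '/usr/sbin/%'
  AND path NOT LIKE '/usr/libexec/%';

-- 4. Who can log in with SSH keys: authorized_keys joined to the owning account.
SELECT u.username, u.directory, ak.key_file, ak.algorithm
FROM authorized_keys AS ak
JOIN users AS u USING (uid)
ORDER BY u.username;

-- 5. Compliance check: any account besides root that has uid 0.
SELECT username, uid, shell, directory
FROM users
WHERE uid = 0 AND username != 'root';

-- 6. Scheduled commands: every crontab entry on the host, with its source file.
SELECT path, minute, hour, day_of_month, month, day_of_week, command
FROM crontab
ORDER BY path;

-- 7. The post's own question, widened to show the owner and full command line
--    of each java process (useful on a Hadoop node with many JVMs).
SELECT p.pid, p.name, u.username, p.cmdline
FROM processes AS p
LEFT JOIN users AS u ON p.uid = u.uid
WHERE p.name = 'java';
```

Paste each statement at the osquery> prompt; for wide rows such as cmdline, the .mode line setting from the .help output above prints one value per line, and .mode csv is the convenient choice when exporting results for comparison against a known-good baseline.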
Created on 02-06-2016 08:46 PM