
Data sets for cyber osquery





Osquery is a powerful tool that allows you to investigate and monitor a myriad of endpoint activity, status, and configuration information through a unified SQL interface.

#Tables and their generator functions

Inside osquery, there's typically a 1:1 correspondence between a source of information and the SQL table you can use to browse or search this information. Some sources of information include parts of the /proc file system, API calls to container daemons, reading logs or status files on disk, and event streams coming from the Linux audit framework. Between these information sources and the SQL table is a generator function, written in C++, that handles the reading and parsing of the information and populating the table.

Adding a new source of information, such as supporting a new kind of application configuration, would traditionally require defining a new SQL table schema and writing the C++ code to populate it. If you're thinking that sounds like a lot of work, especially just to read a new configuration file, you're not alone. That's where Augeas fits into the pipeline.

#How Augeas works

Augeas is a remarkably generic tool that allows you to read and modify any configuration file through a unified hierarchical key/value data model. It does this by providing a large number of "lenses" that explain how to convert a configuration file into the unified model and back. If you're familiar with them, it's somewhat of a hybrid between AWK and YACC/Bison, except it works bi-directionally. If there isn't already a lens defined for your application's configuration file, you can write one yourself, and optionally contribute it back to the Augeas project for the benefit of others.

Let's quickly look at how Augeas works through its stand-alone tool called, aptly, "augtool." Upon launching augtool, Augeas will load every config file it knows how to interpret with the lenses installed on your system. It presents them to you as a single virtual tree which you can ls or print (recursive ls) just like you would in a normal shell.

Let's say I'd like to see which package repositories my Ubuntu system will pull from when I run apt-get. Augeas has turned the parsed lines in the sources.list configuration file into a logical tree structure that you can explore just like a filesystem. I've stripped out the comment lines for clarity, but hopefully you get the idea.

#The augeas table in osquery

So how does Augeas fit into osquery? Osquery includes an augeas table that connects the Augeas API into the osquery SQL interface. On my Ubuntu 19.10 system, it includes 225 lenses, so you can imagine that it will provide a fairly comprehensive view of your system configuration. There are lenses for CUPS, GRUB, Apache HTTP Server, MongoDB Server, and many more.
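As an added example, not part of the original post and not osquery's own documentation, here are the queries a practitioner would type into osqueryi against the augeas table discussed above. The augeas table exposes four columns: node (the Augeas tree path, the same path augtool print shows), label (the last component of that path), value (the leaf value) and path (the configuration file the node was parsed from). The queries assume a Debian/Ubuntu host whose /etc/apt/sources.list is parsed by the Aptsources lens (which names the fields type, uri, distribution and component) and whose /etc/ssh/sshd_config is parsed by the Sshd lens; the "approved mirror" allowlist in the third query is a hypothetical placeholder for your own.

```sql
-- Added example: querying osquery's augeas table from osqueryi.
-- Assumes a Debian/Ubuntu host with /etc/apt/sources.list (Aptsources lens)
-- and /etc/ssh/sshd_config (Sshd lens). Column meanings:
--   node  = Augeas tree path, e.g. /files/etc/apt/sources.list/1/uri
--   label = last path component, e.g. uri
--   value = leaf value
--   path  = file the node came from

-- 1. The tree for sources.list, one row per node: the SQL view of what
--    `augtool print /files/etc/apt/sources.list` shows. Constraining `path`
--    with an equality match is what keeps osquery from loading every file
--    that every installed lens matches, so always include it.
SELECT node, label, value
FROM augeas
WHERE path = '/etc/apt/sources.list'
ORDER BY node;

-- 2. Just the repositories apt-get will pull from: the `uri` leaves.
SELECT value AS repository
FROM augeas
WHERE path = '/etc/apt/sources.list'
  AND label = 'uri';

-- 3. Inventory check: repositories that are not on the allowlist.
--    The two stock Ubuntu mirrors below are a hypothetical allowlist;
--    substitute your own. Any row returned is a repo somebody added.
SELECT node, value AS unexpected_repository
FROM augeas
WHERE path = '/etc/apt/sources.list'
  AND label = 'uri'
  AND value NOT LIKE '%://archive.ubuntu.com/%'
  AND value NOT LIKE '%://security.ubuntu.com/%';

-- 4. Security-relevant sshd options. sshd option names are case-insensitive
--    and Augeas keeps the file's spelling as the label, so compare lowercased.
--    Caveat: a row exists only for options that are explicitly set. No row
--    means sshd's compiled-in default applies, not that the setting is safe,
--    so treat an empty result as "unset", never as "pass".
SELECT label, value
FROM augeas
WHERE path = '/etc/ssh/sshd_config'
  AND lower(label) IN ('permitrootlogin',
                       'passwordauthentication',
                       'permitemptypasswords');

-- 5. Settings inside Match blocks override the global ones above for the
--    matched users/hosts, so list them too before judging the config.
SELECT node, value
FROM augeas
WHERE path = '/etc/ssh/sshd_config'
  AND node LIKE '/files/etc/ssh/sshd_config/Match%';
```

Query 3 and query 4 are the kind of statements that belong in a scheduled osquery pack: run on an interval, only rows that change between runs are logged, which turns a one-off configuration lookup into a detection for someone adding a package repository or weakening sshd.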





