Running osquery on CoreOS

Most things in CoreOS Container Linux can be run in containers, except when it doesn’t make sense. Here’s how I got osquery up and running.

osquery is an operating system instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD. The tools make low-level operating system analytics and monitoring both performant and intuitive.

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.

Since osquery is published to a yum repository, we can use Toolbox, which by default runs the stock Fedora Docker container, to install the RPM package. Toolbox mounts the host's root filesystem at /media/root, so it's then possible to copy the binaries and other artifacts out of the container and into the host.

Note: In the below snippets, the $ refers to input in the CoreOS host, and the # refers to input in the Toolbox container.

[code language="text" gutter="false"]
$ toolbox
# dnf install -y 'dnf-command(config-manager)'
# curl -L https://pkg.osquery.io/rpm/GPG | tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
# dnf config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
# yum install -y osquery
# mkdir -p /tmp/osquery/{bin,share}
# cp /usr/bin/osquery* /tmp/osquery/bin/
# cp -R /usr/share/osquery/* /tmp/osquery/share/
# mv /tmp/osquery /media/root/tmp/
# exit

$ sudo mkdir -p /opt/bin /etc/osquery /var/osquery /var/log/osquery
$ sudo cp /tmp/osquery/bin/* /opt/bin/
$ sudo cp -R /tmp/osquery/share/* /var/osquery/
$ sudo cp /var/osquery/osquery.example.conf /etc/osquery/osquery.conf
[/code]

That’s it! At this point you can jump into osqueryi, the osquery interactive query console/shell.

[code language="text" gutter="false"]
$ osqueryi
Using a virtual database. Need help, type '.help'
osquery> select * from users where username = 'core';
+-----+-----+------------+------------+----------+--------------+------------+-----------+------+
| uid | gid | uid_signed | gid_signed | username | description  | directory  | shell     | uuid |
+-----+-----+------------+------------+----------+--------------+------------+-----------+------+
| 500 | 500 | 500        | 500        | core     | CoreOS Admin | /home/core | /bin/bash |      |
+-----+-----+------------+------------+----------+--------------+------------+-----------+------+
[/code]

If you want to set up osqueryd, the host monitoring daemon that lets you schedule queries and record OS state changes over time, just create and enable the following systemd service:

[code language="text" gutter="false"]
$ sudo tee /etc/systemd/system/osqueryd.service << 'EOF' > /dev/null
[Unit]
Description=The osquery Daemon
After=network.service syslog.service

[Service]
TimeoutStartSec=0
Environment=FLAG_FILE=/etc/osquery/osquery.flags
Environment=CONFIG_FILE=/etc/osquery/osquery.conf
Environment=LOCAL_PIDFILE=/var/osquery/osqueryd.pidfile
Environment=PIDFILE=/var/run/osqueryd.pidfile
ExecStartPre=/bin/sh -c "if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi"
ExecStartPre=/bin/sh -c "if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi"
ExecStart=/opt/bin/osqueryd \
  --flagfile $FLAG_FILE \
  --config_path $CONFIG_FILE
Restart=on-failure
KillMode=process
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target
EOF

$ sudo systemctl enable osqueryd
Created symlink /etc/systemd/system/multi-user.target.wants/osqueryd.service → /etc/systemd/system/osqueryd.service.
[/code]
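As an added example (not from the original post), here is a small Python consumer for the state changes osqueryd records once a query is scheduled: it takes a schedule entry for the same users table queried above and reads osqueryd's differential results log (one JSON object per line, written under the /var/log/osquery directory created earlier), reporting only real changes and ignoring the first run, which lists every pre-existing row as "added". The query name, host identifier and log lines are constructed for the example.

```python
"""Surface user-account changes from osqueryd's differential results log."""
import json
from typing import Iterable, List, Tuple

# Schedule entry for /etc/osquery/osquery.conf (constructed example; merge it
# into the copied osquery.example.conf). Runs every 60 seconds.
SCHEDULE = {
    "schedule": {
        "local_users": {
            "query": "SELECT uid, gid, username, directory, shell FROM users;",
            "interval": 60,
        }
    }
}

# Constructed sample of /var/log/osquery/osqueryd.results.log. The first run
# (counter 0) dumps every existing row as "added"; later runs emit diffs only.
SAMPLE_LOG = """\
{"name":"local_users","hostIdentifier":"coreos-1","calendarTime":"Mon Jan  1 00:00:00 2018 UTC","unixTime":1514764800,"epoch":0,"counter":0,"columns":{"uid":"500","gid":"500","username":"core","directory":"/home/core","shell":"/bin/bash"},"action":"added"}
{"name":"local_users","hostIdentifier":"coreos-1","calendarTime":"Mon Jan  1 00:01:00 2018 UTC","unixTime":1514764860,"epoch":0,"counter":1,"columns":{"uid":"1001","gid":"1001","username":"ops","directory":"/home/ops","shell":"/bin/bash"},"action":"added"}
{"name":"other_query","hostIdentifier":"coreos-1","calendarTime":"Mon Jan  1 00:01:00 2018 UTC","unixTime":1514764860,"epoch":0,"counter":1,"columns":{"pid":"1"},"action":"added"}
this line is truncated garbage and must not crash the consumer
{"name":"local_users","hostIdentifier":"coreos-1","calendarTime":"Mon Jan  1 00:02:00 2018 UTC","unixTime":1514764920,"epoch":0,"counter":2,"columns":{"uid":"500","gid":"500","username":"core","directory":"/home/core","shell":"/bin/bash"},"action":"removed"}
"""


def user_changes(lines: Iterable[str], query_name: str = "local_users") -> List[Tuple[str, str, str]]:
    """Return (action, username, shell) for each real change to the scheduled query.

    Skips other queries, malformed lines, and the baseline run (counter 0),
    whose "added" rows describe the starting state rather than a change.
    """
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partial write or unrelated text: skip, don't abort
        if rec.get("name") != query_name or rec.get("counter", 0) == 0:
            continue
        cols = rec.get("columns", {})
        events.append((rec.get("action", "?"), cols.get("username", "?"), cols.get("shell", "?")))
    return events


if __name__ == "__main__":
    print(json.dumps(SCHEDULE, indent=2))
    for action, user, shell in user_changes(SAMPLE_LOG.splitlines()):
        print(f"user {action}: {user} (shell {shell})")
```

On a live host, point the loop at `/var/log/osquery/osqueryd.results.log` instead of the embedded sample; the "removed" event for `core` is the kind of change worth alerting on.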

What are your thoughts on tools like osquery running on CoreOS Container Linux?