OSQuery: Explore Your Operating System with SQL

If the title sounds like a confusing hoax, that’s understandable – but it’s very, very real. In an announcement on October 30th, Facebook released OSQuery – a new way to inspect the current state of your OS X or Linux operating system by writing SQL queries.

At first, this might sound weird and your gut reaction might be a resonating “Why?!”, but upon further inspection, useful aspects become obvious. Let’s see how. In this post, I’ll tell you why it might be useful for you, show you how to install it, and guide you through doing some example queries on a prepared Vagrant box you can use if you’re not currently running OS X or Linux.

What is it?

I won’t regurgitate their announcement post – for implementation details see there. In a nutshell, OSQuery pretends to be a relational database and contains some “tables” (tables in quotes because they don’t actually exist as tables you’re used to in, for example, MySQL) which expose the OS data in a manner that makes it queryable by SQL statements (yes, including joins and the whole lot!).

If you ever ran into a situation where you couldn’t run Apache because a port was already taken and you had to go and grep the process list, only to find out a dead instance of Skype is hogging port 80, you’ll know to appreciate the simplicity of OSQuery.

OSQuery works on CentOS, Ubuntu, and OS X, thus supporting your production servers, your development playbox, and the operating systems of any other machine you have access to, like your children’s or your employees’ – allowing you to use it to monitor the OS status of your entire ecosystem. It’s fully open source, and there’s even a guide on creating your own tables, in case some are missing and you need them. The team is adding new tables regularly, so even if you don’t feel like contributing but still want to use some missing ones, there’s a high chance they’ll pop up if you give it some time.

The software is installed via (currently) self-built packages for all supported operating systems, and comes with osqueryi – an interactive console for playing around with the queries – and osqueryd – a daemon you can schedule to run regularly and aggregate data across monitored machines, for example. The documentation is very good, so conquering every aspect of OSQuery is as simple as dedicating an afternoon to it.

Installing and Using OSQuery

OSQuery provides a default Vagrant configuration for you to use for building the package which you’ll eventually distribute across all other machines you’d like it installed on. If you’re not familiar with Vagrant, and you really should be, see our posts on the topic here.

The installation process is somewhat convoluted if you’ve never used VMs, so let’s break it down. Let’s imagine we have an Ubuntu 14.04 machine onto which we’d like to install OSQuery. Typically, you install software via a package manager such as Aptitude by issuing a command like apt-get install. However, since OSQuery is not in the official repos for these types of distributions yet, we’ll need to build the package manually, and then install it from a local location (by copying a .deb file onto the target machine), rather than a remote repository as usual. This might sound more complicated than it really is, so let’s do the step by step dance.

1. Clone and Up the OSQuery Box

Make sure you have Git, Vagrant and Virtualbox installed on your main machine, and execute the following:

git clone https://github.com/facebook/osquery
cd osquery
vagrant up ubuntu14

If your copy of Vagrant has an Ubuntu14 image downloaded from before, you should be up and running in a minute tops. Otherwise, it’ll download the image which might take a while, and then create the virtual machine.

2. Build in the Virtual Environment

SSH into your VM with vagrant ssh. In our case, that’ll be

vagrant ssh ubuntu14

Once inside, execute:

sudo su
cd /vagrant
./tools/provision.sh

Note that if you’re on Windows, the famous symlink error will rear its ugly head again. Just re-run the provision script after it fails to complete, and it should work. This is a strange hiccup that warrants further investigation, and I’ll post back if I find any real workarounds or if the issue is fixed.

This will update the Ubuntu instance and download everything OSQuery needs to build itself. Then, we tell it to wrap itself into an installable package.

make
make package

You should then be able to see the package in /vagrant/build/linux/osquery-0.0.1-trusty.amd64.deb.

3. Installing OSQuery

To install this, we can use the default Debian Package Management System:

sudo dpkg -i osquery-0.0.1-trusty.amd64.deb

Installing it into any of your Ubuntu 14.04 machines is now as simple as copying the .deb file over, and running the above command. We can even install it into the very OS that built it.

If you need packages for other operating systems, the procedure is exactly the same with minimal alterations – just follow the instructions.

4. Using OSQuery

Let’s see if it works. Enter the interactive console by executing osqueryi. You should see something like this:

Let’s see a test query. Paste the following into the console and execute it:

SELECT * FROM users;

You should see something like this happen:

You can list all available tables by just executing .tables, all commands with .help and you can exit with .exit.

Malicious Actors Example

As per their announcement post, the query:

SELECT name, path, pid FROM processes WHERE on_disk = 0;

lists all processes whose launching binary no longer exists on disk. Running a process and then removing its executable is a common approach of malicious actors, and if your system isn’t compromised, the query shouldn’t return anything.

All Users with Groups Example

SELECT u.uid, u.gid, u.username, g.name, u.description FROM users u LEFT JOIN groups g ON (u.gid = g.gid);

The above query will output all the users of the OS with their IDs, their groups and group names, and their descriptions.

Find All Empty Groups

SELECT groups.gid, groups.name FROM groups LEFT JOIN users ON (groups.gid = users.gid) WHERE users.uid IS NULL;

This query finds all the user groups of the OS that are empty – that no user belongs to.

These are all very simple examples, but you can already see how interaction between tables can reveal interesting information quickly and efficiently.
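The three queries above, run against constructed sample rows in an in-memory SQLite database (osquery serves its virtual tables through SQLite’s query engine, so the SQL is the same). This is an added example, not code from the article or the osquery project; the rows, table definitions and helper functions are invented here:

```python
import sqlite3

# Constructed sample rows standing in for osquery's processes, users and groups
# tables. Column names follow the queries in the article; the data is invented.
# osquery runs its virtual tables on SQLite, so the article's SQL runs unchanged.
PROCESSES = [  # (pid, name, path, on_disk)
    (1, "init", "/sbin/init", 1),
    (812, "sshd", "/usr/sbin/sshd", 1),
    (4021, "sh", "/tmp/.x/payload", 0),  # executable deleted after launch
]
USERS = [  # (uid, gid, username, description)
    (0, 0, "root", "root"),
    (1000, 1000, "vagrant", ""),
    (1001, 1001, "deploy", "deployment user"),
    (1002, 5000, "orphan", "gid with no group row"),
]
GROUPS = [  # (gid, name)
    (0, "root"), (27, "sudo"), (1000, "vagrant"), (1001, "deploy"),
]

def build_db():
    """Load the constructed rows into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, on_disk INTEGER)")
    db.execute("CREATE TABLE users (uid INTEGER, gid INTEGER, username TEXT, description TEXT)")
    db.execute("CREATE TABLE groups (gid INTEGER, name TEXT)")
    db.executemany("INSERT INTO processes VALUES (?, ?, ?, ?)", PROCESSES)
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    db.executemany("INSERT INTO groups VALUES (?, ?)", GROUPS)
    return db

def processes_not_on_disk(db):
    """Processes whose launching binary is gone: empty on a clean host."""
    return db.execute("SELECT name, path, pid FROM processes WHERE on_disk = 0").fetchall()

def users_with_groups(db):
    """LEFT JOIN keeps users whose primary gid has no group row (g.name is NULL)."""
    return db.execute(
        "SELECT u.uid, u.gid, u.username, g.name, u.description "
        "FROM users u LEFT JOIN groups g ON (u.gid = g.gid)"
    ).fetchall()

def empty_groups(db):
    """Groups no user has as primary group: the unmatched side of the LEFT JOIN."""
    return db.execute(
        "SELECT groups.gid, groups.name FROM groups "
        "LEFT JOIN users ON (groups.gid = users.gid) WHERE users.uid IS NULL"
    ).fetchall()
```

The join only sees each user’s primary gid, so a group such as sudo shows up as empty here even when it has supplementary members; on a real host those memberships live in osquery’s user_groups table.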

Conclusion

OSQuery is Facebook’s latest open source wonder – a way to expose the system level data with a relational-database-like API that lets us query our OS as if it were a pile of relational data. While useful for monitoring a server or a cluster of servers, this definitely has other applications as well – from malware detection to zombie process kills, you name it.

Have you thought of any unique uses? Want to write about them? Get in touch!

Translated from: https://www.sitepoint.com/osquery-explore-os-sql/