osquery 在主机侧采用的仍是离线(可做到近实时)分析

安全监控规则在文件secrity.conf中,可自行修改,每条规则主要包含query、interval、removed三项。
query: 要执行的查询SQL语句
interval: 查询间隔,单位为秒
removed: 是否生成记录被移除(差异减少)的事件
如:
"users": {
  "query" : "select * from users;",
  "interval" : 3600,
  "removed": false
}

https://github.com/grayddq/HIDS/blob/master/osquery/secrity.conf

 

{
  "queries": {
	////////////////////////////////以下为5分钟循环执行一次//////////////////
	//process_open_sockets 在系统上打开网络套接字的进程差异变化,同时过滤掉内网、本机自身出现的socket变化;
	//注意下面的过滤条件 '172.16.%' 只覆盖 172.16.0.0/16,并未覆盖完整的 172.16.0.0/12 私网段(172.17~172.31 的内网连接仍会上报),需要时可补充相应条件
	//由于W机组的网络连接大于10W,会造成cpu 飙升到99%,故打算单独拎出来此条规则,通过写shell用ss -an来执行
	"process_open_sockets": {
      "query" : "select * from process_open_sockets where remote_address != '127.0.0.1' and remote_address != '' and remote_address != '::' and remote_address not like '10.%' and remote_address != '0.0.0.0' and remote_address not like '172.16.%' and remote_address not like '192.168.%';",
      "interval" : 300,
	  "removed": false
    },
	//processes 主机系统上的所有正在运行的进程差异变化,
	//同时过滤一下经常出现的进程
	"processes": {
      "query" : "select pid,name,path,cmdline,cwd,root,uid,gid,parent from processes where name != 'nginx' and name != 'php-fpm' and name not like 'zabbix%';",
	  "interval" : 300,
	  "removed": false
    },
	/////////////////////////////////以下为1小时循环执行一次//////////////////
	//listening_ports 侦听(绑定)网络套接字/端口差异变化,
	//已过滤掉IPV6通配地址 '::' 的侦听(绑定到具体IPv6地址的侦听仍会记录)
	"listening_ports": {
      "query" : "select * from listening_ports where address != '::';",
      "interval" : 3600,
	  "removed": false
    },
	//arp缓存差异变化
	"arp_cache": {
      "query" : "select * from arp_cache;",
      "interval" : 3600,
	  "removed": false
    },
	//authorized_keys公钥差异变化
	"authorized_keys": {
      "query" : "select * from authorized_keys;",
      "interval" : 3600,
	  "removed": false
    },
	//crontab定时任务差异变化
	"crontab": {
      "query" : "select * from crontab;",
      "interval" : 3600,
	  "removed": false
    },
	//DNS映射表差异变化
	"dns_resolvers": {
      "query" : "select * from dns_resolvers;",
      "interval" : 3600,
	  "removed": false
    },
	//etc_hosts信息差异变化
	"etc_hosts": {
      "query" : "select * from etc_hosts;",
      "interval" : 3600,
	  "removed": false
    },
	//etc_services 差异变化
	"etc_services": {
      "query" : "select * from etc_services;",
      "interval" : 3600,
	  "removed": false
    },
	//groups 本地系统组差异变化
	"groups": {
      "query" : "select * from groups;",
      "interval" : 3600,
	  "removed": false
    },
	//iptables 防火墙差异变化
	"iptables": {
      "query" : "select * from iptables;",
      "interval" : 3600,
	  "removed": false
    },
	//last 系统登录和登出差异变化;注意 host != '' 的过滤条件可能同时过滤掉host为空的本地tty/console登录记录
	"last": {
      "query" : "select * from last where host != '' and username != '';",
      "interval" : 3600,
	  "removed": true
    },
	//routes 主机系统的主动路由表差异变化,去掉ipv6
	"routes": {
      "query" : "select * from routes where destination not like '%:%';",
      "interval" : 3600,
	  "removed": false
    },
	//startup_items 应用程序和二进制文件设置为用户/登录启动项,差异变化
	"startup_items": {
      "query" : "select * from startup_items;",
      "interval" : 3600,
	  "removed": false
    },
	//sudoers 通过sudo作为其他用户运行命令的规则差异变化
	"sudoers": {
      "query" : "select * from sudoers;",
      "interval" : 3600,
	  "removed": false
    },
	//usb_devices 主动插入主机系统的USB设备差异变化
	"usb_devices": {
      "query" : "select * from usb_devices;",
      "interval" : 3600,
	  "removed": false
    },
	//user_groups 本地系统用户组关系差异变化
	"user_groups": {
      "query" : "select * from user_groups;",
      "interval" : 3600,
	  "removed": false
    },
	//users 用户差异变化
	"users": {
      "query" : "select * from users;",
      "interval" : 3600,
	  "removed": false
    }
  }
}

  
