In this post I am going to explore the tool OSquery. OSquery allows you to easily ask questions about your Linux, Windows, and macOS infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, OSquery gives you the ability to empower and inform a broad set of organizations within your company. It is a tool used by system administrators, incident responders, and the ol' mighty threat hunters. However, in this post I will not be covering how to use OSquery for threat hunting. I hope to utilize the tool in my environment and write a later post :).
Terms
- Node – A single machine
- Fleet – All the machines controlled and owned by an enterprise
- Queries – A query runs a set of tasks on a fleet of machines at a specified interval
- Distributed – An on-the-fly (ad hoc) query
- Packs – OSquery query packs are groups of queries to be added to the OSquery schedule
Install/Setup Doorman on CentOS 7 64-bit with Docker
Install/Setup NTPd on CentOS
- yum install ntp ntpdate ntp-doc -y
- systemctl enable ntpd
- systemctl start ntpd
- ntpdate pool.ntp.org || true
Install/Setup Postgres and Redis
Install/Setup Postgres database
- yum update -y && yum upgrade -y
- rpm -Uvh https://yum.postgresql.org/9.6/redhat/rhel-7-x86_64/pgdg-centos96-9.6-3.noarch.rpm
- yum install postgresql96-server postgresql96 -y
- MUST install Postgresql 9.4 or later
- /usr/pgsql-9.6/bin/postgresql96-setup initdb
sed -i -E 's#^(host\s+all\s+all\s+127\.0\.0\.1/32\s+)ident#\1md5#' /var/lib/pgsql/9.6/data/pg_hba.conf
- This switches local TCP connections from ident to password (md5) authentication so the doorman role can log in over 127.0.0.1
- systemctl enable postgresql-9.6.service
- systemctl start postgresql-9.6.service
- su - postgres
- psql
- CREATE ROLE doorman WITH LOGIN PASSWORD '<password>';
- The password can NOT contain '@' or '#' (it is embedded in the database URI later)
- CREATE DATABASE doorman;
- ALTER DATABASE doorman OWNER TO doorman;
- GRANT ALL PRIVILEGES ON DATABASE doorman TO doorman;
- \q
- exit
- psql -U doorman -h 127.0.0.1 -d doorman -W
- Test to make sure you can connect to Postgres as the doorman user
- useradd doorman
Install/Setup Redis
- yum install redis -y
- systemctl enable redis
- systemctl start redis
Install/Setup Doorman
- yum install python-pip python-devel libffi-devel gcc postgresql-devel npm -y
- For CentOS 7.3:
rpm -ivh https://kojipkgs.fedoraproject.org//packages/http-parser/2.7.1/3.el7/x86_64/http-parser-2.7.1-3.el7.x86_64.rpm && yum -y install nodejs
- pip install --upgrade pip
- cd /opt
- git clone https://github.com/mwielgoszewski/doorman.git
- cd doorman
- pip install virtualenv
- virtualenv env
- source env/bin/activate
- pip install -r requirements.txt
- chown doorman:doorman -R /opt/doorman
- vim doorman/settings.py
- scroll to 'class ProdConfig(Config):' and set:
SQLALCHEMY_DATABASE_URI = 'postgresql://doorman:<password>@127.0.0.1:5432/doorman'
DOORMAN_ENROLL_SECRET = ['<enroll-secret>']
BROKER_URL = 'redis://localhost:6379/0'
CELERY_RESULT_BACKEND = 'redis://localhost:6379/0'
- The enroll secret is what every node must present to enroll; the same value goes into osquery.key on each node
- mkdir /var/log/doorman
- chown doorman:doorman -R /var/log/doorman
- export DOORMAN_ENV=prod
- Set this variable in /etc/profile to be permanent
- su - doorman -c 'cd /opt/doorman; source env/bin/activate; DOORMAN_ENV=prod python manage.py db upgrade'
- DOORMAN_ENV is set explicitly here because 'su -' starts a fresh login shell that does not inherit the export above
- npm install bower -g
- bower install
- npm install -g less
Install/Setup Nginx + WSGI/Flask + OpenSSL
Install/Setup Nginx and OpenSSL
- yum install nginx -y
- mkdir /etc/nginx/ssl
- openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/private.key -out /etc/nginx/ssl/certificate.crt
- sed -i -e '38,87d' /etc/nginx/nginx.conf
cat > /etc/nginx/conf.d/osquery.conf << 'EOF'
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        include uwsgi_params;
        uwsgi_pass unix:/opt/doorman/doorman.sock;
    }
}
EOF
- The heredoc delimiter is quoted ('EOF') so the shell does not expand $host and $request_uri before nginx sees them
- TLSv1 and TLSv1.1 are deprecated; unless a legacy client needs them, restrict ssl_protocols to TLSv1.2
Install/Setup WSGI and Flask
- cd /opt/doorman
- pip install uwsgi flask
cat > doorman.ini << 'EOF'
[uwsgi]
master = true
processes = 5
home = env
wsgi-file = manage.py
callable = app
socket = doorman.sock
chmod-socket = 660
vacuum = true
die-on-term = true
smart-attach-daemon = /opt/doorman/celery.pid celery worker -A doorman.worker:celery --pidfile=/opt/doorman/celery.pid
env = DOORMAN_ENV=prod
EOF
cat > /etc/systemd/system/doorman.service << 'EOF'
[Unit]
Description=uWSGI instance to serve Doorman
After=network.target

[Service]
User=doorman
Group=nginx
WorkingDirectory=/opt/doorman
Environment='PATH=/opt/doorman/env/bin:/usr/bin'
ExecStart=/opt/doorman/env/bin/uwsgi --ini doorman.ini

[Install]
WantedBy=multi-user.target
EOF
- systemctl enable doorman
- systemctl start doorman
- systemctl enable nginx
- systemctl start nginx
- setsebool -P httpd_can_network_connect 1
Install/Setup FirewallD
- yum install firewalld -y
- systemctl start firewalld
- systemctl enable firewalld
- firewall-cmd --zone=public --permanent --add-service=http
- firewall-cmd --zone=public --permanent --add-service=https
- firewall-cmd --zone=public --permanent --add-service=ssh
- firewall-cmd --reload
Accessing Doorman
- Browse to 'https://<doorman-host>/manage'
Install/Setup OSQuery on CentOS 7 Server 64-bit
- yum update -y && yum upgrade -y
- yum install yum-utils -y
- curl https://s3.amazonaws.com/osquery-packages/rpm/RPM-GPG-KEY-osquery | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
- yum-config-manager --add-repo https://s3.amazonaws.com/osquery-packages/rpm/osquery-s3-rpm.repo
- yum-config-manager --enable osquery-s3-rpm
- yum install osquery -y
- Fetch the Doorman server's certificate so osquery can pin it with --tls_server_certs:
openssl s_client -showcerts -connect <doorman-host>:443 </dev/null | openssl x509 -outform PEM > /etc/osquery/certificate.crt
cat > /etc/osquery/osquery.flags << 'EOF'
--host_identifier=uuid
--config_plugin=tls
--config_tls_endpoint=/config
--config_tls_refresh=10
--config_tls_max_attempts=3
--enroll_tls_endpoint=/enroll
--enroll_secret_path=/etc/osquery/osquery.key
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/distributed/read
--distributed_tls_write_endpoint=/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/log
--logger_tls_period=5
--tls_hostname=<doorman-host>:443
--tls_server_certs=/etc/osquery/certificate.crt
--log_result_events=false
--pack_delimiter=/
--utc
--verbose
EOF
cat > /etc/osquery/osquery.key << 'EOF'
<enroll-secret>
EOF
- The key file holds one of the values listed in DOORMAN_ENROLL_SECRET in settings.py
- chmod 600 /etc/osquery/osquery.key
- The key enrolls any host that presents it, so keep it readable by root only
- systemctl enable osqueryd
- systemctl start osqueryd
- Browse to 'https://<doorman-host>:443/manage/nodes' to confirm the node was added
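The flags above wire osqueryd to five HTTP endpoints on the Doorman server (enroll, config, log, distributed read and distributed write), all protected by the enroll secret and the node key it yields. The following is an added example, not code from the post, Doorman or osquery: a self-contained simulation of that exchange with both sides in memory. The `TlsServer` class stands in for Doorman behind nginx and `Node` for osqueryd; the enroll secret, host identifiers, query rows and `platform_type` value are constructed. It shows the request and reply shapes of the TLS remote API, constant-time checking of the enroll secret on the server, and the `node_invalid` re-enrollment path a node takes when its key is revoked.

```python
"""Simulated osquery TLS enroll/config/distributed/log exchange (constructed example)."""
import hmac
import secrets

# Constructed enroll secret: stored on the node at --enroll_secret_path and
# listed on the server in DOORMAN_ENROLL_SECRET.
ENROLL_SECRET = "constructed-example-secret"

# Endpoint paths exactly as set by the --*_tls_endpoint flags above.
ENDPOINTS = {
    "enroll": "/enroll",
    "config": "/config",
    "log": "/log",
    "dist_read": "/distributed/read",
    "dist_write": "/distributed/write",
}


class TlsServer:
    """Server side: validates the enroll secret, issues and checks node_keys."""

    def __init__(self, enroll_secrets):
        self.enroll_secrets = list(enroll_secrets)
        self.nodes = {}      # node_key -> host_identifier
        self.logs = []       # (host_identifier, log_type, entries)
        self.pending = {}    # node_key -> {query_id: sql} waiting to be read
        self.results = {}    # (host_identifier, query_id) -> rows

    def _secret_ok(self, presented):
        # Constant-time comparison against every configured secret.
        return any(hmac.compare_digest(presented, s) for s in self.enroll_secrets)

    def handle(self, path, body):
        """Handle one POST to `path` with JSON-style dict `body`; return the reply dict."""
        if path == ENDPOINTS["enroll"]:
            if not self._secret_ok(body.get("enroll_secret", "")):
                return {"node_invalid": True}
            key = secrets.token_hex(16)
            self.nodes[key] = body["host_identifier"]
            return {"node_key": key, "node_invalid": False}
        host = self.nodes.get(body.get("node_key", ""))
        if host is None:
            # Unknown or revoked node_key: tell the client to re-enroll.
            return {"node_invalid": True}
        if path == ENDPOINTS["config"]:
            schedule = {"listening": {"query": "SELECT * FROM listening_ports;", "interval": 3600}}
            return {"schedule": schedule, "node_invalid": False}
        if path == ENDPOINTS["log"]:
            self.logs.append((host, body["log_type"], body["data"]))
            return {"node_invalid": False}
        if path == ENDPOINTS["dist_read"]:
            return {"queries": self.pending.pop(body["node_key"], {}), "node_invalid": False}
        if path == ENDPOINTS["dist_write"]:
            for qid, rows in body["queries"].items():
                self.results[(host, qid)] = rows
            return {"node_invalid": False}
        return {"node_invalid": True}


class Node:
    """Client side: enrolls once, then presents node_key; re-enrolls when told node_invalid."""

    def __init__(self, server, host_identifier, secret):
        self.server = server
        self.host_identifier = host_identifier   # --host_identifier=uuid
        self.secret = secret                     # read from --enroll_secret_path
        self.node_key = None
        self.enroll_attempts = 0

    def enroll(self):
        self.enroll_attempts += 1
        reply = self.server.handle(ENDPOINTS["enroll"], {
            "enroll_secret": self.secret,
            "host_identifier": self.host_identifier,
            "platform_type": "9",                                  # constructed value
            "host_details": {"system_info": {"hostname": "node-constructed"}},
        })
        self.node_key = None if reply.get("node_invalid") else reply.get("node_key")
        return self.node_key is not None

    def post(self, name, payload):
        """POST with node_key; on node_invalid re-enroll once and retry, as osqueryd does."""
        if self.node_key is None and not self.enroll():
            return None
        reply = self.server.handle(ENDPOINTS[name], {"node_key": self.node_key, **payload})
        if reply.get("node_invalid"):
            self.node_key = None
            if not self.enroll():
                return None
            reply = self.server.handle(ENDPOINTS[name], {"node_key": self.node_key, **payload})
        return reply


def run_exchange():
    """Walk a node through enroll, config, a distributed query, key revocation and a log upload."""
    server = TlsServer([ENROLL_SECRET])
    node = Node(server, "constructed-uuid-0001", ENROLL_SECRET)
    config = node.post("config", {})
    # Server queues an ad hoc query; the node reads it, "runs" it (rows constructed) and writes results.
    server.pending[node.node_key] = {"1": "SELECT uid, name FROM listening_ports l, processes p WHERE l.pid=p.pid;"}
    queries = node.post("dist_read", {})["queries"]
    rows = [{"uid": "0", "name": "sshd"}]
    node.post("dist_write", {"queries": {q: rows for q in queries}, "statuses": {q: 0 for q in queries}})
    # Server drops all node_keys; the next log upload triggers a transparent re-enroll.
    server.nodes.clear()
    log_reply = node.post("log", {"log_type": "result", "data": [{"name": "listening", "columns": {"port": "22"}}]})
    return {
        "schedule_queries": sorted(config["schedule"]),
        "distributed_results": server.results,
        "enroll_attempts": node.enroll_attempts,
        "log_accepted": log_reply is not None and not log_reply["node_invalid"],
        "wrong_secret_rejected": not Node(server, "constructed-uuid-0002", "wrong").enroll(),
    }


if __name__ == "__main__":
    for key, value in run_exchange().items():
        print(f"{key}: {value}")
```

Two points worth noticing from the run: a wrong enroll secret never yields a node key, and once the server forgets a node key the node re-enrolls on its next request instead of silently dropping results, which is why the enroll secret file on every node deserves the same care as a credential.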
Install/Setup OSQuery on Ubuntu 16.04 64-bit
- sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
- sudo add-apt-repository 'deb [arch=amd64] https://osquery-packages.s3.amazonaws.com/deb deb main'
- sudo apt-get update -y
- sudo apt-get install osquery -y
openssl s_client -showcerts -connect <doorman-host>:443 </dev/null | openssl x509 -outform PEM | sudo tee /etc/osquery/certificate.crt
cat << 'EOF' | sudo tee /etc/osquery/osquery.flags
--host_identifier=uuid
--config_plugin=tls
--config_tls_endpoint=/config
--config_tls_refresh=10
--config_tls_max_attempts=3
--enroll_tls_endpoint=/enroll
--enroll_secret_path=/etc/osquery/osquery.key
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/distributed/read
--distributed_tls_write_endpoint=/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/log
--logger_tls_period=5
--tls_hostname=<doorman-host>:443
--tls_server_certs=/etc/osquery/certificate.crt
--log_result_events=false
--pack_delimiter=/
--utc
--verbose
EOF
cat << 'EOF' | sudo tee /etc/osquery/osquery.key
<enroll-secret>
EOF
- sudo systemctl enable osqueryd
- sudo systemctl start osqueryd
Install/Setup OSQuery on Mac OSX
- brew update
- brew install osquery
openssl s_client -showcerts -connect <doorman-host>:443 </dev/null | openssl x509 -outform PEM | sudo tee /var/osquery/certificate.crt
- sudo rm -f /var/osquery/osquery.example.conf
cat << 'EOF' | sudo tee /var/osquery/osquery.flags
--host_identifier=uuid
--config_plugin=tls
--config_tls_endpoint=/config
--config_tls_refresh=10
--config_tls_max_attempts=3
--enroll_tls_endpoint=/enroll
--enroll_secret_path=/var/osquery/osquery.key
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/distributed/read
--distributed_tls_write_endpoint=/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/log
--logger_tls_period=5
--tls_hostname=<doorman-host>:443
--tls_server_certs=/var/osquery/certificate.crt
--log_result_events=false
--pack_delimiter=/
--utc
--verbose
EOF
cat << 'EOF' | sudo tee /var/osquery/osquery.key
<enroll-secret>
EOF
- sudo cp /var/osquery/com.facebook.osqueryd.plist /Library/LaunchDaemons/
- sudo launchctl load /Library/LaunchDaemons/com.facebook.osqueryd.plist
- sudo launchctl start /Library/LaunchDaemons/com.facebook.osqueryd.plist
Install/Setup OSQuery on Windows
Install/Setup Chocolatey, the package manager for Windows
- Open Powershell as an Administrator
- Set-ExecutionPolicy RemoteSigned
- Copy certificate.pem from Doorman server to Windows
- Copy and Paste:
iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
- Close Powershell and re-open as Administrator
choco install osquery --params='/InstallService'
- This will install OSquery as a Windows service
$config = @'
--host_identifier=uuid
--config_plugin=tls
--config_tls_endpoint=/config
--config_tls_refresh=10
--config_tls_max_attempts=3
--enroll_tls_endpoint=/enroll
--enroll_secret_path=C:\ProgramData\osquery\osquery.key
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/distributed/read
--distributed_tls_write_endpoint=/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/log
--logger_tls_period=5
--tls_hostname=<doorman-host>:443
--tls_server_certs=C:\ProgramData\osquery\certificate.crt
--log_result_events=false
--pack_delimiter=/
--utc
--verbose
'@
- $config | Out-File -FilePath C:\ProgramData\osquery\osquery.flags -Encoding ascii
- A single-quoted here-string keeps one flag per line literally; -Encoding ascii avoids the UTF-16 file Out-File writes by default, which osquery does not parse
- The flags above expect the enroll secret in C:\ProgramData\osquery\osquery.key, as on the other platforms
- Start-Service osqueryd
- Get-Service | Where-Object {$_.name -eq 'osqueryd'}
Setup LDAP/local user authentication
Local authentication
- cd /opt/doorman
- vim doorman/settings.py
- Add
DOORMAN_AUTH_METHOD = 'doorman'
to the 'class ProdConfig(Config):' section - save, exit
- systemctl restart doorman
- python manage.py adduser --email <email> test
- Enter password for user
- Browse to 'http://<doorman-host>/manage'
- Enter login credentials from above and select 'Login'
LDAP authentication
- cd /opt/doorman
- vim doorman/settings.py
- Add
DOORMAN_AUTH_METHOD = 'ldap'
to the 'class ProdConfig(Config):' section. Then scroll up to the LDAP section and set your settings. The settings below are a basic setup for FreeIPA:
LDAP_HOST = '<ldap-host>'
LDAP_PORT = 636
LDAP_USE_SSL = True
LDAP_BASE_DN = 'cn=users,cn=accounts,dc=<domain>,dc=<tld>'
- save, exit
- systemctl restart doorman
- Browse to 'http://<doorman-host>/manage'
- Enter LDAP credentials and select 'Login'
Add OSQuery packs
Setup new pack
- Browse to 'https://github.com/facebook/osquery/tree/master/packs'
- For our example we will install the 'hardware-monitoring.conf' pack
- Download the hardware-monitoring.conf
- Login into Doorman and select 'Packs' at the top
- Select 'Choose file' and select the pack on disk
- Select 'Update Query Pack'
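A pack is a JSON object whose `queries` member maps query names to `query`/`interval`/`platform` entries, and once scheduled osquery names each one `pack/<pack>/<query>` because of the `--pack_delimiter=/` flag set above. The following added example (not code from the post, Doorman or osquery) parses a pack in that layout and checks it before upload. `SAMPLE_PACK` is constructed and is not the real hardware-monitoring.conf; the `KNOWN_PLATFORMS` set and the per-hour load estimate are this example's own choices.

```python
"""Parse and sanity-check an osquery query pack before uploading it to Doorman (constructed example)."""
import json

# Constructed pack in the osquery pack JSON layout; not the real hardware-monitoring.conf.
SAMPLE_PACK = """
{
  "platform": "linux",
  "version": "1.4.5",
  "queries": {
    "kernel_modules": {
      "query": "select name, size, status from kernel_modules;",
      "interval": 3600,
      "description": "Loaded kernel modules"
    },
    "usb_devices": {
      "query": "select * from usb_devices;",
      "interval": "600",
      "platform": "linux,darwin"
    },
    "broken": {
      "query": "select 1;",
      "interval": 0
    }
  }
}
"""

# Platform selectors accepted in pack and query entries (this example's own list).
KNOWN_PLATFORMS = {"all", "any", "posix", "linux", "darwin", "windows", "freebsd"}


def load_pack(text):
    """Parse the pack JSON; raise ValueError with a short message if it is not a pack."""
    pack = json.loads(text)
    if not isinstance(pack, dict) or not isinstance(pack.get("queries"), dict):
        raise ValueError("pack must be a JSON object with a 'queries' object")
    return pack


def validate_pack(pack, pack_name, delimiter="/"):
    """Return (schedule, errors).

    schedule: (scheduled name, interval seconds) for every valid query, named the way
              osquery logs them with --pack_delimiter=/ (pack/<pack>/<query>).
    errors:   one message per query that would be rejected or would never run.
    """
    schedule, errors = [], []
    for qname, spec in pack["queries"].items():
        if not isinstance(spec, dict) or not isinstance(spec.get("query"), str) or not spec["query"].strip():
            errors.append(f"{qname}: missing or empty 'query'")
            continue
        try:
            interval = int(spec.get("interval", 0))   # packs carry numbers or numeric strings
        except (TypeError, ValueError):
            interval = 0
        if interval <= 0:
            errors.append(f"{qname}: 'interval' must be a positive number of seconds")
            continue
        platforms = set(str(spec.get("platform", pack.get("platform", "all"))).split(","))
        unknown = platforms - KNOWN_PLATFORMS
        if unknown:
            errors.append(f"{qname}: unknown platform(s) {sorted(unknown)}")
            continue
        if delimiter in qname or delimiter in pack_name:
            errors.append(f"{qname}: names must not contain the pack delimiter {delimiter!r}")
            continue
        schedule.append((f"pack{delimiter}{pack_name}{delimiter}{qname}", interval))
    return schedule, errors


def executions_per_hour(schedule):
    """Rough per-node load the pack adds: scheduled query runs per hour."""
    return sum(3600 / interval for _, interval in schedule)


def check_sample():
    """Validate SAMPLE_PACK under the pack name used in the steps above."""
    return validate_pack(load_pack(SAMPLE_PACK), "hardware-monitoring")


if __name__ == "__main__":
    schedule, errors = check_sample()
    for name, interval in schedule:
        print(f"{name}: every {interval}s")
    for err in errors:
        print("error:", err)
    print("runs per hour per node:", executions_per_hour(schedule))
```

Running the check before uploading catches a zero or missing interval (the query is accepted by the UI but never fires) and gives the scheduled names you will later see in the result logs, which is useful when writing alerts against them.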
Distributed scans
- Login into Doorman and select 'Add' then 'Distributed'
- Enter
SELECT uid, name FROM listening_ports l, processes p WHERE l.pid=p.pid;
into 'Query'. For more information about the available tables and queries, see the osquery table schema documentation
- Select specific nodes in the node section
- Select specific tags to scan a set of nodes with a particular tag
- If you select nothing from above it will scan everything
- Select 'Add distributed query'
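osquery exposes its tables through SQLite, so the distributed query above can be exercised offline with Python's sqlite3 on hand-built tables that carry the columns it touches (`listening_ports`: pid, port, protocol, address; `processes`: pid, name, path, uid). The following is an added example, not code from the post or osquery; every row is constructed. Beyond the page's query it shows a more useful variant for triage that keeps the port and binary path, excludes loopback-only listeners, and uses a LEFT JOIN so a socket whose owning process has already exited (a real edge case when the two tables are read at different moments) still appears rather than silently vanishing.

```python
"""Run the page's listening-ports query, and a triage variant, on constructed osquery-shaped tables."""
import sqlite3

PAGE_QUERY = "SELECT uid, name FROM listening_ports l, processes p WHERE l.pid=p.pid;"

# Adds port, path and address, keeps sockets whose process row is gone (LEFT JOIN),
# and drops loopback-only listeners, which is what a first-pass triage usually wants.
EXPOSED_QUERY = """
SELECT p.uid, p.name, p.path, l.port, l.address
FROM listening_ports l
LEFT JOIN processes p ON l.pid = p.pid
WHERE l.address NOT IN ('127.0.0.1', '::1')
ORDER BY l.port;
"""

# Constructed rows; column subsets of osquery's processes and listening_ports tables.
PROCESSES = [  # (pid, name, path, uid)
    (1, "systemd", "/usr/lib/systemd/systemd", 0),
    (812, "sshd", "/usr/sbin/sshd", 0),
    (1534, "python3", "/usr/bin/python3", 1000),
    (2210, "nginx", "/usr/sbin/nginx", 990),
]
LISTENING_PORTS = [  # (pid, port, protocol, address); pid 3999 has no process row
    (812, 22, 6, "0.0.0.0"),
    (1534, 8000, 6, "127.0.0.1"),
    (2210, 443, 6, "0.0.0.0"),
    (2210, 80, 6, "0.0.0.0"),
    (3999, 5555, 6, "0.0.0.0"),
]


def build_db():
    """In-memory SQLite database with the two tables filled from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, uid INTEGER)")
    conn.execute("CREATE TABLE listening_ports (pid INTEGER, port INTEGER, protocol INTEGER, address TEXT)")
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?, ?)", PROCESSES)
    conn.executemany("INSERT INTO listening_ports VALUES (?, ?, ?, ?)", LISTENING_PORTS)
    return conn


def run(sql, conn=None):
    """Execute one query and return all rows as tuples."""
    conn = conn or build_db()
    return conn.execute(sql).fetchall()


def page_query_rows():
    """Rows the page's query returns: one (uid, name) per listening socket with a process."""
    return run(PAGE_QUERY)


def exposed_listeners():
    """Rows of the triage variant, ordered by port; the orphaned socket shows up with NULL process columns."""
    return run(EXPOSED_QUERY)


if __name__ == "__main__":
    print("page query:", page_query_rows())
    for row in exposed_listeners():
        print(row)
```

Note that the page's inner join drops the socket owned by pid 3999 entirely; in a fleet-wide sweep that is exactly the row worth a second look, which is why the triage variant uses a LEFT JOIN.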
Interval scans
- Select 'Add' then 'Query'
- Enter 'Get all listening ports' for name
- Enter 'select * from listening_ports'
- Enter '3600' for interval
- The interval is in seconds
- Select 'All' for platforms
- You could also select a pack to run, but for this scan we will not
- Select specific tags to scan a set of nodes with a particular tag
- Select 'Add query'