Skill

deploying-osquery-for-endpoint-monitoring

Deploys and configures osquery for SQL-based endpoint monitoring of processes, open ports, installed software, and system configs on Windows, macOS, Linux. For fleet visibility, threat hunting, and compliance.

Bash

Linux

security

monitoring

npx claudepluginhub killvxk/cybersecurity-skills-zh

Tool Access

This skill uses the workspace's default tool permissions.

Preview

在以下情况下使用本技能：

Supporting Assets

LICENSEassets/template.mdreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.pyscripts/process.py

SKILL.md

Similar Skills

deploying-osquery-for-endpoint-monitoring

5.9k

Deploys and configures osquery across Linux, Windows, macOS for SQL-based endpoint monitoring of processes, ports, software, and config. For threat hunting, fleet visibility, compliance checks.

7 files

cybersecurity-skills

deploying-osquery-for-endpoint-monitoring

Deploys and configures osquery across Linux, Windows, macOS for SQL-based endpoint monitoring of processes, ports, software, and system config. For threat hunting, fleet visibility, compliance.

asi

implementing-osquery-for-endpoint-monitoring

Deploys osquery scheduled queries for endpoint monitoring of processes, network connections, file integrity, and persistence mechanisms. Generates osquery.conf, configures logging, analyzes results for suspicious processes, unauthorized ports, and file changes.

3 files

cybersecurity-skills-zh

Stats

Stars10

Forks1

Last CommitMar 17, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

部署 osquery 进行端点监控

使用场景

在以下情况下使用本技能：

在 Windows、macOS 和 Linux 端点上部署 osquery 以实现全部署范围的可见性
使用 osquery 的 SQL 接口构建威胁狩猎查询
监控端点合规性（已安装软件、开放端口、运行服务）
将 osquery 数据与 SIEM 或 Kolide/Fleet 集成以进行集中管理

不适用于实时告警（osquery 是周期性/按需查询；实时检测请使用 EDR）。

前置条件

适用于目标操作系统的 osquery 包（https://osquery.io/downloads）
用于企业部署的 Fleet 管理服务器（Kolide Fleet 或 FleetDM）
用于代理到服务器安全通信的 TLS 证书
用于 osquery 结果日志的日志聚合管道（Filebeat、Fluentd）

操作流程

步骤 1：安装 osquery

# Ubuntu/Debian
export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys $OSQUERY_KEY
add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
apt-get update && apt-get install osquery -y

# Windows（MSI）
# 从 https://osquery.io/downloads/official 下载
msiexec /i osquery-5.12.1.msi /quiet

# macOS
brew install osquery

步骤 2：配置 osquery

// /etc/osquery/osquery.conf（Linux/macOS）或 C:\ProgramData\osquery\osquery.conf
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "disable_logging": "false",
    "schedule_splay_percent": "10",
    "events_expiry": "3600",
    "verbose": "false",
    "worker_threads": "2",
    "enable_monitor": "true",
    "disable_events": "false",
    "disable_audit": "false",
    "audit_allow_config": "true",
    "host_identifier": "hostname",
    "enable_syslog": "true"
  },
  "schedule": {
    "process_monitor": {
      "query": "SELECT pid, name, path, cmdline, uid, parent FROM processes WHERE on_disk = 0;",
      "interval": 300,
      "description": "检测无磁盘二进制文件运行的进程（无文件恶意软件）"
    },
    "listening_ports": {
      "query": "SELECT DISTINCT p.name, p.path, lp.port, lp.protocol, lp.address FROM listening_ports lp JOIN processes p ON lp.pid = p.pid WHERE lp.port != 0;",
      "interval": 600,
      "description": "监控监听的网络端口"
    },
    "persistence_check": {
      "query": "SELECT name, path, source FROM startup_items;",
      "interval": 3600,
      "description": "监控持久化机制"
    },
    "installed_packages": {
      "query": "SELECT name, version, source FROM deb_packages;",
      "interval": 86400,
      "description": "每日软件清单"
    },
    "users_and_groups": {
      "query": "SELECT u.username, u.uid, u.gid, u.shell, u.directory FROM users u WHERE u.uid >= 1000;",
      "interval": 3600
    },
    "crontab_monitor": {
      "query": "SELECT * FROM crontab;",
      "interval": 3600,
      "description": "监控计划任务"
    },
    "suid_binaries": {
      "query": "SELECT path, username, permissions FROM suid_bin;",
      "interval": 86400,
      "description": "检测 SUID 二进制文件"
    }
  },
  "packs": {
    "incident-response": "/usr/share/osquery/packs/incident-response.conf",
    "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf",
    "vuln-management": "/usr/share/osquery/packs/vuln-management.conf"
  }
}

步骤 3：威胁狩猎查询

-- 检测无磁盘二进制文件运行的进程（潜在的无文件恶意软件）
SELECT pid, name, path, cmdline FROM processes WHERE on_disk = 0;

-- 查找与已知服务无关的监听端口
SELECT lp.port, lp.protocol, p.name, p.path
FROM listening_ports lp JOIN processes p ON lp.pid = p.pid
WHERE lp.port NOT IN (22, 80, 443, 3306, 5432);

-- 检测未经授权的 SSH 密钥
SELECT * FROM authorized_keys WHERE NOT key LIKE '%admin-team%';

-- 查找最近修改的系统二进制文件
SELECT path, mtime, size FROM file
WHERE path LIKE '/usr/bin/%' AND mtime > (strftime('%s', 'now') - 86400);

-- 检测连接到外部 IP 的进程
SELECT DISTINCT p.name, p.path, pn.remote_address, pn.remote_port
FROM process_open_sockets pn JOIN processes p ON pn.pid = p.pid
WHERE pn.remote_address NOT LIKE '10.%'
  AND pn.remote_address NOT LIKE '172.16.%'
  AND pn.remote_address NOT LIKE '192.168.%'
  AND pn.remote_address != '127.0.0.1'
  AND pn.remote_address != '0.0.0.0';

-- Windows：检测运行中的未签名可执行文件
SELECT p.name, p.path, a.result AS signature_status
FROM processes p JOIN authenticode a ON p.path = a.path
WHERE a.result != 'trusted';

步骤 4：部署 FleetDM 进行集中管理

# FleetDM 提供集中化的 osquery 管理
# 部署 FleetDM 服务器，配置代理向其上报
# 代理使用 TLS 注册并从 Fleet 获取配置

# 代理连接 Fleet 的配置：
# --tls_hostname=fleet.corp.com
# --tls_server_certs=/etc/osquery/fleet.pem
# --enroll_secret_path=/etc/osquery/enroll_secret

关键概念

术语	定义
osquery	开源端点代理，将操作系统状态暴露为可查询的 SQL 数据表
Schedule（计划）	按定义间隔运行并记录结果的周期性查询
Pack（包）	为特定使用场景（IR、合规）分组的相关查询集合
FleetDM	开源 osquery 部署管理平台
差异结果	osquery 只记录查询执行之间的变更，减少数据量

工具与系统

osquery：https://osquery.io/ - 端点可见性代理
FleetDM：https://fleetdm.com/ - 集中化部署管理
Kolide：基于云的 osquery 管理，带 Slack 集成
osquery-go：用于 osquery 扩展的 Go 客户端库

常见误区

查询性能问题：包含大型表扫描的复杂查询会影响端点性能。使用 WHERE 子句并用 EXPLAIN 测试查询开销。
计划间隔太激进：每 60 秒运行繁重查询会导致 CPU 峰值。大多数查询使用 300-3600 秒间隔。
未使用差异模式：不使用差异日志记录时，osquery 每次间隔都会记录所有结果。差异模式只记录变更。
缺少事件数据表：某些 osquery 数据表需要启用事件框架（process_events、socket_events）。使用 --disable_events=false 启用。