
osquery install docker

https://osquery.io/docs/tables/

[oracle@centos7 ~]$ docker exec --interactive --tty --user root --workdir / orcl_12cr2 bash
bash-4.2# whoami
root
bash-4.2# yum -y install https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm
Loaded plugins: ovl
osquery-s3-centos7-repo-1-0.0.noarch.rpm                                                                                       | 5.7 kB  00:00:00     
Examining /var/tmp/yum-root-e42ejR/osquery-s3-centos7-repo-1-0.0.noarch.rpm: osquery-s3-centos7-repo-1-0.0.noarch
Marking /var/tmp/yum-root-e42ejR/osquery-s3-centos7-repo-1-0.0.noarch.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package osquery-s3-centos7-repo.noarch 0:1-0.0 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

======================================================================================================================================================
 Package                                  Arch                    Version                Repository                                              Size
======================================================================================================================================================
Installing:
 osquery-s3-centos7-repo                  noarch                  1-0.0                  /osquery-s3-centos7-repo-1-0.0.noarch                  3.2 k

Transaction Summary
======================================================================================================================================================
Install  1 Package

Total size: 3.2 k
Installed size: 3.2 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : osquery-s3-centos7-repo-1-0.0.noarch                                                                                               1/1 
  Verifying  : osquery-s3-centos7-repo-1-0.0.noarch                                                                                               1/1 

Installed:
  osquery-s3-centos7-repo.noarch 0:1-0.0                                                                                                              

Complete!
bash-4.2# yum -y install osquery
Loaded plugins: ovl
ol7_UEKR4                                                                                                                      | 1.2 kB  00:00:00     
ol7_latest                                                                                                                     | 1.4 kB  00:00:00     
osquery-s3-centos7-repo                                                                                                        |  951 B  00:00:00     
osquery-s3-centos7-repo/x86_64/primary                                                                                         | 6.7 kB  00:00:01     
osquery-s3-centos7-repo                                                                                                                         69/69
Resolving Dependencies
--> Running transaction check
---> Package osquery.x86_64 0:3.2.6-1.linux will be installed
--> Finished Dependency Resolution

Dependencies Resolved

======================================================================================================================================================
 Package                       Arch                         Version                               Repository                                     Size
======================================================================================================================================================
Installing:
 osquery                       x86_64                       3.2.6-1.linux                         osquery-s3-centos7-repo                       8.0 M

Transaction Summary
======================================================================================================================================================
Install  1 Package

Total download size: 8.0 M
Installed size: 23 M
Downloading packages:
warning: /var/cache/yum/x86_64/7Server/osquery-s3-centos7-repo/packages/osquery-3.2.6-1.linux.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID c9d8b80b: NOKEY
Public key for osquery-3.2.6-1.linux.x86_64.rpm is not installed
osquery-3.2.6-1.linux.x86_64.rpm                                                                                               | 8.0 MB  00:00:21     
Retrieving key from file:///etc/pki/rpm-gpg/OSQUERY-S3-RPM-REPO-GPGKEY
Importing GPG key 0xC9D8B80B:
 Userid     : "osquery (osquery) "
 Fingerprint: 1484 120a c4e9 f8a1 a577 aeee 97a8 0c63 c9d8 b80b
 Package    : osquery-s3-centos7-repo-1-0.0.noarch (installed)
 From       : /etc/pki/rpm-gpg/OSQUERY-S3-RPM-REPO-GPGKEY
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : osquery-3.2.6-1.linux.x86_64                                                                                                       1/1 
  Verifying  : osquery-3.2.6-1.linux.x86_64                                                                                                       1/1 

Installed:
  osquery.x86_64 0:3.2.6-1.linux                                                                                                                      

Complete!
bash-4.2# 

bash-4.2# osqueryi
Using a virtual database. Need help, type '.help'
osquery> .help
Welcome to the osquery shell. Please explore your OS!
You are connected to a transient 'in-memory' virtual database.

.all [TABLE]     Select all from a table
.bail ON|OFF     Stop after hitting an error
.echo ON|OFF     Turn command echo on or off
.exit            Exit this program
.features        List osquery's features and their statuses
.headers ON|OFF  Turn display of headers on or off
.help            Show this message
.mode MODE       Set output mode where MODE is one of:
                   csv      Comma-separated values
                   column   Left-aligned columns see .width
                   line     One value per line
                   list     Values delimited by .separator string
                   pretty   Pretty printed SQL results (default)
.nullvalue STR   Use STRING in place of NULL values
.print STR...    Print literal STRING
.quit            Exit this program
.schema [TABLE]  Show the CREATE statements
.separator STR   Change separator used by output mode
.socket          Show the osquery extensions socket path
.show            Show the current values for various settings
.summary         Alias for the show meta command
.tables [TABLE]  List names of tables
.width [NUM1]+   Set column widths for "column" mode
.timer ON|OFF      Turn the CPU timer measurement on or off
osquery> 

osquery> select name,version from os_version;
+---------------------------------+-----------------------------------------------------+
| name                            | version                                             |
+---------------------------------+-----------------------------------------------------+
| Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server release 7.6 (Maipo) |
+---------------------------------+-----------------------------------------------------+
osquery> 


osquery> select hostname, cpu_brand, hardware_vendor, hardware_model from system_info; 
+--------------+----------------------------------------+-----------------+----------------+
| hostname     | cpu_brand                              | hardware_vendor | hardware_model |
+--------------+----------------------------------------+-----------------+----------------+
| 609a69bc0b21 | Intel(R) Celeron(R) CPU B800 @ 1.50GHz |                 |                |
+--------------+----------------------------------------+-----------------+----------------+
osquery> 


osquery> select * from users;
+-------+-------+------------+------------+-----------------+----------------------------+------------------+----------------+------+
| uid   | gid   | uid_signed | gid_signed | username        | description                | directory        | shell          | uuid |
+-------+-------+------------+------------+-----------------+----------------------------+------------------+----------------+------+
| 0     | 0     | 0          | 0          | root            | root                       | /root            | /bin/bash      |      |
| 1     | 1     | 1          | 1          | bin             | bin                        | /bin             | /sbin/nologin  |      |
| 2     | 2     | 2          | 2          | daemon          | daemon                     | /sbin            | /sbin/nologin  |      |
| 3     | 4     | 3          | 4          | adm             | adm                        | /var/adm         | /sbin/nologin  |      |
| 4     | 7     | 4          | 7          | lp              | lp                         | /var/spool/lpd   | /sbin/nologin  |      |
| 5     | 0     | 5          | 0          | sync            | sync                       | /sbin            | /bin/sync      |      |
| 6     | 0     | 6          | 0          | shutdown        | shutdown                   | /sbin            | /sbin/shutdown |      |
| 7     | 0     | 7          | 0          | halt            | halt                       | /sbin            | /sbin/halt     |      |
| 8     | 12    | 8          | 12         | mail            | mail                       | /var/spool/mail  | /sbin/nologin  |      |
| 11    | 0     | 11         | 0          | operator        | operator                   | /root            | /sbin/nologin  |      |
| 12    | 100   | 12         | 100        | games           | games                      | /usr/games       | /sbin/nologin  |      |
| 14    | 50    | 14         | 50         | ftp             | FTP User                   | /var/ftp         | /sbin/nologin  |      |
| 99    | 99    | 99         | 99         | nobody          | Nobody                     | /                | /sbin/nologin  |      |
| 192   | 192   | 192        | 192        | systemd-network | systemd Network Management | /                | /sbin/nologin  |      |
| 81    | 81    | 81         | 81         | dbus            | System message bus         | /                | /sbin/nologin  |      |
| 32    | 32    | 32         | 32         | rpc             | Rpcbind Daemon             | /var/lib/rpcbind | /sbin/nologin  |      |
| 29    | 29    | 29         | 29         | rpcuser         | RPC Service User           | /var/lib/nfs     | /sbin/nologin  |      |
| 65534 | 65534 | 65534      | 65534      | nfsnobody       | Anonymous NFS User         | /var/lib/nfs     | /sbin/nologin  |      |
| 54321 | 54321 | 54321      | 54321      | oracle          |                            | /home/oracle     | /bin/bash      |      |
+-------+-------+------------+------------+-----------------+----------------------------+------------------+----------------+------+
osquery> 


osquery> select * from cpu_time; 
+------+---------+-------+---------+----------+--------+-----+---------+-------+-------+------------+
| core | user    | nice  | system  | idle     | iowait | irq | softirq | steal | guest | guest_nice |
+------+---------+-------+---------+----------+--------+-----+---------+-------+-------+------------+
| 0    | 1579161 | 10306 | 1155039 | 17294224 | 20470  | 0   | 8705    | 0     | 0     | 0          |
| 1    | 1628500 | 23079 | 1157443 | 52210    | 248    | 0   | 5020    | 0     | 0     | 0          |
+------+---------+-------+---------+----------+--------+-----+---------+-------+-------+------------+
osquery> 


osquery> select * from crontab;
+-------+--------+------+--------------+-------+-------------+---------------------------------+---------------------+
| event | minute | hour | day_of_month | month | day_of_week | command                         | path                |
+-------+--------+------+--------------+-------+-------------+---------------------------------+---------------------+
|       | 01     | *    | *            | *     | *           | root run-parts /etc/cron.hourly | /etc/cron.d/0hourly |
|       | */10   | *    | *            | *     | *           | root /usr/lib64/sa/sa1 1 1      | /etc/cron.d/sysstat |
|       | 53     | 23   | *            | *     | *           | root /usr/lib64/sa/sa2 -A       | /etc/cron.d/sysstat |
+-------+--------+------+--------------+-------+-------------+---------------------------------+---------------------+
osquery> 



osquery> select * from process_events;
W1226 11:58:28.851143 28937 virtual_table.cpp:565] Table process_events is event-based but events are disabled
W1226 11:58:28.851416 28937 virtual_table.cpp:572] Please see the table documentation: https://osquery.io/schema/#process_events
osquery> select * from routes;
+-----------------+---------+------------+------------+-------+-----------+-----+--------+-----------+
| destination     | netmask | gateway    | source     | flags | interface | mtu | metric | type      |
+-----------------+---------+------------+------------+-------+-----------+-----+--------+-----------+
| 0.0.0.0         | 0       | 172.17.0.1 |            | 0     | eth0      | 0   | 0      | gateway   |
| 172.17.0.0      | 16      |            | 172.17.0.2 | 0     | eth0      | 0   | 0      | gateway   |
| 127.0.0.0       | 0       |            | 127.0.0.1  | 0     | lo        | 0   | 0      | broadcast |
| 127.0.0.0       | 8       |            | 127.0.0.1  | 0     | lo        | 0   | 0      | local     |
| 127.0.0.1       | 0       |            | 127.0.0.1  | 0     | lo        | 0   | 0      | local     |
| 127.255.255.255 | 0       |            | 127.0.0.1  | 0     | lo        | 0   | 0      | broadcast |
| 172.17.0.0      | 0       |            | 172.17.0.2 | 0     | eth0      | 0   | 0      | broadcast |
| 172.17.0.2      | 0       |            | 172.17.0.2 | 0     | eth0      | 0   | 0      | local     |
| 172.17.255.255  | 0       |            | 172.17.0.2 | 0     | eth0      | 0   | 0      | broadcast |
| 0.0.0.0         | 0       |            |            | 0     | lo        | 0   | -1     | other     |
| 0.0.0.0         | 0       |            |            | 0     | lo        | 0   | -1     | other     |
+-----------------+---------+------------+------------+-------+-----------+-----+--------+-----------+
osquery> 
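The queries above are run interactively; in practice the output is collected with `osqueryi --json` and post-processed. As an added example (not part of the original post), the Python below parses the JSON form of the `users` table shown earlier and flags rows a defender would review: additional uid-0 accounts, duplicate uids, and accounts with an interactive login shell. It assumes `osqueryi` is on PATH only for the optional live run; the embedded sample is constructed from the post's own `users` output, and the interactive-shell list is an assumption.

```python
"""Audit osquery `users` rows taken from `osqueryi --json` output.

Added example, not from the original post. `osqueryi` is only needed for
the optional live run; the constructed sample below runs offline.
"""
import json
import shutil
import subprocess

USERS_QUERY = "select uid, gid, username, directory, shell from users;"

# Shells that give an interactive login (assumed list; extend as needed).
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/ksh",
                      "/usr/bin/bash", "/usr/bin/zsh"}

# Constructed sample: a subset of the rows in the post's `users` table, in
# the shape `osqueryi --json` emits (every value is a string).
SAMPLE_JSON = json.dumps([
    {"uid": "0", "gid": "0", "username": "root",
     "directory": "/root", "shell": "/bin/bash"},
    {"uid": "1", "gid": "1", "username": "bin",
     "directory": "/bin", "shell": "/sbin/nologin"},
    {"uid": "5", "gid": "0", "username": "sync",
     "directory": "/sbin", "shell": "/bin/sync"},
    {"uid": "99", "gid": "99", "username": "nobody",
     "directory": "/", "shell": "/sbin/nologin"},
    {"uid": "54321", "gid": "54321", "username": "oracle",
     "directory": "/home/oracle", "shell": "/bin/bash"},
])


def parse_users(json_text):
    """Decode osqueryi JSON and convert the numeric columns to int."""
    rows = json.loads(json_text)
    return [dict(r, uid=int(r["uid"]), gid=int(r["gid"])) for r in rows]


def audit_users(rows):
    """Return (finding, username) pairs in row order."""
    findings = []
    seen = {}  # uid -> first username seen with that uid
    for r in rows:
        if r["uid"] == 0 and r["username"] != "root":
            findings.append(("extra_uid0", r["username"]))
        if r["shell"] in INTERACTIVE_SHELLS:
            findings.append(("interactive_shell", r["username"]))
        if r["uid"] in seen:
            findings.append(("duplicate_uid",
                             f'{seen[r["uid"]]}/{r["username"]}'))
        seen.setdefault(r["uid"], r["username"])
    return findings


def run_live(query=USERS_QUERY):
    """Run the query through `osqueryi --json` if installed, else None."""
    exe = shutil.which("osqueryi")
    if exe is None:
        return None
    out = subprocess.run([exe, "--json", query], capture_output=True,
                         text=True, check=True)
    return parse_users(out.stdout)


if __name__ == "__main__":
    rows = run_live() or parse_users(SAMPLE_JSON)
    for kind, who in audit_users(rows):
        print(f"{kind}: {who}")
```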



osquery> select * from processes;
+-------+---------------+-------------------+---------------------------------------------------------------------+-------+-----+------+-------+-------+-------+-------+-------+-------+---------+------------+---------------+------------+-----------+-------------+-----------------+--------------------+------------+--------+--------+---------+------+------------------+---------------+---------------+---------------+---------------+----------------+---------------+
| pid   | name          | path              | cmdline                                                             | state | cwd | root | uid   | gid   | euid  | egid  | suid  | sgid  | on_disk | wired_size | resident_size | total_size | user_time | system_time | disk_bytes_read | disk_bytes_written | start_time | parent | pgroup | threads | nice | cgroup_namespace | ipc_namespace | mnt_namespace | net_namespace | pid_namespace | user_namespace | uts_namespace |
+-------+---------------+-------------------+---------------------------------------------------------------------+-------+-----+------+-------+-------+-------+-------+-------+-------+---------+------------+---------------+------------+-----------+-------------+-----------------+--------------------+------------+--------+--------+---------+------+------------------+---------------+---------------+---------------+---------------+----------------+---------------+
| 1     | runOracle.sh  |                   | /bin/bash /opt/oracle/runOracle.sh                                  | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 624000        | 11688000   | 26        | 179         |                 | 0                  | 23181      | 0      | 1      | 1       | 0    |                  |               |               |               |               |                |               |
| 2491  | ora_pmon_orcl |                   | ora_pmon_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 17108000      | 2007792000 | 563       | 1683        |                 | 0                  | 24198      | 1      | 2491   | 1       | 0    |                  |               |               |               |               |                |               |
| 2493  | ora_clmn_orcl |                   | ora_clmn_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 14272000      | 2007796000 | 229       | 547         |                 | 0                  | 24198      | 1      | 2493   | 1       | 0    |                  |               |               |               |               |                |               |
| 2495  | ora_psp0_orcl |                   | ora_psp0_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 14240000      | 2007792000 | 1071      | 5086        |                 | 0                  | 24198      | 1      | 2495   | 1       | 0    |                  |               |               |               |               |                |               |
| 2497  | ora_vktm_orcl |                   | ora_vktm_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 13708000      | 2007796000 | 2514      | 4127        |                 | 0                  | 24199      | 1      | 2497   | 1       | 0    |                  |               |               |               |               |                |               |
| 2501  | ora_gen0_orcl |                   | ora_gen0_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 47668000      | 2009652000 | 1551      | 1791        |                 | 0                  | 24200      | 1      | 2501   | 1       | 0    |                  |               |               |               |               |                |               |
| 2503  | ora_mman_orcl |                   | ora_mman_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 450452000     | 2007792000 | 394       | 519         |                 | 0                  | 24200      | 1      | 2503   | 1       | 0    |                  |               |               |               |               |                |               |
| 2507  | ora_scmn_orcl |                   | ora_gen1_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 31160000      | 2228732000 | 6520      | 5162        |                 | 0                  | 24200      | 1      | 2507   | 3       | 0    |                  |               |               |               |               |                |               |
| 2511  | ora_diag_orcl |                   | ora_diag_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 17800000      | 2007888000 | 997       | 720         |                 | 0                  | 24200      | 1      | 2511   | 1       | 0    |                  |               |               |               |               |                |               |
| 2513  | ora_scmn_orcl |                   | ora_ofsd_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 15924000      | 2228728000 | 304       | 444         |                 | 0                  | 24200      | 1      | 2513   | 3       | 0    |                  |               |               |               |               |                |               |
| 2517  | ora_dbrm_orcl |                   | ora_dbrm_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 152736000     | 2024748000 | 11850     | 11669       |                 | 0                  | 24200      | 1      | 2517   | 1       | 0    |                  |               |               |               |               |                |               |
| 2519  | ora_vkrm_orcl |                   | ora_vkrm_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 17064000      | 2007796000 | 3890      | 3349        |                 | 0                  | 24200      | 1      | 2519   | 1       | 0    |                  |               |               |               |               |                |               |
| 2521  | ora_svcb_orcl |                   | ora_svcb_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 13812000      | 2008304000 | 652       | 1036        |                 | 0                  | 24200      | 1      | 2521   | 1       | 0    |                  |               |               |               |               |                |               |
| 2523  | ora_pman_orcl |                   | ora_pman_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 14236000      | 2007796000 | 3417      | 1872        |                 | 0                  | 24200      | 1      | 2523   | 1       | 0    |                  |               |               |               |               |                |               |
| 2525  | ora_dia0_orcl |                   | ora_dia0_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 24396000      | 2010936000 | 22581     | 65          |                 | 0                  | 24200      | 1      | 2525   | 1       | 0    |                  |               |               |               |               |                |               |
| 2527  | ora_dbw0_orcl |                   | ora_dbw0_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 292272000     | 2019436000 | 1481      | 1061        |                 | 0                  | 24200      | 1      | 2527   | 1       | 0    |                  |               |               |               |               |                |               |
| 2529  | ora_lgwr_orcl |                   | ora_lgwr_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 23624000      | 2008316000 | 1322      | 2007        |                 | 0                  | 24200      | 1      | 2529   | 1       | 0    |                  |               |               |               |               |                |               |
| 2531  | ora_ckpt_orcl |                   | ora_ckpt_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 40204000      | 2008316000 | 3984      | 3215        |                 | 0                  | 24200      | 1      | 2531   | 1       | 0    |                  |               |               |               |               |                |               |
| 2533  | ora_lg00_orcl |                   | ora_lg00_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 21800000      | 2007800000 | 361       | 799         |                 | 0                  | 24200      | 1      | 2533   | 1       | 0    |                  |               |               |               |               |                |               |
| 2535  | ora_smon_orcl |                   | ora_smon_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 57756000      | 2010724000 | 701       | 71          |                 | 0                  | 24200      | 1      | 2535   | 1       | 0    |                  |               |               |               |               |                |               |
| 2537  | ora_lg01_orcl |                   | ora_lg01_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 18636000      | 2007800000 | 159       | 296         |                 | 0                  | 24201      | 1      | 2537   | 1       | 0    |                  |               |               |               |               |                |               |
| 2539  | ora_smco_orcl |                   | ora_smco_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 15388000      | 2007800000 | 1157      | 1071        |                 | 0                  | 24201      | 1      | 2539   | 1       | 0    |                  |               |               |               |               |                |               |
| 2541  | ora_reco_orcl |                   | ora_reco_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 35844000      | 2009624000 | 242       | 114         |                 | 0                  | 24201      | 1      | 2541   | 1       | 0    |                  |               |               |               |               |                |               |
| 25441 | ora_w002_orcl |                   | ora_w002_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 56816000      | 2010364000 | 21        | 12          |                 | 0                  | 197432     | 1      | 25441  | 1       | 0    |                  |               |               |               |               |                |               |
| 2545  | ora_lreg_orcl |                   | ora_lreg_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 23716000      | 2013516000 | 897       | 487         |                 | 0                  | 24201      | 1      | 2545   | 1       | 0    |                  |               |               |               |               |                |               |
| 2549  | ora_pxmn_orcl |                   | ora_pxmn_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 14572000      | 2007792000 | 249       | 457         |                 | 0                  | 24201      | 1      | 2549   | 1       | 0    |                  |               |               |               |               |                |               |
| 2553  | ora_mmon_orcl |                   | ora_mmon_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 183800000     | 2032004000 | 54770     | 5823        |                 | 0                  | 24201      | 1      | 2553   | 1       | 0    |                  |               |               |               |               |                |               |
| 2555  | ora_mmnl_orcl |                   | ora_mmnl_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 33552000      | 2008604000 | 6256      | 854         |                 | 0                  | 24201      | 1      | 2555   | 1       | 0    |                  |               |               |               |               |                |               |
| 2557  | ora_d000_orcl |                   | ora_d000_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 12636000      | 2010596000 | 216       | 207         |                 | 0                  | 24201      | 1      | 2557   | 1       | 0    |                  |               |               |               |               |                |               |
| 2559  | ora_s000_orcl |                   | ora_s000_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 12468000      | 2009892000 | 178       | 186         |                 | 0                  | 24201      | 1      | 2559   | 1       | 0    |                  |               |               |               |               |                |               |
| 2561  | ora_tmon_orcl |                   | ora_tmon_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 14528000      | 2007796000 | 127       | 314         |                 | 0                  | 24201      | 1      | 2561   | 1       | 0    |                  |               |               |               |               |                |               |
| 2571  | ora_tt00_orcl |                   | ora_tt00_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 22740000      | 2030972000 | 66        | 377         |                 | 0                  | 24206      | 1      | 2571   | 1       | 0    |                  |               |               |               |               |                |               |
| 2573  | ora_tt01_orcl |                   | ora_tt01_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 13748000      | 2007792000 | 131       | 204         |                 | 0                  | 24206      | 1      | 2573   | 1       | 0    |                  |               |               |               |               |                |               |
| 2575  | ora_tt02_orcl |                   | ora_tt02_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 14064000      | 2007792000 | 628       | 561         |                 | 0                  | 24206      | 1      | 2575   | 1       | 0    |                  |               |               |               |               |                |               |
| 2577  | ora_aqpc_orcl |                   | ora_aqpc_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 24408000      | 2009620000 | 147       | 247         |                 | 0                  | 24208      | 1      | 2577   | 1       | 0    |                  |               |               |               |               |                |               |
| 2581  | ora_p000_orcl |                   | ora_p000_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 320548000     | 2017456000 | 13959     | 1685        |                 | 0                  | 24210      | 1      | 2581   | 1       | 0    |                  |               |               |               |               |                |               |
| 2583  | ora_p001_orcl |                   | ora_p001_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 480856000     | 2017460000 | 13912     | 1773        |                 | 0                  | 24210      | 1      | 2583   | 1       | 0    |                  |               |               |               |               |                |               |
| 2585  | ora_p002_orcl |                   | ora_p002_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 236996000     | 2013472000 | 11400     | 2277        |                 | 0                  | 24210      | 1      | 2585   | 1       | 0    |                  |               |               |               |               |                |               |
| 2587  | ora_p003_orcl |                   | ora_p003_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 241076000     | 2012904000 | 10077     | 1944        |                 | 0                  | 24210      | 1      | 2587   | 1       | 0    |                  |               |               |               |               |                |               |
| 2589  | ora_p004_orcl |                   | ora_p004_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 87560000      | 2010716000 | 1681      | 363         |                 | 0                  | 24210      | 1      | 2589   | 1       | 0    |                  |               |               |               |               |                |               |
| 2591  | ora_p005_orcl |                   | ora_p005_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 109820000     | 2012892000 | 1721      | 357         |                 | 0                  | 24210      | 1      | 2591   | 1       | 0    |                  |               |               |               |               |                |               |
| 2593  | ora_p006_orcl |                   | ora_p006_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 96940000      | 2010680000 | 1791      | 302         |                 | 0                  | 24210      | 1      | 2593   | 1       | 0    |                  |               |               |               |               |                |               |
| 2595  | ora_p007_orcl |                   | ora_p007_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 98428000      | 2010680000 | 1802      | 266         |                 | 0                  | 24210      | 1      | 2595   | 1       | 0    |                  |               |               |               |               |                |               |
| 26    | tnslsnr       |                   | /opt/oracle/product/12.2.0.1/dbhome_1/bin/tnslsnr LISTENER -inherit | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 5120000       | 215568000  | 169       | 817         |                 | 0                  | 23182      | 1      | 26     | 2       | 0    |                  |               |               |               |               |                |               |
| 2648  | ora_cjq0_orcl |                   | ora_cjq0_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 197876000     | 2019032000 | 38740     | 20810       |                 | 0                  | 24212      | 1      | 2648   | 1       | 0    |                  |               |               |               |               |                |               |
| 2753  | ora_qm02_orcl |                   | ora_qm02_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 18016000      | 2007792000 | 165       | 312         |                 | 0                  | 24219      | 1      | 2753   | 1       | 0    |                  |               |               |               |               |                |               |
| 2770  | ora_q003_orcl |                   | ora_q003_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 19396000      | 2008308000 | 169       | 220         |                 | 0                  | 24221      | 1      | 2770   | 1       | 0    |                  |               |               |               |               |                |               |
| 28502 | ora_q005_orcl |                   | ora_q005_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 22464000      | 2007792000 | 2         | 4           |                 | 0                  | 276912     | 1      | 28502  | 1       | 0    |                  |               |               |               |               |                |               |
| 28661 | bash          |                   | bash                                                                | S     |     |      | 0     | 0     | 0     | 0     | 0     | 0     | -1      | 0          | 1748000       | 11820000   | 6         | 1           |                 | 0                  | 277073     | 0      | 28661  | 1       | 0    |                  |               |               |               |               |                |               |
| 28802 | ora_w007_orcl |                   | ora_w007_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 24632000      | 2007804000 | 1         | 2           |                 | 0                  | 277196     | 1      | 28802  | 1       | 0    |                  |               |               |               |               |                |               |
| 28804 | ora_w001_orcl |                   | ora_w001_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 27044000      | 2008308000 | 2         | 3           |                 | 0                  | 277199     | 1      | 28804  | 1       | 0    |                  |               |               |               |               |                |               |
| 28814 | ora_w005_orcl |                   | ora_w005_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 27636000      | 2009332000 | 2         | 2           |                 | 0                  | 277223     | 1      | 28814  | 1       | 0    |                  |               |               |               |               |                |               |
| 28816 | ora_w000_orcl |                   | ora_w000_ORCL                                                       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 27764000      | 2009328000 | 2         | 2           |                 | 0                  | 277226     | 1      | 28816  | 1       | 0    |                  |               |               |               |               |                |               |
| 28937 | osqueryi      | /usr/bin/osqueryd | osqueryi                                                            | R     | /   | /    | 0     | 0     | 0     | 0     | 0     | 0     | 1       | 0          | 10880000      | 200624000  | 10        | 7           | 2433024         | 24576              | 277409     | 28661  | 28937  | 4       | 0    |                  | 4026532482    | 4026532480    | 4026532485    | 4026532483    | 4026531837     | 4026532481    |
| 2913  | tail          |                   | tail -f /opt/oracle/diag/rdbms/orcl/ORCL/trace/alert_ORCL.log       | S     |     |      | 54321 | 54321 | 54321 | 54321 | 54321 | 54321 | -1      | 0          | 116000        | 4400000    | 223       | 683         |                 | 0                  | 24252      | 1      | 1      | 1       | 0    |                  |               |               |               |               |                |               |
+-------+---------------+-------------------+---------------------------------------------------------------------+-------+-----+------+-------+-------+-------+-------+-------+-------+---------+------------+---------------+------------+-----------+-------------+-----------------+--------------------+------------+--------+--------+---------+------+------------------+---------------+---------------+---------------+---------------+----------------+---------------+
osquery>

osquery> select * from listening_ports;
+-------+-------+----------+--------+-----------+----+----------+----------------------------+---------------+
| pid   | port  | protocol | family | address   | fd | socket   | path                       | net_namespace |
+-------+-------+----------+--------+-----------+----+----------+----------------------------+---------------+
| -1    | 1521  | 6        | 2      | 0.0.0.0   | -1 | 352599   |                            | 0             |
| -1    | 33371 | 6        | 2      | 0.0.0.0   | -1 | 383090   |                            | 0             |
| -1    | 5500  | 6        | 2      | 0.0.0.0   | -1 | 384079   |                            | 0             |
| -1    | 38365 | 17       | 2      | 0.0.0.0   | -1 | 384521   |                            | 0             |
| -1    | 46666 | 17       | 2      | 127.0.0.1 | -1 | 383085   |                            | 0             |
| -1    | 42601 | 17       | 2      | 0.0.0.0   | -1 | 25442397 |                            | 0             |
| -1    | 34923 | 17       | 2      | 127.0.0.1 | -1 | 383100   |                            | 0             |
| -1    | 55504 | 17       | 2      | 127.0.0.1 | -1 | 382554   |                            | 0             |
| -1    | 37303 | 17       | 2      | 0.0.0.0   | -1 | 25443523 |                            | 0             |
| -1    | 0     | 0        | 1      |           | -1 | 0        | /var/tmp/.oracle/sEXTPROC1 | 0             |
| -1    | 0     | 0        | 1      |           | -1 | 0        | /var/tmp/.oracle/s#26.1    | 0             |
| -1    | 0     | 0        | 1      |           | -1 | 0        | /var/tmp/.oracle/s#26.2    | 0             |
| 28937 | 0     | 0        | 1      |           | 7  | 0        | /root/.osquery/shell.em    | 0             |
| -1    | 1521  | 6        | 2      | 0.0.0.0   | -1 | 352599   |                            | 4026532485    |
| -1    | 33371 | 6        | 2      | 0.0.0.0   | -1 | 383090   |                            | 4026532485    |
| -1    | 5500  | 6        | 2      | 0.0.0.0   | -1 | 384079   |                            | 4026532485    |
| -1    | 38365 | 17       | 2      | 0.0.0.0   | -1 | 384521   |                            | 4026532485    |
| -1    | 46666 | 17       | 2      | 127.0.0.1 | -1 | 383085   |                            | 4026532485    |
| -1    | 42601 | 17       | 2      | 0.0.0.0   | -1 | 25442397 |                            | 4026532485    |
| -1    | 34923 | 17       | 2      | 127.0.0.1 | -1 | 383100   |                            | 4026532485    |
| -1    | 55504 | 17       | 2      | 127.0.0.1 | -1 | 382554   |                            | 4026532485    |
| -1    | 37303 | 17       | 2      | 0.0.0.0   | -1 | 25443523 |                            | 4026532485    |
| -1    | 0     | 0        | 1      |           | -1 | 0        | /var/tmp/.oracle/sEXTPROC1 | 4026532485    |
| -1    | 0     | 0        | 1      |           | -1 | 0        | /var/tmp/.oracle/s#26.1    | 4026532485    |
| -1    | 0     | 0        | 1      |           | -1 | 0        | /var/tmp/.oracle/s#26.2    | 4026532485    |
| 28937 | 0     | 0        | 1      |           | 7  | 0        | /root/.osquery/shell.em    | 4026532485    |
+-------+-------+----------+--------+-----------+----+----------+----------------------------+---------------+
osquery> 
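The `listening_ports` output above lists every socket twice (once under `net_namespace` 0 and once under the container's own namespace 4026532485) and reports `pid -1` for the Oracle listener sockets, meaning osquery could not tie those inodes to a process it could inspect. The following Python is an added example, not code from the original post or from osquery: it takes the JSON that `osqueryi --json "select * from listening_ports"` prints, collapses the per-namespace duplicates by socket inode (or path, for UNIX sockets), and reports wildcard-bound listeners together with whether they could be attributed to a process. The sample rows are constructed from a subset of the values shown in the session; the helper names are this example's own.

```python
"""Triage rows from osquery's listening_ports table (added example)."""
import json
from collections import OrderedDict

# Constructed sample in the shape osqueryi --json emits (all values are
# strings). Rows are a subset of the session output above.
SAMPLE_JSON = json.dumps([
    {"pid": "-1", "port": "1521", "protocol": "6", "family": "2",
     "address": "0.0.0.0", "fd": "-1", "socket": "352599", "path": "",
     "net_namespace": "0"},
    {"pid": "-1", "port": "46666", "protocol": "17", "family": "2",
     "address": "127.0.0.1", "fd": "-1", "socket": "383085", "path": "",
     "net_namespace": "0"},
    {"pid": "28937", "port": "0", "protocol": "0", "family": "1",
     "address": "", "fd": "7", "socket": "0",
     "path": "/root/.osquery/shell.em", "net_namespace": "0"},
    # The same sockets appear again under the container's net namespace.
    {"pid": "-1", "port": "1521", "protocol": "6", "family": "2",
     "address": "0.0.0.0", "fd": "-1", "socket": "352599", "path": "",
     "net_namespace": "4026532485"},
    {"pid": "-1", "port": "46666", "protocol": "17", "family": "2",
     "address": "127.0.0.1", "fd": "-1", "socket": "383085", "path": "",
     "net_namespace": "4026532485"},
    {"pid": "28937", "port": "0", "protocol": "0", "family": "1",
     "address": "", "fd": "7", "socket": "0",
     "path": "/root/.osquery/shell.em", "net_namespace": "4026532485"},
])

# IP protocol numbers as reported in the 'protocol' column.
PROTO_NAMES = {"6": "tcp", "17": "udp"}
# Addresses that mean "every interface".
WILDCARDS = {"0.0.0.0", "::"}


def load_rows(text):
    """Parse osqueryi --json output into a list of row dicts."""
    return json.loads(text)


def socket_key(row):
    """Identity of a listening socket independent of net_namespace.

    INET sockets are keyed by their kernel inode ('socket'); UNIX sockets
    report socket 0, so the filesystem path is used for them instead.
    """
    if row["family"] == "1":
        return ("unix", row["path"])
    return ("inet", row["socket"])


def dedupe_sockets(rows):
    """Collapse rows describing the same socket seen in several namespaces.

    Each surviving row gains a 'namespaces' list recording where it was seen.
    """
    seen = OrderedDict()
    for row in rows:
        entry = seen.setdefault(socket_key(row), dict(row, namespaces=[]))
        entry["namespaces"].append(row["net_namespace"])
    return list(seen.values())


def describe(row):
    """Human-readable label such as 'tcp/0.0.0.0:1521' or 'unix:/path'."""
    if row["family"] == "1":
        return "unix:" + row["path"]
    proto = PROTO_NAMES.get(row["protocol"], "proto" + row["protocol"])
    return "%s/%s:%s" % (proto, row["address"], row["port"])


def wildcard_listeners(rows):
    """Listeners bound to all interfaces, flagged when osquery could not
    attribute the socket to a process (pid -1)."""
    return [
        {"listener": describe(r), "pid": r["pid"],
         "unattributed": r["pid"] == "-1"}
        for r in dedupe_sockets(rows)
        if r["family"] != "1" and r["address"] in WILDCARDS
    ]


if __name__ == "__main__":
    for finding in wildcard_listeners(load_rows(SAMPLE_JSON)):
        print(finding)
```

To run it against a live host, replace `SAMPLE_JSON` with the stdout of `osqueryi --json "select * from listening_ports"`; an unattributed wildcard listener is the row to reconcile against `processes` or `process_open_sockets` before deciding whether it is expected.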







