How to Monitor /etc/hosts With Osquery
One of the most powerful features of osquery is tracking how host state changes
over time. Let’s use the differential queries feature of osquery to keep tabs
on the /etc/hosts
file, which can be maliciously modified by malware
(such as OSX/Dok).
Note the etc_hosts
table we query is available on macOS, Windows and Linux,
so this is a cross-platform technique.
As we work through this example, notice the pattern that can be applied to many concepts we are interested in monitoring: establish a baseline and track differential changes as modifications occur.
It helps to start exploring with osqueryi
:
$ osqueryi
Using a virtual database. Need help, type '.help'
osquery> select * from etc_hosts;
+-----------------+----------------+
| address | hostnames |
+-----------------+----------------+
| 127.0.0.1 | localhost |
| 255.255.255.255 | broadcasthost |
| ::1 | localhost |
| 127.0.0.1 | dockerhost |
| 127.0.0.1 | mysql |
+-----------------+----------------+
My computer has a few entries, but nothing concerning. Now that we have an understanding of the data provided by osquery, let’s schedule a query to monitor updates to the file.
For the purposes of this example, I’ll create a minimal configuration file. The query could be added to any osquery config file, or a separate query pack.
/* Sample osquery configuration */
{
"schedule": {
"etc_hosts_entries": {
"query": "SELECT * FROM etc_hosts",
"interval": 10,
"removed": false
}
}
}
Here are the results published immediately when I run osqueryd
with that
configuration:
{"name":"etc_hosts_entries","hostIdentifier":"zwass.local","calendarTime":"Tue Dec 12 19:00:20 2017 UTC","unixTime":"1513105220","epoch":"0","counter":"0","columns":{"address":"127.0.0.1","hostnames":"localhost"},"action":"added"}
{"name":"etc_hosts_entries","hostIdentifier":"zwass.local","calendarTime":"Tue Dec 12 19:00:20 2017 UTC","unixTime":"1513105220","epoch":"0","counter":"0","columns":{"address":"255.255.255.255","hostnames":"broadcasthost"},"action":"added"}
{"name":"etc_hosts_entries","hostIdentifier":"zwass.local","calendarTime":"Tue Dec 12 19:00:20 2017 UTC","unixTime":"1513105220","epoch":"0","counter":"0","columns":{"address":"::1","hostnames":"localhost"},"action":"added"}
{"name":"etc_hosts_entries","hostIdentifier":"zwass.local","calendarTime":"Tue Dec 12 19:00:20 2017 UTC","unixTime":"1513105220","epoch":"0","counter":"0","columns":{"address":"127.0.0.1","hostnames":"dockerhost"},"action":"added"}
{"name":"etc_hosts_entries","hostIdentifier":"zwass.local","calendarTime":"Tue Dec 12 19:00:20 2017 UTC","unixTime":"1513105220","epoch":"0","counter":"0","columns":{"address":"127.0.0.1","hostnames":"mysql"},"action":"added"}
Note these correspond to the results we already saw with osqueryi
.
That is because the first time the query executes, all of the results are
“new”. On further runs of the query, only the newly added
results will be logged.
Imagine some malware decided to block access to VirusTotal. Osquery would log a line like this:
{"name":"etc_hosts_entries","hostIdentifier":"zwass.local","calendarTime":"Tue Dec 12 19:01:51 2017 UTC","unixTime":"1513105311","epoch":"0","counter":"9","columns":{"address":"127.0.0.1","hostnames":"virustotal.com"},"action":"added"}
Or if the hosts entry for Google was updated to a malicious IP:
{"name":"etc_hosts_entries","hostIdentifier":"zwass.local","calendarTime":"Tue Dec 12 19:02:41 2017 UTC","unixTime":"1513105361","epoch":"0","counter":"14","columns":{"address":"184.43.27.56","hostnames":"google.com"},"action":"added"}
To enable monitoring across a fleet of hosts, results can aggregated through your preferred log aggregation pipeline (ELK stack and Splunk are popular among osquery users).
It should also be noted that osquery includes a robust File Integrity Monitoring (FIM) system that is useful for detecting modifications to important files. The FIM is a more advanced capability that can be used to perform analytics similar to those discussed here.
If you’d like to read more osquery content like this, sign up for our biweekly newsletter.