How to Monitor /etc/hosts With Osquery

One of the most powerful features of osquery is tracking how host state changes over time. Let’s use the differential queries feature of osquery to keep tabs on the /etc/hosts file, which can be maliciously modified by malware (such as OSX/Dok). Note the etc_hosts table we query is available on macOS, Windows and Linux, so this is a cross-platform technique.

As we work through this example, notice the pattern that can be applied to many concepts we are interested in monitoring: establish a baseline and track differential changes as modifications occur.

It helps to start exploring with osqueryi:

$ osqueryi
Using a virtual database. Need help, type '.help'
osquery> select * from etc_hosts;
| address         | hostnames      |
|       | localhost      |
| | broadcasthost  |
| ::1             | localhost      |
|       | dockerhost     |
|       | mysql          |

My computer has a few entries, but nothing concerning. Now that we have an understanding of the data provided by osquery, let’s schedule a query to monitor updates to the file.

For the purposes of this example, I’ll create a minimal configuration file. The query could be added to any osquery config file, or a separate query pack.

/* Sample osquery configuration */
  "schedule": {
    "etc_hosts_entries": {
      "query": "SELECT * FROM etc_hosts",
      "interval": 10,
      "removed": false

Here are the results published immediately when I run osqueryd with that configuration:

{"name":"etc_hosts_entries","hostIdentifier":"zwass.local","calendarTime":"Tue Dec 12 19:00:20 2017 UTC","unixTime":"1513105220","epoch":"0","counter":"0","columns":{"address":"","hostnames":"localhost"},"action":"added"}
{"name":"etc_hosts_entries","hostIdentifier":"zwass.local","calendarTime":"Tue Dec 12 19:00:20 2017 UTC","unixTime":"1513105220","epoch":"0","counter":"0","columns":{"address":"","hostnames":"broadcasthost"},"action":"added"}
{"name":"etc_hosts_entries","hostIdentifier":"zwass.local","calendarTime":"Tue Dec 12 19:00:20 2017 UTC","unixTime":"1513105220","epoch":"0","counter":"0","columns":{"address":"::1","hostnames":"localhost"},"action":"added"}
{"name":"etc_hosts_entries","hostIdentifier":"zwass.local","calendarTime":"Tue Dec 12 19:00:20 2017 UTC","unixTime":"1513105220","epoch":"0","counter":"0","columns":{"address":"","hostnames":"dockerhost"},"action":"added"}
{"name":"etc_hosts_entries","hostIdentifier":"zwass.local","calendarTime":"Tue Dec 12 19:00:20 2017 UTC","unixTime":"1513105220","epoch":"0","counter":"0","columns":{"address":"","hostnames":"mysql"},"action":"added"}

Note these correspond to the results we already saw with osqueryi. That is because the first time the query executes, all of the results are “new”. On further runs of the query, only the newly added results will be logged.

Imagine some malware decided to block access to VirusTotal. Osquery would log a line like this:

{"name":"etc_hosts_entries","hostIdentifier":"zwass.local","calendarTime":"Tue Dec 12 19:01:51 2017 UTC","unixTime":"1513105311","epoch":"0","counter":"9","columns":{"address":"","hostnames":""},"action":"added"}

Or if the hosts entry for Google was updated to a malicious IP:

{"name":"etc_hosts_entries","hostIdentifier":"zwass.local","calendarTime":"Tue Dec 12 19:02:41 2017 UTC","unixTime":"1513105361","epoch":"0","counter":"14","columns":{"address":"","hostnames":""},"action":"added"}

To enable monitoring across a fleet of hosts, results can aggregated through your preferred log aggregation pipeline (ELK stack and Splunk are popular among osquery users).

It should also be noted that osquery includes a robust File Integrity Monitoring (FIM) system that is useful for detecting modifications to important files. The FIM is a more advanced capability that can be used to perform analytics similar to those discussed here.

If you’d like to read more osquery content like this, sign up for our biweekly newsletter.

Share this story:

More articles you
might enjoy:

Deep Dives
Buying Kolide vs Building Your Own Osquery Solution
Jason Meller
Inside Kolide
How to Run Osqueryi With Kolide Launcher Tables
Fritz Ifert-Miller
Deep Dives
Is Windows Defender Enough to Pass SOC 2?
Jason Meller
Watch a Demo
Watch a Demo