For security analysts working on Linux, the lack of flexible, transparent and comprehensive tools is an ongoing problem. As is often the case, security professionals are turning to open-source solutions that can be more easily customized to solve specific problems.
OSSEC has been the go-to choice to shore up Linux defenses for many years, but some would argue it’s now overshadowed by osquery. As companies adopt more modern infrastructure, this raises the question of whether OSSEC is still the best choice.
Below we compare osquery vs. OSSEC, starting by defining the differences between the two and then offering some guidance on how to determine which tool is the best option for you.
What is OSSEC?
OSSEC is an open-source, host-based intrusion detection system that works on both Linux and Windows operating systems. It performs log analysis, integrity checking, registry monitoring, rootkit detection, time-based alerting, and active response.
Typically, your security teams will deploy OSSEC whenever they need something running on the server to alert them about potential intrusions. You can use it to monitor log files and send automated alerts if it detects a rootkit or a suspicious file change.
OSSEC uses a client-server architecture and can be run with or without an agent. In agentless mode, the server connects to each machine, analyzes its status, and reports the findings.
Since its inception in 2008, OSSEC has established itself as a reliable tool among security professionals. Today, OSSEC is still in use in many big industries, including finance, banking, and technology. In all cases, these are companies with a meaningful Linux footprint; you would very rarely see an all-Microsoft shop using OSSEC.
What Is Osquery?
Osquery is a tool that allows security analysts to explore host-level operating system data (the endpoints being workstations, servers, or cloud workloads, including virtual machines and containers). Osquery normalizes this data across operating systems, making it queryable using SQL. So, instead of writing parsers for log files, you use scheduled or real-time SQL queries to collect and explore data.
Exposing an operating system as a high-performance relational database allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.
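To make the "operating system as a relational database" idea concrete, here is an added example (not code from the original post or from osquery's own documentation) of the kind of query you can run in osqueryi. It joins the processes table to the hash table so each running program is listed alongside the SHA-256 of the binary it was started from, which is the check you would make before comparing against a known-good or known-bad hash list. The table and column names (processes, hash, pid, name, path, uid, sha256) are real osquery tables; the specific filters are this example's choice.

```sql
-- Added example: list running processes with the SHA-256 of their on-disk binary.
-- osquery's SQL dialect is SQLite, so standard joins and filters apply.
-- The hash table is computed on demand, so it must be constrained by path
-- (here via the join condition); hashing every process binary costs some I/O,
-- which is why the WHERE clause narrows the set.
SELECT
    p.pid,
    p.name,
    p.path,
    p.uid,
    h.sha256
FROM processes AS p
JOIN hash AS h ON h.path = p.path
WHERE p.path != ''                 -- kernel threads have no on-disk path
  AND p.path NOT LIKE '/usr/%'     -- skip package-managed binaries for this hunt
ORDER BY p.uid, p.name;

-- The same relational model extends to other tables the post mentions,
-- e.g. loaded kernel modules (an unexpected module is a classic rootkit signal):
SELECT name, size, used_by, status
FROM kernel_modules
ORDER BY name;
```

The second query has no join; its value is that the same mental model (select from a table, filter, sort) applies whether the "table" is a list of processes or the kernel's module list.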
When Facebook initially developed osquery in 2014, it covered Mac and Linux. Over the years, its fan base of developers expanded it to include Docker containers, Windows, FreeBSD and a variety of Linux distributions. They’ve added tables and extensions making it easier for users to access more data and perform more security-related functions.
While osquery is a very customizable, flexible tool, one challenge of deploying osquery at scale is that you still require a central configuration and logging environment. Once you’re collecting and logging data, you’ll also need to put in some elbow grease to make it actionable.
Osquery vs. OSSEC: Which One Do You Need?
In the Linux world, there aren't a lot of open-source tools for intrusion detection or file integrity monitoring. OSSEC does these things well and has a lot of features, making it an excellent choice for critical tasks such as identifying data patterns in log files, parsing logs, and triggering alerts.
OSSEC is very flexible; however, it is not easy to reconfigure. In truth, OSSEC was designed for a time before cloud computing.
Therefore, if you have a lot of virtual machines with different requirements, OSSEC is not the best solution. As technology progresses, more people will look for a replacement tool—something that’s easier to use than OSSEC.
By comparison, osquery was not designed to parse log files, and, on its own, it won’t do any alerting. That being said, osquery is a more flexible tool that makes it easy to pull in the data you need, when you need it.
For example, if you have osquery with a central management server and you want to quickly get a holistic view of every endpoint connection across your entire environment, you can query all the machines in real-time.
With OSSEC, you’ll first need to determine whether you configured the system to read the specific data you now care about. It will alert you to an issue when it happens, but you can’t ask questions beyond what you set up during the initial configuration.
Say a virus were spreading through USB storage. Using osquery, you can write a simple query, roll it out to all your endpoints, and get a status update from every machine, so you can identify which machines have been compromised. With OSSEC, by contrast, you would need to have deployed ahead of time a configuration that raises alerts when USB storage activity or an intrusion is detected. As such, osquery is a more interactive tool—and a much better fit if you are actively doing threat-hunting or advanced security work.
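Both scenarios above, the fleet-wide view of endpoint connections and the USB-storage hunt, reduce to ad hoc queries you push out from the central management server. The following is an added example (not from the original post or from osquery itself) of what those two queries look like. The tables and columns used (process_open_sockets, processes, usb_devices, mounts, and their listed columns) are real osquery tables; the thresholds and filters are choices made for this example, and the mass-storage hint in the comment is an assumption about what a defender would typically filter on.

```sql
-- Added example 1: every outbound IPv4 connection on the host, with the owning process.
-- Run the same query against every endpoint from the management server and you get
-- the "holistic view of every endpoint connection" in one result set.
SELECT
    p.pid,
    p.name,
    p.path,
    s.local_port,
    s.remote_address,
    s.remote_port,
    s.protocol
FROM process_open_sockets AS s
JOIN processes AS p USING (pid)
WHERE s.family = 2              -- AF_INET; use 10 for AF_INET6
  AND s.remote_port != 0        -- exclude listening sockets with no peer
  AND s.remote_address NOT LIKE '127.%'
ORDER BY s.remote_address, p.name;

-- Added example 2: the USB-storage hunt. First, which removable USB devices are
-- attached right now (vendor/model/serial let you match a known-bad drive)...
SELECT
    vendor,
    vendor_id,
    model,
    model_id,
    serial,
    removable
FROM usb_devices
WHERE removable = 1;

-- ...and second, which of them are actually mounted with a filesystem type
-- typical of removable media (assumption: vfat/exfat/ntfs is the usual set;
-- adjust to what your fleet uses).
SELECT
    device,
    path,
    type,
    flags
FROM mounts
WHERE type IN ('vfat', 'exfat', 'ntfs')
  AND path NOT LIKE '/boot%';
```

Each statement is independent, so you can schedule the first as a recurring query for connection telemetry and keep the USB pair as on-demand queries you run only when a hunt calls for them. That split is the practical difference the post is drawing: the question does not have to exist in the configuration before the incident does.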
Get Better Acquainted With Osquery
With its burgeoning support system, osquery has a bright future among security teams—especially those looking to secure meaningful Linux environments.
Uptycs provides a complete turnkey solution built around the osquery agent, so you can easily collect, aggregate and analyze all the telemetry provided even across thousands (or hundreds of thousands) of endpoints. Uptycs is able to offer agile improvements to the osquery agent, quickly adding new features—like file integrity monitoring for Windows—to the Uptycs distribution of osquery.
With Uptycs, your security team can streamline osquery configuration and optimize data storage and usefulness across your infrastructure, ultimately helping your organization develop a stronger security posture around intrusion detection, compliance, and threat-hunting.
If you'd like to learn more about how Uptycs can help solve your pressing Linux security challenges, watch this 15-minute demo video!