-
Notifications
You must be signed in to change notification settings - Fork 0
Home
osquery is an operating system instrumentation toolchain for *nix based hosts. osquery makes low-level operating system analytics and monitoring both performant and intuitive.
osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as
- running processes
- loaded kernel modules
- open network connections
SQL tables are implemented via an easily extendable API. A bunch of tables already exist and more are constantly being written. To best understand the expressiveness that is afforded to you by osquery, consider the following SQL queries:
------------------------------------------------------
-- get the name and the pid of all processes which are
-- listening on all interfaces
--
-- using a join:
SELECT DISTINCT name, pid
FROM processes as processes
JOIN listening_ports AS ports
ON processes.pid = ports.pid
AND ports.address = '0.0.0.0';
-- using a sub-select:
SELECT name, pid
FROM processes
WHERE pid
IN (
SELECT DISTINCT pid
FROM listening_ports
WHERE address = '0.0.0.0'
);
------------------------------------------------------
------------------------------------------------------
-- find every launchdaemon on an OS X host which
-- * launches an executable when the operating
-- system starts
-- * keeps the executable running
-- return the name of the launchdaemon and the full
-- path (with arguments) of the executable to be ran.
------------------------------------------------------
SELECT name, program || program_arguments AS executable
FROM launchd
WHERE
(run_at_load = 'true' AND keep_alive = 'true')
AND
(program != '' OR program_arguments != '');These queries can be:
- performed on an ad-hoc basis to explore operating system state
- executed via a scheduler to monitor operating system state across a distributed set of hosts over time
- launched from custom applications using osquery APIs
Lorem ipsum dolor sit amet, labores expetendis delicatissimi ex has, epicuri sapientem no cum, ludus laboramus at mea. Civibus suscipiantur eam ne.
Lorem ipsum dolor sit amet, labores expetendis delicatissimi ex has, epicuri sapientem no cum, ludus laboramus at mea. Civibus suscipiantur eam ne. Pro ad putant eripuit interesset, eos agam utamur facilisis id. Populo omnium his id, eripuit persecuti vix te.
Eu timeam accusam eos. Et usu vidit fabellas. In graeco scribentur sit. Ad eos mundi omittam voluptatibus, an decore feugait eos, possit facilis vel ad. No congue homero ridens vel, consul vulputate cum no.
Ea adipisci sapientem eum. Pri ei brute possim consectetuer, vel ne vivendum similique. Case homero persius sit cu, vim eu simul eruditi denique. Vix ei doming omittam.
Lorem ipsum dolor sit amet, labores expetendis delicatissimi ex has, epicuri sapientem no cum, ludus laboramus at mea. Civibus suscipiantur eam ne. Pro ad putant eripuit interesset, eos agam utamur facilisis id. Populo omnium his id, eripuit persecuti vix te.
Eu timeam accusam eos. Et usu vidit fabellas. In graeco scribentur sit. Ad eos mundi omittam voluptatibus, an decore feugait eos, possit facilis vel ad. No congue homero ridens vel, consul vulputate cum no.
Ea adipisci sapientem eum. Pri ei brute possim consectetuer, vel ne vivendum similique. Case homero persius sit cu, vim eu simul eruditi denique. Vix ei doming omittam.
Lorem ipsum dolor sit amet, labores expetendis delicatissimi ex has, epicuri sapientem no cum, ludus laboramus at mea. Civibus suscipiantur eam ne. Pro ad putant eripuit interesset, eos agam utamur facilisis id. Populo omnium his id, eripuit persecuti vix te.
Eu timeam accusam eos. Et usu vidit fabellas. In graeco scribentur sit. Ad eos mundi omittam voluptatibus, an decore feugait eos, possit facilis vel ad. No congue homero ridens vel, consul vulputate cum no.
Ea adipisci sapientem eum. Pri ei brute possim consectetuer, vel ne vivendum similique. Case homero persius sit cu, vim eu simul eruditi denique. Vix ei doming omittam.
Getting started with osquery is easy, regardless of if you'd like to extend osquery or use the pre-built, open source tools.
If you're interested in installing and using osquery right now, check out the install guide for OS X and Linux.
If you're interested in deploying osquery to provide your organization with deeper insight into your Linux and OS X hosts, check out the deployment guide.
If you're interested in performing ad-hoc operating system analytics, DFIR, etc. then check out the analytics guide.
If you're interested in extending one of the existing osquery products or improving core libraries, read the developer's guide.
If you're interest in using osquery's functionality in your own tool, check out the public API documentation.