-
Notifications
You must be signed in to change notification settings - Fork 0
Home
osquery is an operating system instrumentation toolchain for *nix based hosts. osquery makes low-level operating system analytics and monitoring both performant and intuitive.
osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as
- running processes
- loaded kernel modules
- open network connections
SQL tables are implemented via an easily extendable API. A bunch of tables already exist and more are constantly being written. To best understand the expressiveness that is afforded to you by osquery, consider the following SQL queries:
--------------------------------------------------------
-- get the name, pid and attached port of all processes
-- which are listening on all interfaces
--------------------------------------------------------
SELECT DISTINCT
process.name,
listening.port,
process.pid
FROM processes AS process
JOIN listening_ports AS listening
ON process.pid = listening.pid
WHERE listening.address = '0.0.0.0';--------------------------------------------------------
-- find every launchdaemon on an OS X host which
-- * launches an executable when the operating
-- system starts
-- * keeps the executable running
-- return the name of the launchdaemon and the full
-- path (with arguments) of the executable to be ran.
--------------------------------------------------------
SELECT
name,
program || program_arguments AS executable
FROM launchd
WHERE
(run_at_load = 'true' AND keep_alive = 'true')
AND
(program != '' OR program_arguments != '');These queries can be:
- performed on an ad-hoc basis to explore operating system state
- executed via a scheduler to monitor operating system state across a distributed set of hosts over time
- launched from custom applications using osquery APIs
The high-performance, low-footprint distributed host monitoring daemon, osqueryd, allows you to schedule queries to be executed across your infrastructure. The daemon takes care of aggregating the query results over time and generates logs which indicate state changes in your infrastructure. You can use this to maintain insight into the security, performance, configuration and state of your entire infrastructure. osqueryd's logging can integrate right into your internal log aggregation pipeline, regardless of your technology stack, via a robust plugin architecture.
The interactive query console, osqueryi, gives you a SQL interface to try out new queries and explore your operating system. With the power of a complete SQL language and dozens of useful tables built-in, osqueryi is an invaluable tool when performing incident response, diagnosing an systems operations problem, troubleshooting a performance issue, etc.
osquery is cross platform. Even though osquery takes advantage of very low-level operating system APIs, you can build and use osquery on Ubuntu, Cent OS and Mac OS X. This has the distinct advantage of allowing you to be able to use one platform for monitoring complex operating system state across you're entire infrastructure. Monitor your corporate Mac OS X clients the same way you monitor your production Linux servers.
To make deploying osquery in your infrastructure as easy as possible, osquery comes with native packages for all supported operating systems. There's great tooling and documentation around creating packages, so packaging and deploying your custom osquery tools can be just as easy too.
To assist with the rollout process, the osquery wiki has detailed documentation on internal deployment. osquery was built so that every environment specific aspect of the toolchain can be hot-swapped at run-time with custom plugins. Use these interfaces to deeply integrate osquery into your infrastructure if one of the several existing plugins don't suit your needs.
Additionally, osquery's codebase is made up of high-performance, modular components with clearly documented public APIs. These components can be easily strung together to create new, interesting applications and tools. Language bindings exist for many languages, so you can continue to use the technologies that you're comfortable with.
Getting started with osquery is easy, regardless of if you'd like to extend osquery or use the pre-built, open source tools.
If you're interested in installing and using osquery right now, check out the install guide for OS X and Linux.
If you're interested in deploying osquery to provide your organization with deeper insight into your Linux and OS X hosts, check out the deployment guide.
If you're interested in performing ad-hoc operating system analytics, DFIR, etc. then check out the analytics guide.
If you're interested in extending one of the existing osquery products or improving core libraries, read the developer's guide.
If you're interest in using osquery's functionality in your own tool, check out the public API documentation.