internal deployment guide
Deploying osquery should be straightforward and the documentation should contain all of the information you need. If you have any problems along the way, please create a GitHub issue.
A top-level goal of osquery is for it to be performant enough to run on production infrastructure with the smallest possible footprint. The core osquery team at Facebook puts a lot of effort into ensuring that all code is rigorously benchmarked and tested for memory leaks.
All system operations in osquery use the underlying operating system APIs directly rather than shelling out. For example, the kextstat table on OS X uses the same core APIs as the kextstat command. For a long-running monitoring daemon, calling system APIs instead of exec'ing a system command has large benefits for performance and reliability: no process spawning per query, no parsing of human-oriented command output, and no dependence on the PATH or on the binaries present on the host.
Whenever possible, osquery uses operating system event streams to react to changes instead of polling for them. For example, if you wanted to know whenever a file changed, you could periodically poll its contents, or you could use inotify to tell you when the file changed. osquery includes a complete operating system publish-subscribe event framework, which the core product uses extensively to provide more elegant, high-performance solutions to problems.
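The polling-versus-events choice described above, as an added configuration example that is not part of the original page or the osquery project's own documentation. The filesystem config plugin reads a JSON file like this one; the `file_paths` section registers inotify (or FSEvents on OS X) subscriptions that populate the `file_events` table, while the `hash` query is the polling alternative that recomputes a digest on every run. The paths, intervals and the flag names in `options` are assumptions for illustration and should be checked against the osquery version you deploy.

```json
{
  "options": {
    "logger_plugin": "filesystem",
    "disable_events": "false",
    "enable_file_events": "true"
  },
  "schedule": {
    "etc_changes_events": {
      "query": "SELECT target_path, action, time FROM file_events;",
      "interval": 60
    },
    "passwd_hash_polled": {
      "query": "SELECT path, sha256 FROM hash WHERE path = '/etc/passwd';",
      "interval": 60
    }
  },
  "file_paths": {
    "etc": [
      "/etc/%%"
    ],
    "binaries": [
      "/usr/bin/%",
      "/usr/sbin/%"
    ]
  }
}
```

The `etc_changes_events` query costs nothing between runs: the event publisher records each modification as it happens, and the scheduled query only drains the buffered rows. The `passwd_hash_polled` query reads and hashes the file on every interval whether or not it changed, and can miss a change that is reverted between two runs. `%` matches a single directory level and `%%` matches recursively.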
Being an open source product, osquery can be customized to fit your environment. There are several plugin interfaces (for example, config and logger plugins) and options to choose from when deploying it. osquery can be deployed in both OS X corporate environments and Linux production environments, so all of the environment-specific components of the product are swappable at runtime.
Deploying osquery in your environment is easy. The osquery codebase comes with several tools, utilities and test infrastructure that you can use to easily build and create custom osquery packages. For more information on the options that are available to you, read the distribution guide.