internal deployment guide
Deploying osquery should be straightforward, and the documentation should contain all of the information you need. If you run into problems along the way, please create a GitHub issue.
osquery was built with production infrastructure in mind. Code is rigorously benchmarked and tested for memory leaks, so expect a small CPU and memory footprint on monitored hosts.
osquery uses the underlying system APIs for system operations rather than shelling out to utilities. For example, the kextstat table on OS X uses the same core APIs as the kextstat command. Over the lifecycle of a long-running monitoring daemon, the savings from avoiding process spawns and output parsing compound.
Whenever possible, osquery uses operating system event streams to react to changes instead of polling for them. For example, if you wanted to know when a particular file changed, you could periodically poll and compare its contents, or you could have inotify tell you when the file changed. osquery includes a complete publish-subscribe event framework on top of these operating system sources, and the core product uses it extensively to provide an elegant, high-performance solution.
Being an open source product, osquery is completely customizable. Beyond modifying the code, there are several plugin interfaces and options you can choose from when deploying it. osquery is deployed in both OS X corporate environments and Linux production environments, so the environment-specific components of the product (configuration retrieval, result logging, and so on) are swappable at runtime through plugins.
Deploying osquery in your environment is easy. The osquery codebase comes with tools, utilities and test infrastructure that you can use to build custom osquery packages. For more information on the options available to you, read the distribution guide.
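The event framework and the runtime plugin selection described above can be seen together in a single deployment configuration. The following is an added example written for this page, not a configuration shipped by the osquery project: it subscribes the file_events table to a set of paths (on Linux this subscriber is backed by inotify, on OS X by FSEvents) and schedules a query that drains the buffered events every five minutes, so the daemon never has to re-read or re-hash the files on a timer. The path list, the query name `etc_changes`, the expiry value and the exclusion are constructed for illustration and should be replaced with the paths you actually need to watch; the keys themselves (`options`, `schedule`, `file_paths`, `exclude_paths`, `disable_events`, `events_expiry`, `removed`) are osquery configuration keys.

```json
{
  "options": {
    "disable_events": "false",
    "events_expiry": "3600"
  },
  "schedule": {
    "etc_changes": {
      "query": "SELECT target_path, category, action, time, sha256 FROM file_events;",
      "interval": 300,
      "removed": false
    }
  },
  "file_paths": {
    "etc": ["/etc/%%"],
    "binaries": ["/usr/bin/%%", "/usr/sbin/%%"]
  },
  "exclude_paths": {
    "etc": ["/etc/ld.so.cache"]
  }
}
```

A few points worth checking in practice. `disable_events` must be false (the option is on by default in some packaged builds), otherwise file_events stays empty without any error. `%%` is the recursive wildcard, so `/etc/%%` watches every file under /etc; `events_expiry` bounds how long buffered events are kept in the backing store before being dropped, which matters if the scheduled query falls behind. `"removed": false` tells the logger not to emit "removed" rows, which is the right setting for an append-only event table. Which plugin reads this file and where results go are chosen by flags rather than by the file itself, for example `osqueryd --config_plugin=filesystem --config_path=/etc/osquery/osquery.conf --logger_plugin=filesystem`; swapping `filesystem` for another config or logger plugin changes the environment-specific behaviour without touching the schedule.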