osquery-1/README.md

osquery
=======
Platform | Build status
---------|-------------
OS X 10.10      | [![Build Status](http://jenkins.osquery.io/job/osqueryMasterBuildOSX/badge/icon)](http://jenkins.osquery.io/job/osqueryMasterBuildOSX/)
CentOS 6.6   | [![Build Status](http://jenkins.osquery.io/job/osqueryMasterBuildCentOS/badge/icon)](http://jenkins.osquery.io/job/osqueryMasterBuildCentOS/)
Ubuntu 12.04 LTS | [![Build Status](http://jenkins.osquery.io/job/osqueryMasterBuildUbuntu12/badge/icon)](http://jenkins.osquery.io/job/osqueryMasterBuildUbuntu12/)
Ubuntu 14.04 LTS | [![Build Status](http://jenkins.osquery.io/job/osqueryMasterBuildUbuntu14/badge/icon)](http://jenkins.osquery.io/job/osqueryMasterBuildUbuntu14/)


osquery is an operating system instrumentation framework for OSX and Linux. osquery makes low-level operating system analytics and monitoring both performant and intuitive.

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as

- running processes
- loaded kernel modules
- open network connections

SQL tables are implemented via an easily extendable API. A variety of tables already exist and more are being written.

To best understand the expressiveness that is afforded to you by osquery, consider the following SQL queries:

```sql
--------------------------------------------------------
-- get the name, pid and attached port of all processes
-- which are listening on all interfaces
--------------------------------------------------------
SELECT DISTINCT
  process.name,
  listening.port,
  process.pid
FROM processes AS process
JOIN listening_ports AS listening
ON process.pid = listening.pid
WHERE listening.address = '0.0.0.0';
```

```sql
--------------------------------------------------------
-- find every launchdaemon on an OS X host which
--   * launches an executable when the operating
--     system starts
--   * keeps the executable running
-- return the name of the launchdaemon and the full
-- path (with arguments) of the executable to be ran.
--------------------------------------------------------
SELECT
  name,
  program || program_arguments AS executable
FROM launchd
WHERE
  (run_at_load = 'true' AND keep_alive = 'true')
AND
  (program != '' OR program_arguments != '');
```

These queries can be:
- performed on an ad-hoc basis to explore operating system state
- executed via a scheduler to monitor operating system state across a distributed set of hosts over time
- launched from custom applications using osquery APIs

## Install

### OS X

The easiest way to install osquery on OS X is via Homebrew. Check the [Homebrew](http://brew.sh/) homepage for installation instructions.

Run the following:

```
brew update
brew install osquery
```

To update osquery:

```
brew update
brew upgrade osquery
```

### Linux

We don't currently supply pre-built osquery packages for Linux. We do, however, provide Vagrant VMs which allow you to easily create packages for Ubuntu 12.04+ and CentOS 6.5. Check out the wiki's [installation guide](https://github.com/facebook/osquery/wiki/install-linux) for more information.

If you're trying to build osquery on a different, currently unsupported operating system, please refer to the [building the code guide](https://github.com/facebook/osquery/wiki/building-the-code) for help.

## Vulnerabilities

Facebook has a [bug bounty](https://www.facebook.com/whitehat/) program which osquery participates in. If you find a vulnerability in osquery, please submit it via the process outlined on that page and do not file a public issue.

For more information on finding vulnerabilities in osquery, see a recent blog post about bug-hunting osquery: https://www.facebook.com/notes/facebook-bug-bounty/bug-hunting-osquery/954850014529225

## Learn more

Read the [launch blog post](https://code.facebook.com/posts/844436395567983/introducing-osquery/) for background on the project.

If you're interested in learning more about osquery, visit the [wiki](https://github.com/facebook/osquery/wiki).
Initial commit 2014-07-31 00:35:19 +00:00			`osquery`
			`=======`
Add build matrix 2014-11-21 01:26:11 +00:00			`Platform \| Build status`
			`---------\|-------------`
update build matrix text 2014-11-24 16:56:28 +00:00			`OS X 10.10 \| [![Build Status](http://jenkins.osquery.io/job/osqueryMasterBuildOSX/badge/icon)](http://jenkins.osquery.io/job/osqueryMasterBuildOSX/)`
Update README.md 2014-11-24 16:56:56 +00:00			`CentOS 6.6 \| [![Build Status](http://jenkins.osquery.io/job/osqueryMasterBuildCentOS/badge/icon)](http://jenkins.osquery.io/job/osqueryMasterBuildCentOS/)`
update build matrix text 2014-11-24 16:56:28 +00:00			`Ubuntu 12.04 LTS \| [![Build Status](http://jenkins.osquery.io/job/osqueryMasterBuildUbuntu12/badge/icon)](http://jenkins.osquery.io/job/osqueryMasterBuildUbuntu12/)`
			`Ubuntu 14.04 LTS \| [![Build Status](http://jenkins.osquery.io/job/osqueryMasterBuildUbuntu14/badge/icon)](http://jenkins.osquery.io/job/osqueryMasterBuildUbuntu14/)`
Adding one build badge per supported system 2014-11-20 23:02:27 +00:00
instructions 2014-08-12 00:51:30 +00:00
Update README.md 2014-10-29 00:35:57 +00:00			`osquery is an operating system instrumentation framework for OSX and Linux. osquery makes low-level operating system analytics and monitoring both performant and intuitive.`
Update README.md 2014-09-03 08:42:15 +00:00
			`osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as`

			`- running processes`
			`- loaded kernel modules`
			`- open network connections`

Update README.md 2014-10-29 00:36:22 +00:00			`SQL tables are implemented via an easily extendable API. A variety of tables already exist and more are being written.`

			`To best understand the expressiveness that is afforded to you by osquery, consider the following SQL queries:`
Update README.md 2014-09-03 08:42:15 +00:00
			```sql
			`--------------------------------------------------------`
whitespace to kick off travis build 2014-11-04 16:59:46 +00:00			`-- get the name, pid and attached port of all processes`
Update README.md 2014-09-03 08:42:15 +00:00			`-- which are listening on all interfaces`
			`--------------------------------------------------------`
whitespace to kick off travis build 2014-11-04 16:59:46 +00:00			`SELECT DISTINCT`
			`process.name,`
			`listening.port,`
Update README.md 2014-09-03 08:42:15 +00:00			`process.pid`
			`FROM processes AS process`
			`JOIN listening_ports AS listening`
			`ON process.pid = listening.pid`
			`WHERE listening.address = '0.0.0.0';`
			```
whitespace to kick off travis build 2014-11-04 16:59:46 +00:00
Update README.md 2014-09-03 08:42:15 +00:00			```sql
			`--------------------------------------------------------`
whitespace to kick off travis build 2014-11-04 16:59:46 +00:00			`-- find every launchdaemon on an OS X host which`
			`-- * launches an executable when the operating`
Update README.md 2014-09-03 08:42:15 +00:00			`-- system starts`
whitespace to kick off travis build 2014-11-04 16:59:46 +00:00			`-- * keeps the executable running`
			`-- return the name of the launchdaemon and the full`
Update README.md 2014-09-03 08:42:15 +00:00			`-- path (with arguments) of the executable to be ran.`
			`--------------------------------------------------------`
whitespace to kick off travis build 2014-11-04 16:59:46 +00:00			`SELECT`
			`name,`
			`program \|\| program_arguments AS executable`
			`FROM launchd`
			`WHERE`
			`(run_at_load = 'true' AND keep_alive = 'true')`
			`AND`
Update README.md 2014-09-03 08:42:15 +00:00			`(program != '' OR program_arguments != '');`
			```

			`These queries can be:`
			`- performed on an ad-hoc basis to explore operating system state`
			`- executed via a scheduler to monitor operating system state across a distributed set of hosts over time`
			`- launched from custom applications using osquery APIs`

Reference wiki install instructions in the README. Could add `brew` and `apt-get` instructions once those are available. 2014-10-30 02:24:20 +00:00			`## Install`

Update README.md 2014-11-03 09:41:30 +00:00			`### OS X`

whitespace to kick off travis build 2014-11-04 16:59:46 +00:00			`The easiest way to install osquery on OS X is via Homebrew. Check the [Homebrew](http://brew.sh/) homepage for installation instructions.`
Update README.md 2014-11-03 09:41:30 +00:00
			`Run the following:`

			```
			`brew update`
			`brew install osquery`
			```

			`To update osquery:`

			```
			`brew update`
			`brew upgrade osquery`
			```

			`### Linux`

Update README.md 2014-11-03 09:50:31 +00:00			`We don't currently supply pre-built osquery packages for Linux. We do, however, provide Vagrant VMs which allow you to easily create packages for Ubuntu 12.04+ and CentOS 6.5. Check out the wiki's [installation guide](https://github.com/facebook/osquery/wiki/install-linux) for more information.`

Update README.md 2014-11-03 09:50:54 +00:00			`If you're trying to build osquery on a different, currently unsupported operating system, please refer to the [building the code guide](https://github.com/facebook/osquery/wiki/building-the-code) for help.`
Reference wiki install instructions in the README. Could add `brew` and `apt-get` instructions once those are available. 2014-10-30 02:24:20 +00:00
Adding whitehat information to README close #627 2015-01-15 21:59:46 +00:00			`## Vulnerabilities`

			`Facebook has a [bug bounty](https://www.facebook.com/whitehat/) program which osquery participates in. If you find a vulnerability in osquery, please submit it via the process outlined on that page and do not file a public issue.`

			`For more information on finding vulnerabilities in osquery, see a recent blog post about bug-hunting osquery: https://www.facebook.com/notes/facebook-bug-bounty/bug-hunting-osquery/954850014529225`

Update README.md 2014-09-05 06:29:26 +00:00			`## Learn more`
instructions 2014-08-12 00:51:30 +00:00
Update README.md 2014-10-29 18:18:35 +00:00			`Read the [launch blog post](https://code.facebook.com/posts/844436395567983/introducing-osquery/) for background on the project.`

Update README.md 2014-09-05 07:44:50 +00:00			`If you're interested in learning more about osquery, visit the [wiki](https://github.com/facebook/osquery/wiki).`
arbitrary whitespace 2014-11-19 02:23:46 +00:00