osquery-1/README.md

osquery
=======

osquery is an operating system instrumentation toolchain for *nix based hosts. osquery makes low-level operating system analytics and monitoring both performant and intuitive.

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as

- running processes
- loaded kernel modules
- open network connections

SQL tables are implemented via an easily extendable API. A bunch of tables already exist and more are constantly being written. To best understand the expressiveness that is afforded to you by osquery, consider the following SQL queries:

```sql
--------------------------------------------------------
-- get the name, pid and attached port of all processes 
-- which are listening on all interfaces
--------------------------------------------------------
SELECT DISTINCT 
  process.name, 
  listening.port, 
  process.pid
FROM processes AS process
JOIN listening_ports AS listening
ON process.pid = listening.pid
WHERE listening.address = '0.0.0.0';
```
```sql
--------------------------------------------------------
-- find every launchdaemon on an OS X host which 
--   * launches an executable when the operating 
--     system starts
--   * keeps the executable running 
-- return the name of the launchdaemon and the full 
-- path (with arguments) of the executable to be ran.
--------------------------------------------------------
SELECT 
  name, 
  program || program_arguments AS executable 
FROM launchd 
WHERE 
  (run_at_load = 'true' AND keep_alive = 'true') 
AND 
  (program != '' OR program_arguments != '');
```

These queries can be:
- performed on an ad-hoc basis to explore operating system state
- executed via a scheduler to monitor operating system state across a distributed set of hosts over time
- launched from custom applications using osquery APIs

## Learn more

If you're interested in learning more about osquery, visit the [wiki](https://github.com/facebook/osquery/wiki).
Initial commit 2014-07-31 00:35:19 +00:00			`osquery`
			`=======`
instructions 2014-08-12 00:51:30 +00:00
Update README.md 2014-09-03 08:42:15 +00:00			`osquery is an operating system instrumentation toolchain for *nix based hosts. osquery makes low-level operating system analytics and monitoring both performant and intuitive.`

			`osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as`

			`- running processes`
			`- loaded kernel modules`
			`- open network connections`

			`SQL tables are implemented via an easily extendable API. A bunch of tables already exist and more are constantly being written. To best understand the expressiveness that is afforded to you by osquery, consider the following SQL queries:`

			```sql
			`--------------------------------------------------------`
			`-- get the name, pid and attached port of all processes`
			`-- which are listening on all interfaces`
			`--------------------------------------------------------`
			`SELECT DISTINCT`
			`process.name,`
			`listening.port,`
			`process.pid`
			`FROM processes AS process`
			`JOIN listening_ports AS listening`
			`ON process.pid = listening.pid`
			`WHERE listening.address = '0.0.0.0';`
			```
			```sql
			`--------------------------------------------------------`
			`-- find every launchdaemon on an OS X host which`
			`-- * launches an executable when the operating`
			`-- system starts`
			`-- * keeps the executable running`
			`-- return the name of the launchdaemon and the full`
			`-- path (with arguments) of the executable to be ran.`
			`--------------------------------------------------------`
			`SELECT`
			`name,`
			`program \|\| program_arguments AS executable`
			`FROM launchd`
			`WHERE`
			`(run_at_load = 'true' AND keep_alive = 'true')`
			`AND`
			`(program != '' OR program_arguments != '');`
			```

			`These queries can be:`
			`- performed on an ad-hoc basis to explore operating system state`
			`- executed via a scheduler to monitor operating system state across a distributed set of hosts over time`
			`- launched from custom applications using osquery APIs`

Update README.md 2014-09-05 06:29:26 +00:00			`## Learn more`
instructions 2014-08-12 00:51:30 +00:00
Update README.md 2014-09-05 07:44:50 +00:00			`If you're interested in learning more about osquery, visit the [wiki](https://github.com/facebook/osquery/wiki).`