SQL powered operating system instrumentation, monitoring, and analytics.
Latest commit: Mike Arpaia, 0cc4e0a287, "Merge pull request #696 from marpaia/fix-695: ignore ds_store on table generation", 2015-02-02 14:43:42 -08:00

osquery

Build status is tracked for the following platforms:

  • OS X 10.10
  • CentOS 6.6
  • Ubuntu 12.04 LTS
  • Ubuntu 14.04 LTS

osquery is an operating system instrumentation framework for OS X and Linux. osquery makes low-level operating system analytics and monitoring both performant and intuitive.

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as

  • running processes
  • loaded kernel modules
  • open network connections

SQL tables are implemented via an easily extensible API. A variety of tables already exist and more are being written.

To best understand the expressiveness that is afforded to you by osquery, consider the following SQL queries:

--------------------------------------------------------
-- get the name, pid and attached port of all processes
-- which are listening on all interfaces
--------------------------------------------------------
SELECT DISTINCT
  process.name,
  listening.port,
  process.pid
FROM processes AS process
JOIN listening_ports AS listening
ON process.pid = listening.pid
WHERE listening.address = '0.0.0.0';
--------------------------------------------------------
-- find every launchdaemon on an OS X host which
--   * launches an executable when the operating
--     system starts
--   * keeps the executable running
-- return the name of the launchdaemon and the full
-- path (with arguments) of the executable to be run.
--------------------------------------------------------
SELECT
  name,
  program || program_arguments AS executable
FROM launchd
WHERE
  (run_at_load = 'true' AND keep_alive = 'true')
AND
  (program != '' OR program_arguments != '');

These queries can be:

  • performed on an ad-hoc basis to explore operating system state
  • executed via a scheduler to monitor operating system state across a distributed set of hosts over time
  • launched from custom applications using osquery APIs
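The second and third uses above (scheduled monitoring and consuming results from your own code) are what turn the README's listening-ports query into a detection signal: a scheduler re-runs the query, and the interesting events are the rows that appear or disappear between runs. The following Python is an added example written for this page, not osquery's own code. It assumes the osqueryd configuration format with a top-level "schedule" object whose entries carry a "query" and an "interval" in seconds (an assumption about the config format; check the documentation for your version), and it assumes results arrive as lists of row dicts, the shape that osqueryi's JSON output produces. The two snapshots are constructed for the example.

```python
"""Scheduled monitoring with osquery: a differential view of listening ports.

Added example, not osquery's own code. Assumptions (see lead-in):
  * osqueryd config uses a top-level "schedule" object whose entries carry
    a "query" and an "interval" in seconds;
  * query results are lists of row dicts, as osqueryi's JSON output yields.
The snapshot rows below are constructed sample data.
"""
import json

# The listening-ports query from the README, kept as one string so it can be
# registered under a name and run by osqueryd on a schedule.
LISTENING_QUERY = """
SELECT DISTINCT process.name, listening.port, process.pid
FROM processes AS process
JOIN listening_ports AS listening ON process.pid = listening.pid
WHERE listening.address = '0.0.0.0';
""".strip()


def build_schedule_config(queries, interval=300):
    """Return an osqueryd-style config dict that schedules each named query.

    `queries` maps a query name to its SQL text; `interval` is the number of
    seconds between runs. The "schedule" / "query" / "interval" keys follow
    the assumed osquery config format described in the module docstring.
    """
    return {
        "schedule": {
            name: {"query": sql, "interval": interval}
            for name, sql in queries.items()
        }
    }


def row_key(row):
    """Hashable identity of a result row, independent of dict key order."""
    return tuple(sorted(row.items()))


def diff_results(previous, current):
    """Compare two snapshots of the same query's rows.

    Returns (added, removed): rows present only in `current` and rows present
    only in `previous`. This is the differential step a scheduler needs to
    turn repeated snapshots into change events (for example, a process that
    started listening on all interfaces since the last run).
    """
    prev_keys = {row_key(r) for r in previous}
    curr_keys = {row_key(r) for r in current}
    added = [dict(k) for k in sorted(curr_keys - prev_keys)]
    removed = [dict(k) for k in sorted(prev_keys - curr_keys)]
    return added, removed


# Constructed snapshots of the listening-ports query at two points in time.
SNAPSHOT_T0 = [
    {"name": "sshd", "port": "22", "pid": "412"},
    {"name": "nginx", "port": "80", "pid": "900"},
]
SNAPSHOT_T1 = [
    {"name": "sshd", "port": "22", "pid": "412"},
    {"name": "nginx", "port": "80", "pid": "900"},
    {"name": "redis-server", "port": "6379", "pid": "2317"},  # new listener
]


if __name__ == "__main__":
    config = build_schedule_config({"listening_on_all_interfaces": LISTENING_QUERY})
    print(json.dumps(config, indent=2))
    added, removed = diff_results(SNAPSHOT_T0, SNAPSHOT_T1)
    for row in added:
        print("new listener:", row)
    for row in removed:
        print("listener gone:", row)
```

Comparing whole rows (name, port and pid together) means a restarted service shows up as one removed row and one added row, which is usually the behaviour you want for an audit trail; if you only care about which ports are exposed, key the rows on the port column alone before diffing.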

Install

OS X

The easiest way to install osquery on OS X is via Homebrew. Check the Homebrew homepage for installation instructions.

Run the following:

brew update
brew install osquery

To update osquery:

brew update
brew upgrade osquery

Linux

We don't currently supply pre-built osquery packages for Linux. We do, however, provide Vagrant VMs which allow you to easily create packages for Ubuntu 12.04+ and CentOS 6.5. Check out the wiki's installation guide for more information.

If you're trying to build osquery on a different, currently unsupported operating system, please refer to the building the code guide for help.

Vulnerabilities

Facebook has a bug bounty program which osquery participates in. If you find a vulnerability in osquery, please submit it via the process outlined on that page and do not file a public issue.

For more information on finding vulnerabilities in osquery, see a recent blog post about bug-hunting osquery: https://www.facebook.com/notes/facebook-bug-bounty/bug-hunting-osquery/954850014529225

Learn more

Read the launch blog post for background on the project.

If you're interested in learning more about osquery, visit the wiki.