# osquery

| Platform | Build status |
|---|---|
| OS X 10.10 | |
| CentOS 6.5 | |
| CentOS 7.0 | |
| Ubuntu 12.04 LTS | |
| Ubuntu 14.04 LTS | |
osquery is an operating system instrumentation framework for OSX and Linux. osquery makes low-level operating system analytics and monitoring both performant and intuitive.
osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as
- running processes
- loaded kernel modules
- open network connections
SQL tables are implemented via an easily extendable API. A variety of tables already exist and more are being written.
To best understand the expressiveness that is afforded to you by osquery, consider the following SQL queries:
```sql
--------------------------------------------------------
-- get the name, pid and attached port of all processes
-- which are listening on all interfaces
--------------------------------------------------------
SELECT DISTINCT
  process.name,
  listening.port,
  process.pid
FROM processes AS process
JOIN listening_ports AS listening
  ON process.pid = listening.pid
WHERE listening.address = '0.0.0.0';

--------------------------------------------------------
-- find every launchdaemon on an OS X host which
--   * launches an executable when the operating
--     system starts
--   * keeps the executable running
-- return the name of the launchdaemon and the full
-- path (with arguments) of the executable to be run.
--------------------------------------------------------
SELECT
  name,
  program || program_arguments AS executable
FROM launchd
WHERE
  (run_at_load = 'true' AND keep_alive = 'true')
  AND
  (program != '' OR program_arguments != '');
```
These queries can be:
- performed on an ad-hoc basis to explore operating system state
- executed via a scheduler to monitor operating system state across a distributed set of hosts over time
- launched from custom applications using osquery APIs
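To see what the first query above actually returns, here is an added example (not part of the osquery project) that runs it unchanged against constructed stand-ins for the `processes` and `listening_ports` tables in SQLite. The column set and sample rows are assumptions; the example also shows why a listener-exposure check should match the IPv6 wildcard address `::` as well as `0.0.0.0`, which the README's literal `= '0.0.0.0'` predicate does not.

```python
import sqlite3

# Constructed sample rows standing in for osquery's processes and
# listening_ports tables (only the columns the README query touches).
PROCESSES = [(1, "launchd"), (412, "sshd"), (520, "postgres"),
             (731, "nginx"), (802, "redis-server")]
LISTENING_PORTS = [
    (412, 22, "0.0.0.0"),      # sshd on every IPv4 interface
    (412, 22, "::"),           # sshd on every IPv6 interface too
    (520, 5432, "127.0.0.1"),  # postgres bound to loopback only
    (731, 80, "0.0.0.0"),
    (731, 443, "0.0.0.0"),
    (802, 6379, "::"),         # redis bound only to the IPv6 wildcard
]

# The README query, verbatim apart from whitespace.
README_QUERY = """
SELECT DISTINCT process.name, listening.port, process.pid
FROM processes AS process
JOIN listening_ports AS listening ON process.pid = listening.pid
WHERE listening.address = '0.0.0.0';
"""

# Same query widened so an IPv6-only wildcard bind is not missed.
WILDCARD_QUERY = README_QUERY.replace(
    "listening.address = '0.0.0.0'",
    "listening.address IN ('0.0.0.0', '::')")


def build_db():
    """Load the constructed rows into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE processes (pid INTEGER, name TEXT)")
    db.execute("CREATE TABLE listening_ports "
               "(pid INTEGER, port INTEGER, address TEXT)")
    db.executemany("INSERT INTO processes VALUES (?, ?)", PROCESSES)
    db.executemany("INSERT INTO listening_ports VALUES (?, ?, ?)",
                   LISTENING_PORTS)
    return db


def exposed_listeners(query=README_QUERY):
    """Return sorted (name, port, pid) rows of wildcard-bound listeners."""
    db = build_db()
    rows = sorted(db.execute(query).fetchall())
    db.close()
    return rows
```

With the constructed rows, the README query reports nginx and sshd only; the widened predicate also surfaces the redis listener bound to `::`, while `DISTINCT` collapses sshd's dual-stack bind into one row.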
## Install

### OS X
The easiest way to install osquery on OS X is via Homebrew. Check the Homebrew homepage for installation instructions.
Run the following:

```sh
brew update
brew install osquery
```

To update osquery:

```sh
brew update
brew upgrade osquery
```
### Linux
We don't currently supply pre-built osquery packages for Linux. We do, however, provide Vagrant VMs which allow you to easily create packages for Ubuntu 12.04+ and CentOS 6.5. Check out the wiki's installation guide for more information.
If you're trying to build osquery on a different, currently unsupported operating system, please refer to the building the code guide for help.
## Vulnerabilities
Facebook has a bug bounty program which osquery participates in. If you find a vulnerability in osquery, please submit it via the process outlined on that page and do not file a public issue.
For more information on finding vulnerabilities in osquery, see a recent blog post about bug-hunting osquery: https://www.facebook.com/notes/facebook-bug-bounty/bug-hunting-osquery/954850014529225
## Learn more
Read the launch blog post for background on the project.
If you're interested in learning more about osquery, visit the wiki.