6481b34e23
Add a way to compile third-party libraries from source instead of downloading prebuilt ones. Each library source code is downloaded with git into a submodule at configure time, in response to the find_package(library_name) CMake call, except for OpenSSL where the official source archive is used. Each submodule is attached to a release tag on its own upstream repository. All the libraries are built using CMake directly, except for OpenSSL which uses a formula system, which permits to build libraries with a separate build system when there's no easy way to integrate it directly with CMake. This new dependency system determines which library is fetched from where using the concept of "layers". Currently we have three of them: source, formula, facebook, where the last layer represents the pre-built libraries. The provided order will be used when looking for libraries. A system to patch submodule source code has been added and it's currently used with googletest, libudev and util-linux. Patches should be put under libraries/cmake/source/<library name>/patches/<submodule>, where <submodule> is often one and is "src", but in other cases, like AWS, there are multiple with a more specific name. If for whatever reason the submodule cloning or the patching fails, the submodule has to be unregistered and its folder should be cleared. This should be achievable with "git submodule deinit -f <submodule path>" Following some other changes on existing functionality: - Changed the CMake variable BUILD_TESTING to OSQUERY_BUILD_TESTS to avoid enabling tests on third party libraries. Due to an issue with glog the BUILD_TESTING variable will be always forced to OFF. - Moved compiler and linker flags to their own file cmake/flags.cmake - Moved all the third-party CMakeLists.txt used for pre-built libraries under libraries/cmake/facebook - Added the --exclude-folders option to tools/format-check.py and tools/git-clang-format.py, so that it's possible to ignore any third party library source code. - The format and format_check target use the new --exclude-folders option to exclude libraries/cmake/source from formatting. - The test and osquery binaries are properly compiled with PIE (osquery/osquery#5611) Co-authored-by: Stefano Bonicatti <stefano.bonicatti@gmail.com> Co-authored-by: Teddy Reed <teddy@casualhacking.io> |
||
|---|---|---|
| .github | ||
| cmake | ||
| docs | ||
| libraries | ||
| mode | ||
| osquery | ||
| packs | ||
| plugins | ||
| specs | ||
| tests | ||
| third-party | ||
| tools | ||
| .buckconfig | ||
| .clang-format | ||
| .gitignore | ||
| .gitmodules | ||
| .watchmanconfig | ||
| azure-pipelines.yml | ||
| CMakeLists.txt | ||
| CODE_OF_CONDUCT.md | ||
| CODEOWNERS | ||
| CONTRIBUTING.md | ||
| Doxyfile | ||
| LICENSE | ||
| LICENSE-Apache-2.0 | ||
| LICENSE-GPL-2.0 | ||
| mkdocs.yml | ||
| README.md | ||
| SECURITY.md | ||
| SUPPORT.md | ||
| Vagrantfile | ||
osquery
osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework.
Available for Linux, macOS, Windows, and FreeBSD.
| Platform | Build status | |||
|---|---|---|---|---|
| MacOS 10.14 | Homepage: | https://osquery.io | ||
| Ubuntu 18.04 | Downloads: | https://osquery.io/downloads | ||
| Windows Server 2016 | Tables: | https://osquery.io/schema | ||
| FreeBSD 11 | N/A | Packs: | https://osquery.io/packs | |
| Guide: | https://osquery.readthedocs.org | |||
 |
https://osquery-slack.herokuapp.com |
What is osquery?
osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.
SQL tables are implemented via a simple plugin and extensions API. A variety of tables already exist and more are being written: https://osquery.io/schema. To best understand the expressiveness that is afforded to you by osquery, consider the following SQL queries:
List the users:
SELECT * FROM users;
Check the processes that have a deleted executable:
SELECT * FROM processes WHERE on_disk = 0;
Get the process name, port, and PID, for processes listening on all interfaces:
SELECT DISTINCT processes.name, listening_ports.port, processes.pid
FROM listening_ports JOIN processes USING (pid)
WHERE listening_ports.address = '0.0.0.0';
Find every macOS LaunchDaemon that launches an executable and keeps it running:
SELECT name, program || program_arguments AS executable
FROM launchd
WHERE (run_at_load = 1 AND keep_alive = 1)
AND (program != '' OR program_arguments != '');
Check for ARP anomalies from the host's perspective:
SELECT address, mac, COUNT(mac) AS mac_count
FROM arp_cache GROUP BY mac
HAVING count(mac) > 1;
Alternatively, you could also use a SQL sub-query to accomplish the same result:
SELECT address, mac, mac_count
FROM
(SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac)
WHERE mac_count > 1;
These queries can be:
- performed on an ad-hoc basis to explore operating system state using the osqueryi shell
- executed via a scheduler to monitor operating system state across a set of hosts
- launched from custom applications using osquery Thrift APIs
Download & Install
To download the latest stable builds and for repository information and installation instructions visit https://osquery.io/downloads.
Build from source
Building osquery from source is encouraged! Check out our build guide.
Also check out our contributing guide and join the community on Slack.
License
By contributing to osquery you agree that your contributions will be licensed as defined on the LICENSE file.
Vulnerabilities
We keep track of security announcements in our tagged version release notes on GitHub. We aggregate these into SECURITY.md too.
Facebook has a bug bounty program that includes osquery. If you find a security vulnerability in osquery, please submit it via the process outlined on that page and do not file a public issue. For more information on finding vulnerabilities in osquery, see our blog post Bug Hunting osquery.
Learn more
If you're interested in learning more about osquery read the launch blog post for background on the project, visit the users guide.
Development and usage discussion is happening in the osquery Slack, grab an invite automatically here!