SQL powered operating system instrumentation, monitoring, and analytics.
Go to file
Filipe Manco 766634aa83
Add parent PID on process_events from openbsm (#4091)
* openbsm_events: Fix using wrong union element

* darwin: use macros to identify audit events

* darwin: Add parent info to proc events [1/3]

Rename subscriber class to a more generic name in preparation to make it
handling multiple process related events.

* darwin: Add parent info to proc events [2/3]

Refactor exec event handling into its own function in preparation to
make it handling multiple process related events.

* darwin: Add parent info to proc events [3/3]

Capture fork events to construct a map of parent child relationships. On
a exec look at the map to get the parent information. Use exit events to
garbage collect the map.
2018-01-31 15:20:43 +00:00
CMake deps: Improve native (non-deps) builds (#4060) 2018-01-14 20:14:40 -05:00
docs Use schema branch of website instead of master for raw data (#4082) 2018-01-25 08:09:36 -08:00
external external: Enable external applications through make external (#3023) 2017-02-26 17:38:01 -08:00
include/osquery tables: Remove ptree from table plugins (#4075) 2018-01-21 05:11:42 -05:00
kernel license: Change license to Apache 2.0 and GPLv2 (#4007) 2017-12-18 16:04:06 -08:00
osquery Add parent PID on process_events from openbsm (#4091) 2018-01-31 15:20:43 +00:00
packs added IOCs to query for OSX_MaMi malware (#4055) 2018-01-12 20:34:31 -05:00
specs tables: Add cpu_microcode to system_info (#4028) 2018-01-20 20:24:09 -05:00
third-party@4ef099c31a deps: Build linenoise locally (third-party) (#4058) 2018-01-14 16:31:41 -05:00
tools Tools to generate table and package JSON for the new website (#4077) 2018-01-25 08:09:11 -08:00
.clang-format format: Remove Cpp restriction (#3521) 2017-08-02 10:32:12 -07:00
.gitignore audit-based file integrity monitoring (#3492) 2018-01-15 19:57:50 -08:00
.gitmodules removing lib submodule 2014-09-23 18:50:10 -07:00
.watchmanconfig watcher: Do not initialize the config in watcher (#3403) 2017-06-13 17:26:34 -07:00
CMakeLists.txt build: Fix OSQUERY_BUILD_SHARED linkage (#4062) 2018-01-14 23:08:36 -05:00
CONTRIBUTING.md license: Change license to Apache 2.0 and GPLv2 (#4007) 2017-12-18 16:04:06 -08:00
COPYING license: Change license to Apache 2.0 and GPLv2 (#4007) 2017-12-18 16:04:06 -08:00
Doxyfile Add clang-format rules from 3.6 (#2360) 2016-08-15 01:33:17 -07:00
LICENSE license: Change license to Apache 2.0 and GPLv2 (#4007) 2017-12-18 16:04:06 -08:00
Makefile deps: Rebuild all dependencies for Darwin and Linux (v5) (#4025) 2018-01-04 23:05:21 -08:00
mkdocs.yml Various fixes and updates to the wiki (#2740) 2016-11-11 22:13:51 -08:00
osquery.thrift Add shutdown method to extensions (#2224) 2016-07-06 12:23:24 -07:00
README.md website: Upload dark version of logo for README (#4065) 2018-01-15 12:50:51 -05:00
requirements.txt deps: Build for thrift 0.11.0 (#4013) 2017-12-23 13:39:13 -08:00
SECURITY.md security: Update SECURITY.md with recent merges (#3787) 2017-10-04 17:28:06 -07:00
Vagrantfile vagrant: Add win10 target for Vagrant (#4040) 2018-01-10 09:52:31 -08:00

osquery

osquery logo

osquery is an operating system instrumentation framework for OS X/macOS, Windows, and Linux.
The tools make low-level operating system analytics and monitoring both performant and intuitive.

Platform Build status
macOS 10.12 Build Status Homepage: https://osquery.io
CentOS 6.x Build Status Downloads: https://osquery.io/downloads
CentOS 7.x Build Status Tables: https://osquery.io/schema
Ubuntu 14.04 Build Status Packs: https://osquery.io/packs
Ubuntu 16.04 Build Status Guide: https://osquery.readthedocs.org
Windows 2016 Build Status Slack Status https://osquery-slack.herokuapp.com
Windows 10 Build Status
FreeBSD 11 Build Status

There are many additional continuous build jobs that perform dynamic and static analysis, test the package build process, rebuild dependencies from source, assure deterministic build on macOS and Linux, fuzz test the virtual tables, and build on several other platforms not included above. Code safety, testing rigor, data integrity, and a friendly development community are our primary goals.

What is osquery?

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.

SQL tables are implemented via a simple plugin and extensions API. A variety of tables already exist and more are being written: https://osquery.io/schema. To best understand the expressiveness that is afforded to you by osquery, consider the following SQL queries:

List the users:

SELECT * FROM users;

Check the processes that have a deleted executable:

SELECT * FROM processes WHERE on_disk = 0;

Get the process name, port, and PID, for processes listening on all interfaces:

SELECT DISTINCT processes.name, listening_ports.port, processes.pid
  FROM listening_ports JOIN processes USING (pid)
  WHERE listening_ports.address = '0.0.0.0';

Find every OS X LaunchDaemon that launches an executable and keeps it running:

SELECT name, program || program_arguments AS executable
  FROM launchd
  WHERE (run_at_load = 1 AND keep_alive = 1)
  AND (program != '' OR program_arguments != '');

Check for ARP anomalies from the host's perspective:

SELECT address, mac, COUNT(mac) AS mac_count
  FROM arp_cache GROUP BY mac
  HAVING count(mac) > 1;

Alternatively, you could also use a SQL sub-query to accomplish the same result:

SELECT address, mac, mac_count
  FROM
    (SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac)
  WHERE mac_count > 1;

These queries can be:

  • performed on an ad-hoc basis to explore operating system state using the osqueryi shell
  • executed via a scheduler to monitor operating system state across a set of hosts
  • launched from custom applications using osquery Thrift APIs

Downloads / Install

For latest stable builds for OS X (pkg) and Linux (deb/rpm), as well as yum and apt repository information visit https://osquery.io/downloads. Windows 10, 8, Server 2012 and 2016 packages are published to Chocolatey.

The list of supported platforms for running osquery is massive:

  • Apple OS X 10.10, 10.11, and macOS 10.12
  • Any 64bit Linux OS with glibc >= 2.13 and zlib >= 1.2
  • Windows 10, 8, Server 2012, and 2016

Building from source

Building osquery from source is encouraged! Check out the documentation to get started and join our developer community by giving us feedback in Github issues or submitting pull requests!

We officially support a subset of OS versions for building because it is rather intense.

  • Ubuntu 14.04 and 16.04, CentOS 6.5 and 7
  • Apple macOS 10.12
  • Windows 10 and Server 2016

File Integrity Monitoring (FIM)

osquery provides several FIM features too! Just as OS concepts are represented in tabular form, the daemon can track OS events and later expose them in a table. Tables like file_events or yara_events can be selected to retrieve buffered events.

The configuration allows you to organize files and directories for monitoring. Those sets can be paired with lists of YARA signatures or configured for additional monitoring such as access events.

Process and socket auditing

There are several forms of eventing in osquery along with file modifications and accesses. These range from disk mounts, network reconfigurations, hardware attach and detaching, and process starting. For a complete set review the table documentation and look for names with the _events suffix.

License

The osquery project is dual-licensed under Apache 2.0 and GPLv2. You may select, at your option, one of the these licenses.

Vulnerabilities

We keep track of security announcements in our tagged version release notes on GitHub. We aggregate these into SECURITY.md too.

Facebook has a bug bounty program that includes osquery. If you find a security vulnerability in osquery, please submit it via the process outlined on that page and do not file a public issue. For more information on finding vulnerabilities in osquery, see a recent blog post about bug-hunting osquery.

Learn more

Want to be a Security Engineer at Facebook? The osquery development team is hiring! Our team's mission is detect external and internal threats to users' data. We do that by building, deploying, and using intrusion detection tools like osquery. Check out our position description or reach out to @theopolis.

Read the launch blog post for background on the project. If you're interested in learning more about osquery, visit the users guide and browse our RFC-labeled Github issues. Development and usage discussion is happing in the osquery Slack, grab an invite automatically: https://osquery-slack.herokuapp.com/!