SQL powered operating system instrumentation, monitoring, and analytics.
Mike Arpaia 892b89eb42 Merge pull request #278 from yannick/master
add parenthesis for python3 compatibility
2014-10-29 15:24:23 -07:00

osquery

osquery is an operating system instrumentation framework for OS X and Linux. osquery makes low-level operating system analytics and monitoring both performant and intuitive.

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as

  • running processes
  • loaded kernel modules
  • open network connections

SQL tables are implemented via an easily extendable API. A variety of tables already exist and more are being written.

To get a sense of the expressiveness osquery affords, consider the following SQL queries:

--------------------------------------------------------
-- get the name, pid and listening port of all processes
-- which are listening on all interfaces
--------------------------------------------------------
SELECT DISTINCT
  process.name,
  listening.port,
  process.pid
FROM processes AS process
JOIN listening_ports AS listening
ON process.pid = listening.pid
WHERE listening.address = '0.0.0.0';

--------------------------------------------------------
-- find every launch daemon on an OS X host which
--   * launches an executable when the operating
--     system starts
--   * keeps the executable running
-- return the name of the launch daemon and the full
-- path (with arguments) of the executable to be run.
--------------------------------------------------------
SELECT
  name,
  program || program_arguments AS executable
FROM launchd
WHERE
  (run_at_load = 'true' AND keep_alive = 'true')
AND
  (program != '' OR program_arguments != '');

These queries can be:

  • performed on an ad-hoc basis to explore operating system state
  • executed via a scheduler to monitor operating system state across a distributed set of hosts over time
  • launched from custom applications using osquery APIs
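The scheduled-monitoring case above turns on one step: comparing a query's result set with its previous run and reporting only what changed. The following is an added example, not osquery's own code; it diffs two constructed runs of the listening-ports query (rows in the JSON object form osquery uses for results) into "added" and "removed" rows, and the function names and sample rows are my own.

```python
import json
from typing import Dict, List, Optional, Sequence, Tuple

Row = Dict[str, str]

# Constructed sample: two consecutive runs of the listening-ports query
# above, as JSON rows. The second run has one extra listener, which is
# what a scheduled query should surface.
BASELINE_JSON = json.dumps([
    {"name": "sshd", "port": "22", "pid": "812"},
    {"name": "nginx", "port": "443", "pid": "1403"},
])
CURRENT_JSON = json.dumps([
    {"name": "sshd", "port": "22", "pid": "812"},
    {"name": "nginx", "port": "443", "pid": "1403"},
    {"name": "python3", "port": "8080", "pid": "5521"},
])


def row_key(row: Row, columns: Optional[Sequence[str]]) -> Tuple[str, ...]:
    """Identity of a row for diffing. By default the whole row counts
    (a pid change after a restart shows up as removed + added); passing
    e.g. ("name", "port") ignores pid churn and tracks only the listener."""
    if columns is None:
        return tuple(f"{k}={v}" for k, v in sorted(row.items()))
    return tuple(row.get(c, "") for c in columns)


def diff_results(baseline_json: str, current_json: str,
                 columns: Optional[Sequence[str]] = None) -> Tuple[List[Row], List[Row]]:
    """Return (added, removed) rows between two runs of the same query:
    'added' rows have no matching key in the baseline, 'removed' rows
    were in the baseline but are gone now. Unchanged rows are dropped,
    which is what keeps a scheduled query's log small over time."""
    before = {row_key(r, columns): r for r in json.loads(baseline_json)}
    after = {row_key(r, columns): r for r in json.loads(current_json)}
    added = [r for k, r in after.items() if k not in before]
    removed = [r for k, r in before.items() if k not in after]
    return added, removed


if __name__ == "__main__":
    added, removed = diff_results(BASELINE_JSON, CURRENT_JSON, ("name", "port"))
    for r in added:
        print(f"added:   {r['name']} (pid {r['pid']}) now listening on port {r['port']}")
    for r in removed:
        print(f"removed: {r['name']} no longer listening on port {r['port']}")
```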

Learn more

Read the launch blog post for background on the project.

If you're interested in learning more about osquery, visit the wiki.