SQL powered operating system instrumentation, monitoring, and analytics.

osquery

Build status is tracked for the following platforms: OS X 10.10, CentOS 6.6, Ubuntu 12.04 LTS, and Ubuntu 14.04 LTS.

osquery is an operating system instrumentation framework for OS X and Linux. osquery makes low-level operating system analytics and monitoring both performant and intuitive.

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as

  • running processes
  • loaded kernel modules
  • open network connections

SQL tables are implemented via an easily extendable API. A variety of tables already exist and more are being written.

To best understand the expressiveness that is afforded to you by osquery, consider the following SQL queries:

--------------------------------------------------------
-- get the name, pid and attached port of all processes
-- which are listening on all interfaces
--------------------------------------------------------
SELECT DISTINCT
  process.name,
  listening.port,
  process.pid
FROM processes AS process
JOIN listening_ports AS listening
ON process.pid = listening.pid
WHERE listening.address = '0.0.0.0';
--------------------------------------------------------
-- find every launchdaemon on an OS X host which
--   * launches an executable when the operating
--     system starts
--   * keeps the executable running
-- return the name of the launchdaemon and the full
-- path (with arguments) of the executable to be run.
--------------------------------------------------------
SELECT
  name,
  program || program_arguments AS executable
FROM launchd
WHERE
  (run_at_load = 'true' AND keep_alive = 'true')
AND
  (program != '' OR program_arguments != '');

These queries can be:

  • performed on an ad-hoc basis to explore operating system state
  • executed via a scheduler to monitor operating system state across a distributed set of hosts over time
  • launched from custom applications using osquery APIs
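As an added example (not part of the osquery README), the first query above extended into the kind of scheduled check a defender would run: processes bound to all interfaces whose backing binary has been unlinked or that run from a world-writable scratch directory. It assumes the processes table exposes path, cmdline, uid, parent and on_disk columns (on_disk = 0 meaning the executable is no longer on disk) and that listening_ports has a protocol column; the pid, port and address columns are the ones the README's query uses.

```sql
-- Added example, not from the osquery project. Column names beyond pid, name,
-- port and address are assumptions about the processes and listening_ports
-- tables; osquery's SQL dialect is SQLite.
SELECT DISTINCT
  p.pid,
  p.parent,
  p.name,
  p.path,
  p.cmdline,
  p.uid,
  lp.port,
  lp.protocol,
  lp.address,
  CASE
    WHEN p.on_disk = 0 THEN 'binary deleted'
    ELSE 'on disk'
  END AS disk_state
FROM processes AS p
JOIN listening_ports AS lp
  ON p.pid = lp.pid
WHERE
  -- bound to every interface (IPv4 wildcard or IPv6 unspecified address)
  lp.address IN ('0.0.0.0', '::')
  AND (
    -- executable unlinked after start: common in in-memory-only implants
    p.on_disk = 0
    -- or executing out of scratch space where nothing legitimate should live
    OR p.path LIKE '/tmp/%'
    OR p.path LIKE '/private/tmp/%'   -- OS X resolves /tmp here
    OR p.path LIKE '/var/tmp/%'
    OR p.path LIKE '/dev/shm/%'       -- Linux tmpfs
  )
ORDER BY lp.port;
```

Run on a schedule, the rows this returns are worth alerting on; run ad hoc, an empty result set is the expected baseline on a healthy host.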

Install

OS X

The easiest way to install osquery on OS X is via Homebrew. Check the Homebrew homepage for installation instructions.

Run the following:

brew update
brew install osquery

To update osquery:

brew update
brew upgrade osquery

Linux

We don't currently supply pre-built osquery packages for Linux. We do, however, provide Vagrant VMs which allow you to easily create packages for Ubuntu 12.04+ and CentOS 6.5. Check out the wiki's installation guide for more information.

If you're trying to build osquery on a different, currently unsupported operating system, please refer to the building the code guide for help.

Learn more

Read the launch blog post for background on the project.

If you're interested in learning more about osquery, visit the wiki.