
osquery: SQL-Powered Operating System Instrumentation, Monitoring and Analytics

by ethhack


osquery is a SQL-powered operating system instrumentation, monitoring, and analytics framework.
Available for Linux, macOS, Windows and FreeBSD.

What is osquery?

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.

SQL tables are implemented via a simple plugin and extensions API. A variety of tables already exist and more are being written: https://osquery.io/schema.

To best understand the expressiveness that osquery affords you, consider the following SQL queries:

List the users:

SELECT * FROM users;

Check the processes that have a deleted executable (the binary was removed from disk after the process started):

SELECT * FROM processes WHERE on_disk = 0;

Get the process name, port, and PID for processes listening on all interfaces:

SELECT DISTINCT processes.name, listening_ports.port, processes.pid
  FROM listening_ports JOIN processes USING (pid)
  WHERE listening_ports.address = '0.0.0.0';

Find every macOS LaunchDaemon that launches an executable and keeps it running:

SELECT name, program || program_arguments AS executable
  FROM launchd
  WHERE (run_at_load = 1 AND keep_alive = 1)
  AND (program != '' OR program_arguments != '');

Check for ARP anomalies from the host's perspective (one MAC address answering for more than one IP):

SELECT address, mac, COUNT(mac) AS mac_count
  FROM arp_cache GROUP BY mac
  HAVING COUNT(mac) > 1;

Alternatively, you could also use a SQL sub-query to accomplish the same result:

SELECT address, mac, mac_count
  FROM
    (SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac)
  WHERE mac_count > 1;

These queries can be:

  • Performed on an ad-hoc basis to explore operating system state using the osqueryi shell
  • Executed via a scheduler to monitor operating system state across a set of hosts
  • Launched from custom applications using the osquery Thrift APIs
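The following is an added example and not code from the osquery project. It runs the README's deleted-executable, wildcard-listener and ARP-anomaly queries against constructed tables that mirror the relevant osquery schema columns, using Python's built-in sqlite3 (osquery's SQL is SQLite's dialect, so the statements are the same ones you would type into osqueryi), and then builds the osquery.conf "schedule" block that would run them on every host, which is the scheduler use mentioned in the list above. The ARP query is extended with GROUP_CONCAT so that every IP sharing a MAC is reported rather than one arbitrary address per group; the sample rows, process names and the 300-second interval are all constructed.

```python
"""Added example (not osquery project code): exercise the README's detection
queries on constructed tables with sqlite3, then emit an osquery.conf
schedule for them."""
import json
import sqlite3

# Constructed sample data. arp_cache holds one MAC that answers for two IPs
# (the pattern the ARP query flags); processes holds one binary that was
# deleted from disk after launch; listening_ports has three wildcard binds.
ARP_CACHE = [  # (address, mac, interface)
    ("192.168.1.1",  "aa:bb:cc:00:00:01", "eth0"),
    ("192.168.1.20", "aa:bb:cc:00:00:02", "eth0"),
    ("192.168.1.30", "aa:bb:cc:00:00:09", "eth0"),
    ("192.168.1.50", "aa:bb:cc:00:00:09", "eth0"),
]
PROCESSES = [  # (pid, name, on_disk)
    (412, "sshd", 1),
    (913, "nginx", 1),
    (2210, "updater", 0),
]
LISTENING_PORTS = [  # (pid, port, address)
    (412, 22, "0.0.0.0"),
    (913, 80, "0.0.0.0"),
    (913, 443, "0.0.0.0"),
    (2210, 8080, "127.0.0.1"),
]

QUERIES = {
    # These two are the README's queries verbatim.
    "deleted_executables": "SELECT * FROM processes WHERE on_disk = 0;",
    "wildcard_listeners": (
        "SELECT DISTINCT processes.name, listening_ports.port, processes.pid "
        "FROM listening_ports JOIN processes USING (pid) "
        "WHERE listening_ports.address = '0.0.0.0';"
    ),
    # Extension of the README's ARP query: GROUP_CONCAT lists every IP that
    # shares the MAC instead of one arbitrary address per group.
    "arp_anomalies": (
        "SELECT mac, GROUP_CONCAT(address) AS addresses, COUNT(mac) AS mac_count "
        "FROM arp_cache GROUP BY mac HAVING COUNT(mac) > 1;"
    ),
}


def build_db():
    """In-memory stand-in for the osquery tables, holding only the columns used."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE arp_cache (address TEXT, mac TEXT, interface TEXT);
        CREATE TABLE processes (pid INTEGER, name TEXT, on_disk INTEGER);
        CREATE TABLE listening_ports (pid INTEGER, port INTEGER, address TEXT);
    """)
    conn.executemany("INSERT INTO arp_cache VALUES (?, ?, ?)", ARP_CACHE)
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?)", PROCESSES)
    conn.executemany("INSERT INTO listening_ports VALUES (?, ?, ?)", LISTENING_PORTS)
    return conn


def run(conn, name):
    """Run one named query; return rows as dicts, the shape osqueryi --json gives."""
    cur = conn.execute(QUERIES[name])
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def schedule_config(interval=300):
    """osquery.conf 'schedule' block that runs each query every `interval` seconds."""
    return {"schedule": {n: {"query": q, "interval": interval} for n, q in QUERIES.items()}}


if __name__ == "__main__":
    db = build_db()
    for query_name in QUERIES:
        print(query_name, run(db, query_name))
    print(json.dumps(schedule_config(), indent=2))
```

Because the schedule entries carry the same SQL that was tested ad hoc, the ad-hoc and fleet-wide uses in the list above share one query text; when a scheduled query's result set changes between runs, osqueryd logs the added and removed rows, so a new MAC with two addresses or a new process with on_disk = 0 shows up as a differential log entry on the host where it happened.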
