osquery

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework.
Available for Linux, macOS, Windows, and FreeBSD.

Information and resources

Homepage: https://osquery.io
Downloads: https://osquery.io/downloads
Documentation: https://osquery.readthedocs.org
Stack Overflow: https://stackoverflow.com/questions/tagged/osquery
Table Schema: https://osquery.io/schema
Query Packs: https://osquery.io/packs
Slack:
Build Status:
CII Best Practices:

What is osquery?

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.

SQL tables are implemented via a simple plugin and extensions API. A variety of tables already exist and more are being written: https://osquery.io/schema. To best understand the expressiveness that is afforded to you by osquery, consider the following SQL queries:

List the users:

SELECT * FROM users;

Check the processes that have a deleted executable:

SELECT * FROM processes WHERE on_disk = 0;

Get the process name, port, and PID, for processes listening on all interfaces:

SELECT DISTINCT processes.name, listening_ports.port, processes.pid
  FROM listening_ports JOIN processes USING (pid)
  WHERE listening_ports.address = '0.0.0.0';

Find every macOS LaunchDaemon that launches an executable and keeps it running:

SELECT name, program || program_arguments AS executable
  FROM launchd
  WHERE (run_at_load = 1 AND keep_alive = 1)
  AND (program != '' OR program_arguments != '');

Check for ARP anomalies from the host's perspective:

SELECT address, mac, COUNT(mac) AS mac_count
  FROM arp_cache GROUP BY mac
  HAVING count(mac) > 1;

Alternatively, you could also use a SQL sub-query to accomplish the same result:

SELECT address, mac, mac_count
  FROM
    (SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac)
  WHERE mac_count > 1;

These queries can be:

performed on an ad-hoc basis to explore operating system state using the osqueryi shell
executed via a scheduler to monitor operating system state across a set of hosts
launched from custom applications using osquery Thrift APIs

Download & Install

To download the latest stable builds and for repository information and installation instructions visit https://osquery.io/downloads.

Build from source

Building osquery from source is encouraged! Check out our build guide. Also check out our contributing guide and join the community on Slack.

License

By contributing to osquery you agree that your contributions will be licensed as defined on the LICENSE file.

Vulnerabilities

We keep track of security announcements in our tagged version release notes on GitHub. We aggregate these into SECURITY.md too.

Learn more

The osquery documentation is available online. Documentation for older releases can be found by version number, as well.

If you're interested in learning more about osquery read the launch blog post for background on the project, visit the users guide.

Development and usage discussion is happening in the osquery Slack, grab an invite here!

Name	Latest commit message	Commit time
Failed to load latest commit information.
.github	First steps to remove the Buck build system (#6361 )	Apr 8, 2020
cmake	Drop the facebook and source_migration layers (#6473 )	Jun 1, 2020
docs	Update documentation to use 'allow list' and 'deny list' diction (#6489 )	Jun 6, 2020
external	CMake: Improvements to extensions support (#5970 )	Oct 31, 2019
libraries	Actually use the patched libelfin version (#6480 )	Jun 5, 2020
osquery	Update documentation to use 'allow list' and 'deny list' diction (#6489 )	Jun 6, 2020
packs	Update documentation to use 'allow list' and 'deny list' diction (#6489 )	Jun 6, 2020
plugins	Link librdkafka on windows (#6454 )	Jun 1, 2020
specs	Use 'denylist' instead of 'blacklist' in query scheduling (#6487 )	Jun 6, 2020
tests	Add validate_container_rows helper for integration tests (#6485 )	Jun 6, 2020
tools	Use 'denylist' instead of 'blacklist' in query scheduling (#6487 )	Jun 6, 2020
.artifactignore	Add sccache to the Windows job (#6231 )	Feb 6, 2020
.buckconfig	Move build system to BUCK	Dec 7, 2018
.clang-format	format: Remove Cpp restriction (#3521 )	Aug 2, 2017
.gitignore	First steps to remove the Buck build system (#6361 )	Apr 8, 2020
.gitmodules	libs: Update the bzip2 remote URL (#6296 )	Mar 12, 2020
.readthedocs.yml	docs: Update .readthedocs.yml to use version 2 (#6456 )	May 21, 2020
.watchmanconfig	watcher: Do not initialize the config in watcher (#3403 )	Jun 14, 2017
CHANGELOG.md	release: updating changelog for 4.3.0 release (#6387 )	Apr 14, 2020
CMakeLists.txt	Drop the facebook and source_migration layers (#6473 )	Jun 1, 2020
CODEOWNERS	Initial codeowners (#5603 )	Jun 26, 2019
CODE_OF_CONDUCT.md	Point CODE_OF_CONDUCT at osquery/foundation (#5721 )	Aug 27, 2019
CONTRIBUTING.md	Add the TSC to the contributing file (#6253 )	Feb 20, 2020
Doxyfile	Add clang-format rules from 3.6 (#2360 )	Aug 15, 2016
LICENSE	Clarify licensing (#4792 )	Aug 2, 2018
LICENSE-Apache-2.0	Clarify licensing (#4792 )	Aug 2, 2018
LICENSE-GPL-2.0	Clarify licensing (#4792 )	Aug 2, 2018
README.md	docs: Update .readthedocs.yml to use version 2 (#6456 )	May 21, 2020
SECURITY.md	docs: Update osquery security policy (#6425 )	May 9, 2020
SUPPORT.md	Improve SUPPORT.md (#4835 )	Aug 8, 2018
Vagrantfile	Prune Vagrant boxes and fix AWS support (#5819 )	Sep 22, 2019
azure-pipelines.yml	Implement container access from tables on Linux	Apr 20, 2020
mkdocs.yml	docs: Update .readthedocs.yml to use version 2 (#6456 )	May 21, 2020

osquery / osquery

Join GitHub today

Clone with HTTPS

Downloading

Launching GitHub Desktop

Launching GitHub Desktop

Launching Xcode

Launching Visual Studio

Latest commit

Files

README.md