osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework.
Available for Linux, macOS, Windows, and FreeBSD.
Information and resources
osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.
SQL tables are implemented via a simple plugin and extensions API. A variety of tables already exist and more are being written: https://osquery.io/schema. To best understand the expressiveness that is afforded to you by osquery, consider the following SQL queries:
SELECT * FROM users;
processes that have a deleted executable:
SELECT * FROM processes WHERE on_disk = 0;
Get the process name, port, and PID, for processes listening on all interfaces:
SELECT DISTINCT processes.name, listening_ports.port, processes.pid FROM listening_ports JOIN processes USING (pid) WHERE listening_ports.address = '0.0.0.0';
Find every macOS LaunchDaemon that launches an executable and keeps it running:
SELECT name, program || program_arguments AS executable FROM launchd WHERE (run_at_load = 1 AND keep_alive = 1) AND (program != '' OR program_arguments != '');
Check for ARP anomalies from the host's perspective:
SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac HAVING count(mac) > 1;
Alternatively, you could also use a SQL sub-query to accomplish the same result:
SELECT address, mac, mac_count FROM SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac) (WHERE mac_count > 1;
These queries can be:
To download the latest stable builds and for repository information and installation instructions visit https://osquery.io/downloads.
Building osquery from source is encouraged! Check out our build guide. Also check out our contributing guide and join the community on Slack.
By contributing to osquery you agree that your contributions will be licensed as defined on the LICENSE file.
We keep track of security announcements in our tagged version release notes on GitHub. We aggregate these into SECURITY.md too.
Facebook has a bug bounty program that includes osquery. If you find a security vulnerability in osquery, please submit it via the process outlined on that page and do not file a public issue. For more information on finding vulnerabilities in osquery, see our blog post Bug Hunting osquery.
The osquery documentation is available online. Documentation for older releases can be found by version number, as well.
If you're interested in learning more about osquery read the launch blog post for background on the project, visit the users guide.
Development and usage discussion is happening in the osquery Slack, grab an invite here!