It’s installed on every laptop (Chromebooks and MacBooks), and I believe on every EC2 instance, and they have nothing but good things to say about it. We did have to come up with an aggregator solution for storing the results of the queries, but I’m under the impression that it wasn’t too big of a lift.
https://www.linuxfoundation.org/press-release/2019/06/the-li...
We have been a big part of the Osquery community for a while and we think it's an awesome project that can be used to get an insane level of visibility across your fleet. We also think in the context of rolling this out to end-users, companies need to really consider the privacy implications of the data Osquery is capable of collecting.
To that end, we soft-launched a product in May that helps fast growing tech companies use tools like Osquery to implement something called User Focused Security. User Focused Security involves treating employees like adults and understanding the context in which they work before rolling out a security strategy.
We want to be the best choice for organizations that want to get serious about the security of their laptops but don't want to lock down devices, violate their users' privacy, or hurt their internal culture with opaque surveillance.
The three values that we use to build our software:
1. User Education over Enforcement
2. Trust through Transparency
3. Quality conclusions over Quantity of data
We use Osquery because it helps us fulfill that second value by giving end-users visibility into what is running on their device.
If your team uses Slack and wants to see our approach you should check us out at https://kolide.com
CMake, clang-format, watchman
The code looks beautiful, example: https://github.com/osquery/osquery/blob/master/osquery/files...
> https://github.com/osquery/osquery/blob/master/LICENSE
> If you're using osquery you are free to choose one of the provided licenses.
If GPLv2 is optional, then why have it at all? (To give the user flexibility, since GPLv2 isn't forward compatible from Apache2)
A simpler license w/ a separate patent exception would give the user choice, a forker could "upcast" to any forward-compatible license.
There is apparently a standard[2] for exposing operating system objects into a schema that can have a standard query.
I don't think I've ever seen any common monitoring projects built using WMI/WBEM at their core ...
[1]: https://docs.microsoft.com/en-us/windows/win32/wmisdk/about-...
[2]: https://stackoverflow.com/questions/921617/is-there-somethin...
I've used osquery a few times on my personal laptop (this post reminds me to try to get the company I work in to adopt it!) and for me it was one of the bigger inspirations for creating OctoSQL[1] as a means for such tools to interoperate.
It is just plausible enough to be imaginable. Everything is a table! Write applications using only SQL statements!
The olde PalmOS had databases as primary storage. Though databases seem to have had capacity for blobs, since apps themselves were stored that way, aside from text files, images and whatnot.
In fact, afaik some mainframe OSes were built around databases.
>WinFS includes a relational database for storage of information, and allows any type of information to be stored in it, provided there is a well defined schema for the type. Individual data items could then be related together by relationships, which are either inferred by the system based on certain attributes or explicitly stated by the user. As the data has a well defined schema, any application can reuse the data; and using the relationships, related data can be effectively organized as well as retrieved. Because the system knows the structure and intent of the information, it can be used to make complex queries that enable advanced searching through the data and aggregating various data items by exploiting the relationships between them.
From what I heard, it was slow, and devs just were not that interested in some clean schema based interface because it complicated their ability to ship; interesting that the modern approach seems to also favor schema on write.
The AS/400 operating system had SQL as a key part of the core functionality.
So there is that.
I'm currently in a situation in which I'd love to use osquery, which is why I tried it out a few months ago.
Sadly, there wasn't any inbuilt multi-node/cluster functionality to speak of.
I gave up on it as its utility is pretty low if you're constrained to localhost queries... And the third party "cluster" tools looked pretty barebones and seemed a hassle to set up. And not even really useful, as they just enable you to execute queries on several nodes.
I would want to do queries across servers. (I.e. select load,uptime, hostname where servertype "worker" and kernelversion "3.4")
There was very little value for me beyond what I could already get with an ad hoc Ansible task on my servers.
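A minimal "aggregator" of the kind the comments above wish for, added here as an example (not code from the thread or from osquery): per-host `osqueryi --json` results are loaded into one SQLite database so the cross-server question can be asked in plain SQL. `kernel_info.version` and `uptime.total_seconds` are real osquery columns; the host inventory, the `servertype` label and the result rows are constructed.

```python
import sqlite3

# Constructed: what `osqueryi --json "SELECT version FROM kernel_info"` and
# `osqueryi --json "SELECT total_seconds FROM uptime"` returned on each host.
# servertype comes from an inventory, not from osquery (osquery has no such table).
HOST_RESULTS = {
    "web-1":    {"servertype": "web",    "kernel_info": [{"version": "5.4.0-88-generic"}], "uptime": [{"total_seconds": "86400"}]},
    "worker-1": {"servertype": "worker", "kernel_info": [{"version": "3.4.113"}],          "uptime": [{"total_seconds": "3600"}]},
    "worker-2": {"servertype": "worker", "kernel_info": [{"version": "5.4.0-88-generic"}], "uptime": [{"total_seconds": "7200"}]},
    "worker-3": {"servertype": "worker", "kernel_info": [{"version": "3.4.113"}],          "uptime": [{"total_seconds": "900"}]},
}

def build_fleet_db(host_results: dict) -> sqlite3.Connection:
    """Load every host's rows into one table per osquery table, keyed by hostname."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hosts (hostname TEXT PRIMARY KEY, servertype TEXT)")
    db.execute("CREATE TABLE kernel_info (hostname TEXT, version TEXT)")
    db.execute("CREATE TABLE uptime (hostname TEXT, total_seconds INTEGER)")
    for host, res in host_results.items():
        db.execute("INSERT INTO hosts VALUES (?, ?)", (host, res["servertype"]))
        for row in res["kernel_info"]:
            db.execute("INSERT INTO kernel_info VALUES (?, ?)", (host, row["version"]))
        for row in res["uptime"]:
            # osqueryi emits every value as a string; cast once on load so SQL can sort it
            db.execute("INSERT INTO uptime VALUES (?, ?)", (host, int(row["total_seconds"])))
    return db

def workers_on_kernel(db: sqlite3.Connection, major_minor: str) -> list:
    """The cross-host query from the comment: uptime of workers on a given kernel line."""
    sql = """
        SELECT h.hostname, k.version, u.total_seconds
        FROM hosts h
        JOIN kernel_info k USING (hostname)
        JOIN uptime u USING (hostname)
        WHERE h.servertype = 'worker' AND k.version LIKE ? || '.%'
        ORDER BY u.total_seconds DESC"""
    return db.execute(sql, (major_minor,)).fetchall()

if __name__ == "__main__":
    for row in workers_on_kernel(build_fleet_db(HOST_RESULTS), "3.4"):
        print(row)
```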
- https://github.com/kolide/fleet
- https://github.com/mwielgoszewski/doorman
- https://github.com/zentralopensource/zentral
Then there are a few freemium:
- https://www.zercurity.com/ (Shameless plug - free for as long as you like)
- https://kolide.com/ (Though no SQL interface anymore)
- https://www.uptycs.com/ (Free trial)
Hope that helps. I'm sure there are a few others.
However compared to a central metric system that can aggregate metrics across all the hosts, its use quickly becomes less important.
Also there are some CPU considerations, as OSQuery is not as lightweight as other metrics gathering tools. Several times I've run into OSQuery interfering with the actual application, competing for resources. So if you do run it, make sure to renice it to mitigate this, especially if you're running time-sensitive apps like video/audio.
I'd like something that integrates canned DTrace/eBPF scripts, along with authorization (some canned scripts might leak sensitive data). Really, a bit of an idempotent, extensible, remote OS observability protocol.
Thought of writing such a util myself, actually, though not with SQL.
My other use case is netstat working differently on Linux and macOS, so I alias an osqueryi command on macOS to show me which process opens which port.
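The "which process opens which port" query behind such an alias, added here as an example (not code from the commenter or from osquery): it runs through `osqueryi --json` where osqueryi is installed and parses the result, keeping only listeners bound to every interface. `processes` and `listening_ports` are real osquery tables; the sample rows are constructed.

```python
# processes/listening_ports are real osquery tables; SAMPLE_ROWS is constructed.
import json
import shutil
import subprocess

# Same query on Linux and macOS: join listening sockets to their owning process.
LISTENERS_SQL = (
    "SELECT p.pid, p.name, p.path, lp.port, lp.protocol, lp.address "
    "FROM listening_ports lp JOIN processes p USING (pid) "
    "WHERE lp.port != 0 ORDER BY lp.port;"
)

def run_osqueryi(sql: str) -> list:
    """Run a query through a local osqueryi and return its rows (--json output)."""
    if shutil.which("osqueryi") is None:
        raise FileNotFoundError("osqueryi is not installed")
    out = subprocess.run(["osqueryi", "--json", sql], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)

def exposed_listeners(rows: list) -> dict:
    """Group rows by (pid, name), keeping only sockets bound to all interfaces.
    osqueryi emits every column as a string; protocol is the IP protocol number."""
    exposed = {}
    for r in rows:
        if r["address"] not in ("0.0.0.0", "::"):
            continue
        proto = {6: "tcp", 17: "udp"}.get(int(r["protocol"]), r["protocol"])
        entry = f"{proto}/{int(r['port'])}"
        ports = exposed.setdefault((int(r["pid"]), r["name"]), [])
        if entry not in ports:  # same port on IPv4 and IPv6 is one finding
            ports.append(entry)
    return exposed

# Constructed sample of what `osqueryi --json "<LISTENERS_SQL>"` returns.
SAMPLE_ROWS = json.loads("""[
 {"pid":"412","name":"sshd","path":"/usr/sbin/sshd","port":"22","protocol":"6","address":"0.0.0.0"},
 {"pid":"412","name":"sshd","path":"/usr/sbin/sshd","port":"22","protocol":"6","address":"::"},
 {"pid":"880","name":"postgres","path":"/usr/lib/postgresql/12/bin/postgres","port":"5432","protocol":"6","address":"127.0.0.1"},
 {"pid":"1203","name":"node","path":"/usr/local/bin/node","port":"3000","protocol":"6","address":"0.0.0.0"},
 {"pid":"310","name":"chronyd","path":"/usr/sbin/chronyd","port":"323","protocol":"17","address":"127.0.0.1"}
]""")

if __name__ == "__main__":
    rows = run_osqueryi(LISTENERS_SQL) if shutil.which("osqueryi") else SAMPLE_ROWS
    for (pid, name), ports in sorted(exposed_listeners(rows).items()):
        print(f"{pid:>6} {name:<12} {' '.join(ports)}")
```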
It sounds like a really interesting idea to me.
I was disappointed that Microsoft's attempt at a relational database (was it WinFS?) failed. Not that I use Windows, but it also seemed to kill the open source attempts at doing something similar.