[MacTUG] OSQuery: Explore your OS with SQL
Mike Patterson
mpatterson at uwaterloo.ca
Tue Jul 28 10:32:58 EDT 2015
OSQuery is gaining vogue in the incident response community, although those communities always seem to assume that the incident responder is part of a single organisation which has complete control over servers and client endpoints, so I've been reluctant to spend precious free time on it.
I'd be *very* interested in hearing about the experiences of anybody here who does shake loose some round tuits though!
Mike
--
Believe those who are seeking the truth. Doubt those who find it.
- Andre Gide
> On Jul 28, 2015, at 10:10 AM, Marlon A. Griffith <m3griffi at uwaterloo.ca> wrote:
>
> """
> I wonât regurgitate their announcement post â for implementation details see there. In a nutshell, OSQuery pretends to be a relational database and contains some âtablesâ (tables in quotes because they donât actually exist as tables youâre used to in, for example, MySQL) which expose the OS data in a manner that makes it queryable by SQL statements (yes, including joins and the whole lot!).
>
> If you ever ran into a situation where you couldnât run Apache because a port was already taken and you had to go and grep the process list, only to find out a dead instance of Skype is hogging port 80, youâll know to appreciate the simplicity of OSQuery.
>
> OSQuery works on CentOS, Ubuntu, and OS X, thus supporting your production servers, your development playbox, and the operating systems of any other machine you have access to, like your childrenâs or your employeesâs â allowing you to use it to monitor the OS status of your entire ecosystem. Itâs fully open source, and thereâs even a guide on creating your own tables, in case some are missing and you need them. The team is adding new tables regularly, so even if you donât feel like contributing but still want to use some missing ones, thereâs a high chance theyâll pop up if you give it some time.
>
> The software is installed via (currently) self-built packages for all supported operating systems, and comes with osqueryi â an interactive console for playing around with the queries â and osqueryd â a daemon you can schedule to run regularly and aggregate data across monitored machines, for example. The documentation is very good, so conquering every aspect of OSQuery is as simple as dedicating an afternoon to it.
>
> http://www.sitepoint.com/osquery-explore-os-sql/
> """
>
> mac os x
> _______________________________________________
> MacTUG mailing list
> MacTUG at lists.uwaterloo.ca
> https://lists.uwaterloo.ca/mailman/listinfo/mactug
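The port-80 scenario from the quoted article, written out as the osquery SQL you would type into osqueryi (an added example, not from the article or either list poster). It assumes the listening_ports, processes and users tables that ship with osquery, and that listening_ports.protocol holds the IANA protocol number (6 for TCP).

```sql
-- Which process owns TCP port 80?  Instead of grepping netstat and ps
-- output separately, join osquery's listening_ports table to processes
-- on the pid, and to users on the uid so the owning account is readable
-- in the same row.  Run this in osqueryi, or schedule it in osqueryd to
-- spot unexpected listeners across a fleet.
SELECT
  lp.port,
  lp.address,          -- bound address (0.0.0.0 / :: means all interfaces)
  p.pid,
  p.name,              -- e.g. httpd, or the stale Skype from the article
  p.path,              -- binary on disk, useful when the name is misleading
  p.cmdline,
  u.username
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
LEFT JOIN users AS u ON u.uid = p.uid
WHERE lp.port = 80
  AND lp.protocol = 6; -- 6 = TCP, 17 = UDP
```

Dropping the WHERE clause gives a full inventory of listening sockets and their owners, which is the baseline you would compare against when a new port appears.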