Our security team uses this, we’re about 1500 employees. However, I believe they opted to use a fork over this linked version, citing (IIRC) that Facebook’s roadmap for this project was a little bit too unpredictable, and that they weren’t responsive to PRs and community requests. I think we went with <a href="https://github.com/osql/osql" rel="nofollow">https://github.com/osql/osql</a>.<p>It’s installed on every laptop (Chromebooks and MacBooks), and I <i>believe</i> on every EC2 instance, and they have nothing but good things to say about it. We did have to come up with an aggregator solution for storing the results of the queries, but I’m under the impression that it wasn’t too big of a lift.
Kolide's CEO here! (<a href="https://kolide.com" rel="nofollow">https://kolide.com</a>)<p>We have been a big part of the Osquery community for a while and we think it's an awesome project that can be used to get an insane level of visibility across your fleet. We also think in the context of rolling this out to end-users, companies need to really consider the privacy implications of the data Osquery is capable of collecting.<p>To that end, we soft-launched a product in May that helps fast-growing tech companies use tools like Osquery to implement something called User Focused Security. User Focused Security involves treating employees like adults and understanding the context in which they work before rolling out a security strategy.<p>We want to be the best choice for organizations that want to get serious about the security of their laptops but don't want to lock down devices, violate their users' privacy, or hurt their internal culture with opaque surveillance.<p>The three values that we use to build our software:<p>1. User Education over Enforcement<p>2. Trust through Transparency<p>3. Quality conclusions over Quantity of data<p>We use Osquery because it helps us fulfill that second value by giving end-users visibility into what is running on their device.<p>If your team uses Slack and wants to see our approach, you should check us out at <a href="https://kolide.com" rel="nofollow">https://kolide.com</a>
Amazing<p>CMake, clang-format, watchman<p>The code looks beautiful, example: <a href="https://github.com/osquery/osquery/blob/master/osquery/filesystem/posix/fileops.cpp" rel="nofollow">https://github.com/osquery/osquery/blob/master/osquery/files...</a><p>> <a href="https://github.com/osquery/osquery/blob/master/LICENSE" rel="nofollow">https://github.com/osquery/osquery/blob/master/LICENSE</a>
> If you're using osquery you are free to choose one of the provided licenses.<p>If GPLv2 is optional, then why have it at all? (To give the user flexibility since GPLv2 isn't forward compatible from Apache2)<p>A simpler license w/ a separate patent exception would give the user choice, a forker could "upcast" to any forward-compatible license.
Something like this already exists for Windows[1]<p>There is apparently a standard[2] for exposing operating system objects into a schema that can have a standard query.<p>I don't think I've ever seen any common monitoring projects built using WMI/WBEM at their core ...<p>[1]: <a href="https://docs.microsoft.com/en-us/windows/win32/wmisdk/about-wmi" rel="nofollow">https://docs.microsoft.com/en-us/windows/win32/wmisdk/about-...</a><p>[2]: <a href="https://stackoverflow.com/questions/921617/is-there-something-like-wmi-for-linux" rel="nofollow">https://stackoverflow.com/questions/921617/is-there-somethin...</a>
I love the idea of providing various functionality under a SQL interface. Sure, sometimes it doesn't fit, but overall it's one of the better lowest common denominators I've met so far.<p>I've used osquery a few times on my personal laptop (this post reminds me to try to get the company I work in to adopt it!) and for me it was one of the bigger inspirations for creating OctoSQL[1] as a means for such tools to interoperate.<p>[1]: <a href="https://github.com/cube2222/octosql/" rel="nofollow">https://github.com/cube2222/octosql/</a>
Am I the only person who read "SQL-powered operating system"?<p>It is just plausible enough to be imaginable. Everything is a table! Write applications using only SQL statements!
I still remember the initial announcement of this years ago... I wasn't able to use it back then but saved it for later.<p>I'm currently in a situation in which I'd love to use osquery, which is why I tried it out a few months ago.<p>Sadly, there wasn't any inbuilt multi-node/cluster functionality to speak of.<p>I gave up on it as its utility is pretty low if you're constrained to localhost queries... And the third party "cluster" tools looked pretty barebones and seemed a hassle to set up. And not even really useful, as they just enable you to execute queries on several nodes.<p>I would want to do queries across servers. (I.e. select load,uptime, hostname where servertype "worker" and kernelversion "3.4")<p>There was very little value for me which I could already get with an ad hoc Ansible task on my servers
OSQuery is pretty powerful and the SQL-like query makes it easier to correlate various system metrics in 1 step.<p>However, compared to a central metric system that can aggregate metrics across all the hosts, its use quickly becomes less important.<p>Also there are some CPU considerations, as OSQuery is not as lightweight as other metrics-gathering tools. Several times I've run into OSQuery interfering with the actual application, competing for resources. So if you do run it, make sure to renice it to mitigate this, especially if you're running time-sensitive apps like video/audio.
WBEM/WMI/CIM[0] exist already.<p>I'd like something that integrates canned DTrace/eBPF scripts, along with authorization (some canned scripts might leak sensitive data). Really, a bit of an idempotent, extensible, remote OS observability protocol.<p>[0] <a href="https://en.wikipedia.org/wiki/Windows_Management_Instrumentation" rel="nofollow">https://en.wikipedia.org/wiki/Windows_Management_Instrumenta...</a>
The Linux kernel already has a pretty good API available via file nodes. And there are other lightweight tools to gather and parse information. Not sure I understand the benefits of exposing it through SQL, but I know some people are obsessed with SQL.