Osquery: Expose the operating system as a relational database

533 pointsby jamesgpearceover 10 years ago

42 comments

ibdknoxover 10 years ago

This is really interesting and very cool to see. The approach we're taking with Eve (gory details at [1]) is that you can treat everything as relational and doing so provides lots of benefits. One thing that wasn't clear though, was how you extend that notion down into the OS-level for both performance and semantic reasons. It's encouraging to see someone with requirements as deep as facebook's find that this strategy works in that context.The next step would be manipulating the OS as relations. E.g. an insert into the process table allows you to actually spawn a process. It would start to get really interesting from there...[1]: <a href="http://incidentalcomplexity.com/2014/10/16/retrospective/" rel="nofollow">http://incidentalcomplexity.com/2014/10/16/retrospective/</a>

评论 #8528976 未加载

评论 #8529285 未加载

评论 #8529583 未加载

评论 #8531550 未加载

zwischenzugover 10 years ago

Available as a docker image:<pre><code> docker run -t -i imiell/osquery /bin/bash root@81fbc2076e1c/# osqueryi ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ osquery - being built, with love, at Facebook ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Connected to a transient in-memory database. Use ".open FILENAME" to reopen on a persistent database. osquery> select * from processes; +----------+-------------------------+-----------+-------+---------+------------+---------------+----------------+-----------+-------------+------------+--------+ | name | path | cmdline | pid | on_disk | wired_size | resident_size | phys_footprint | user_time | system_time | start_time | parent | +----------+-------------------------+-----------+-------+---------+------------+---------------+----------------+-----------+-------------+------------+--------+ | bash | | /bin/bash | 1 | -1 | | 1764 | 18276 | 17 | 18 | 95476444 | 0 | | osqueryi | /usr/local/bin/osqueryi | osqueryi | 19380 | 1 | | 4312 | 110652 | 225 | 327 | 96321589 | 1 | +----------+-------------------------+-----------+-------+---------+------------+---------------+----------------+-----------+-------------+------------+--------+ osquery></code></pre>

评论 #8530664 未加载

评论 #8530581 未加载

MrBuddyCasinoover 10 years ago

Cool, so basically it brings something like WQL to nix, because this is something that exists in Windows already:<pre><code> SELECT * FROM Win32_LogicalDisk WHERE FreeSpace < 2097152</code></pre>

评论 #8528698 未加载

评论 #8529252 未加载

peterwwillisover 10 years ago

It's hard for me to grok this project's design goals. I mean, the basic idea is simple enough to understand: I want to run SQL queries on metadata about my hosts. I've built and run several different iterations of that same idea, but they didn't require thousands of lines of C++.The usual implementation is simple: take any host monitor (say, collectd) that can export key/value pairs from a host, or take a log stream over the network and pair it with a host monitor/log scraper to create key/value pairs. Then insert into an SQL engine while appending to a log for a historical record (or PTA/PITR/whatever, i'm not a DBA). Separately you can create a database application to query/modify the database as needed.But we're talking like, a handful of python scripts that don't ever change except to add new search features. This seems like a big departure from the simplicity of that approach. Am I missing something?

评论 #8530250 未加载

gooseyardover 10 years ago

Akamai has been using a system like this since 1999 or so, nicely documented in this presentation to LISA some years ago:<a href="http://www.akamai.com/dl/technical_publications/lisa_2010.pdf" rel="nofollow">http://www.akamai.com/dl/technical_publications/lisa_2010.pd...</a>

asbover 10 years ago

There was a paper at EuroSys this year "Relational access to Unix kernel data structures" which seems to attempt to offer similar functionality. A comparison between the two would be interesting.HTML version of the paper here: <a href="http://www.dmst.aueb.gr/dds/pubs/conf/2014-EuroSys-PicoQL-kernel/html/FSLB14.html" rel="nofollow">http://www.dmst.aueb.gr/dds/pubs/conf/2014-EuroSys-PicoQL-ke...</a> Paywalled version: <a href="http://dl.acm.org/citation.cfm?id=2592802" rel="nofollow">http://dl.acm.org/citation.cfm?id=2592802</a>

mapleoinover 10 years ago

Welcome to 2014 where cross-platform means "Ubuntu, CentOS and Mac OS X".

评论 #8529080 未加载

评论 #8529307 未加载

评论 #8532035 未加载

评论 #8529126 未加载

gtrubetskoyover 10 years ago

This is not exactly same, but similar in some ways to IBM's S/38, OS/400 or whatever they call it now... In this OS (and last I touched it was 15 years ago, so things may have changed) there were no "files" - everything was a database table, and that was the only way you could store anything and it was how you for the most part interoperated with the system, i.e. the OS was essentially a relational DB. <a href="http://en.wikipedia.org/wiki/IBM_i" rel="nofollow">http://en.wikipedia.org/wiki/IBM_i</a>

sanjover 10 years ago

This reminds of a old project to kill daemons with a shotgun: <a href="http://www.cs.unm.edu/~dlchao/flake/doom/" rel="nofollow">http://www.cs.unm.edu/~dlchao/flake/doom/</a>

评论 #8533410 未加载

pothiboover 10 years ago

This is quite cool. I'm installing it right now on my system.From the wiki, it says it will soon be available on homebrew as well.<a href="https://github.com/facebook/osquery/wiki/install-os-x" rel="nofollow">https://github.com/facebook/osquery/wiki/install-os-x</a>

评论 #8528880 未加载

tdicolaover 10 years ago

Are there instructions how to build it? I'm looking around the github page and don't see anything like what depedencies it needs, what infrastructure it uses (looks like CMake?), etc. It's cool to distribute it as a vagrant source, but I'd like to compile and run this on a Raspberry Pi which doesn't run Vagrant. Supplying some basic how to build instructions would really help.

评论 #8530471 未加载

sehropeover 10 years ago

This is pretty neat. I'm a big fan of SQL in general and being able to query system stats like this feels pretty natural to me.A long time back I created something similar to this atop Oracle[1]. It used a Java function calling out to system functions to get similar data sets (I/O usage, memory usage, etc). It was definitely a hack, but a really pleasant one to use.Be cool to see an foreign data wrapper for PostgreSQL[2] that exposes similar functionality. I'm guessing it'd be pretty easy to put together as you'd only need to expose the data sets themselves as set returning functions. PostgreSQL would handle the rest. Though I guess that would limit it's usefulness to servers that have PG already installed. Having it be separate like this let's you drop it on any server (looks like it's cross platform too!).[1]: I don't remember exactly when but I think 10g had just been released.[2]: <a href="http://www.postgresql.org/docs/9.3/static/postgres-fdw.html" rel="nofollow">http://www.postgresql.org/docs/9.3/static/postgres-fdw.html</a>

评论 #8529071 未加载

dougabugover 10 years ago

After a lost decade of misplaced vitriol directed at relational models and SQL, I'm personally heartened to see a trend back to human readable query languages over rpc as an interface, sensible representation of information in relational form suitable for ad hoc queries/discovery versus complex implementation-dependent deep hierarchy spaghetti.

thibautsover 10 years ago

That's a very good candidate for a postgres FDW ...<a href="https://wiki.postgresql.org/wiki/Foreign_data_wrappers" rel="nofollow">https://wiki.postgresql.org/wiki/Foreign_data_wrappers</a>

评论 #8532640 未加载

zobzuover 10 years ago

Google has GRR and Mozilla has MIG (<a href="http://mig.mozilla.org/" rel="nofollow">http://mig.mozilla.org/</a>)I think its interesting to see that MIG is in Go and thus cross platform "by default". It also seems to be more privacy-compliant.osquery's SQL is sexy however.That said I'm also wary of a single piece of software that basically give you control over absolutely everything (control everyones laptop, etc. silently and quickly. Thats the best rootkit ever. You wont even detect if its being compromised because its a trusted piece of the OS!)

评论 #8530944 未加载

Pxtlover 10 years ago

I just wish there were better relational languages than SQL for accessing/manipulating this stuff. Relational logic is great. SQL is... okay.

评论 #8529996 未加载

adlover 10 years ago

I build the .deb for Ubuntu 14.10 (downloaded the project, the Vagrant image, etc, the works. 1.1GB in total according to du -h)It's here if anyone wants to try it: osquery-0.0.1-trusty.amd64.deb (11 MB)<a href="https://drive.google.com/file/d/0B3ROVJqBXqYAOVNTTkhqQzNUa0k/view?usp=sharing" rel="nofollow">https://drive.google.com/file/d/0B3ROVJqBXqYAOVNTTkhqQzNUa0k...</a>

chacham15over 10 years ago

Is it possible to create triggers with this kind of emulated database? E.g. Insert a row into the notifications tablewhen free space drops below 10% or to use their example when SELECT name, path, pid FROM processes WHERE on_disk = 0 actually returns a row.

评论 #8530370 未加载

rdtscover 10 years ago

Any relationship or inspiration from BeOS's file system?<a href="http://en.wikipedia.org/wiki/Be_File_System" rel="nofollow">http://en.wikipedia.org/wiki/Be_File_System</a>I remember from back in the day that was one of the really cool feature of Be.

mongolover 10 years ago

Something similar using SQLite virtual tables and the proc filesystem <a href="https://github.com/claes/osql" rel="nofollow">https://github.com/claes/osql</a>

gdulliover 10 years ago

I'd like to try this out but is there a way to install it that's as simple as all of the other Linux software I've ever installed before, and doesn't require installing vagrant, installing virtualbox, downloading an ubuntu image, creating a whole VM (which failed) so I can then make a package I can install? I can usually try these things out without making a whole thing of it.

评论 #8529426 未加载

godisdadover 10 years ago

Nifty, but not incredibly novel. SQLite's VFSes have been around for some time, albeit in smaller breadth and scope. I think one thing this kind of glosses over is the notion of transactions, what if load/fs contents change between independent parts of your query, are they memoized, recomputed, etc?Having said all that I'm going to install it and try it out because it's new and shiny.

ameliusover 10 years ago

Wouldn't it be cool if there were a library that could build relational APIs for any problem (including an optimizing SQL compiler)...

eliover 10 years ago

Reminds me of LogParser, a funky Microsoft tool that let you run queries against log files, directories, the registry, etc. I think it was a skunkworks project. Apparently still exists: <a href="http://www.microsoft.com/en-us/download/details.aspx?id=24659" rel="nofollow">http://www.microsoft.com/en-us/download/details.aspx?id=2465...</a>

brianpgordonover 10 years ago

This is neat, but why is Facebook making it? I may be too used to working at startups, but it seems to me that "look Mom, SQL!" isn't nearly worth the cost of the engineer hours it must have taken to bring this project to maturity.I guess it does buy community goodwill to throw handfuls of money off the Facebook float...

评论 #8530346 未加载

评论 #8530337 未加载

评论 #8530604 未加载

gluczywoover 10 years ago

This is excellent idea. While I try to avoid unnecessary abstractions (yes, I'm looking at you docker), having a consistent cross-platform and familiar API for OS instrumentation seems like a big boon. At low complexity cost there is a chance to offload admin memory from idiosyncrasies of OS monitoring details.

annnndover 10 years ago

Looks nice! That said, SQL in this case is just a way to look at data. Given that most network devices (and printers and UPSs and ...) in existence use SNMP, it would be nice to have an (SQL?) engine which would query devices via SNMP in background... If I understand correctly, this solution is tied to servers only.

spo81rtyover 10 years ago

I wish something like this shipped with every version of linux just like WMI does on Windows. This is awesome to see.

karavelovover 10 years ago

There is something similar in aws. The main difference is that it is distributed and can query and aggregate across clusters of thousands machines. Also I think it is not built on sqlite but implements new db engine.

jacquesmover 10 years ago

Is this reading os datastructures synchronously or asynchronously?

stefanobaghinoover 10 years ago

Brilliant idea, this can easily expose metrics in interesting ways to a whole lot of people who happen to know SQL better than the /proc filesystem.

njxover 10 years ago

Where are the JDBC drivers?you could then deploy these frameworks on a bunch of servers and a external monitor can independently query via SQL "How u doing;"

mixedbitover 10 years ago

A system with SQL interface != a relational database

评论 #8529412 未加载

falcolasover 10 years ago

You know, this wouldn't be too hard to implement as a storage engine for MySQL... What an intriguing idea.

评论 #8528928 未加载

评论 #8529047 未加载

评论 #8528940 未加载

politicianover 10 years ago

Would've preferred to see the from-where-select style rather than the normal way of writing SQL.

elwellover 10 years ago

Great, so now we can have SQL Injection at the OS level./sarcasm/

pronover 10 years ago

Nice! Can we have a JDBC driver for this?

评论 #8529463 未加载

评论 #8530399 未加载

avifreedmanover 10 years ago

marpaia, Did you consider using OpenTSDB?At CloudHelix, we did a Postgres FDW to OpenTSDB, which gives a time dimension as well.That was an issue at Akamai - how to get historic as well as realtime with Akamai's Query system ([WARNING: PDF direct download] <a href="http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CCAQFjAA&url=http%3A%2F%2Fwww.akamai.com%2Fdl%2Ftechnical_publications%2Flisa_2010.pdf&ei=1JVRVP6FJdj6oQT544GYBQ&usg=AFQjCNHZe0KJLDl4e8t3mY_-SnaC8umDwg&bvm=bv.78597519,d.cGU" rel="nofollow">http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd...</a>)Interesting stuff though! Maybe a FDW could connect Postgres to osquery, which could allow joining with local tables or other FDW-accessible data.The FDW approach to OpenTSDB looks like:select to_timestamp(atime::float), value, hstore(regexp_split_to_array(tags, ',')) as hs from chf_realtime where i_start_time >= now() - interval'1 min' and agg = 'sum' and metric = 'df.bytes.percentused' and tags = 'host=*,mount=/|/data|/ssd' ; to_timestamp | value | hs ------------------------+-------+--------------------------------------------------------- 2014-10-30 01:15:33+00 | 84 | "host"=>"XY4.iad1", "mount"=>"/", "fstype"=>"xfs" 2014-10-30 01:16:33+00 | 84 | "host"=>"XY4.iad1", "mount"=>"/", "fstype"=>"xfs" 2014-10-30 01:15:33+00 | 9 | "host"=>"XY.iad1", "mount"=>"/data", "fstype"=>"btrfs" 2014-10-30 01:16:33+00 | 9 | "host"=>"XY.iad1", "mount"=>"/data", "fstype"=>"btrfs" 2014-10-30 01:15:33+00 | 49 | "host"=>"XY.iad1", "mount"=>"/ssd", "fstype"=>"btrfs" 2014-10-30 01:16:33+00 | 49 | "host"=>"XY.iad1", "mount"=>"/ssd", "fstype"=>"btrfs" 2014-10-30 01:14:55+00 | 63 | "host"=>"XY.iad1", "mount"=>"/", "fstype"=>"xfs" 2014-10-30 01:15:55+00 | 63 | "host"=>"XY.iad1", "mount"=>"/", "fstype"=>"xfs" 2014-10-30 01:14:55+00 | 1 | "host"=>"XY.iad1", "mount"=>"/data", "fstype"=>"btrfs" 2014-10-30 01:15:55+00 | 21 | "host"=>"XY.iad1", "mount"=>"/ssd", "fstype"=>"xfs" 2014-10-30 01:14:55+00 | 21 | "host"=>"XY.iad1", "mount"=>"/ssd", "fstype"=>"xfs" 2014-10-30 01:15:50+00 | 63 | "host"=>"XY.iad1", "mount"=>"/", "fstype"=>"xfs" 2014-10-30 01:15:50+00 | 8 | "host"=>"XY.iad1", "mount"=>"/ssd", "fstype"=>"btrfs" 2014-10-30 01:14:56+00 | 89 | "host"=>"XY.iad1", "mount"=>"/", "fstype"=>"xfs" 2014-10-30 01:15:56+00 | 89 | "host"=>"XY.iad1", "mount"=>"/", "fstype"=>"xfs" 2014-10-30 01:14:56+00 | 55 | "host"=>"XY.iad1", "mount"=>"/ssd", "fstype"=>"xfs" 2014-10-30 01:15:56+00 | 55 | "host"=>"XY.iad1", "mount"=>"/ssd", "fstype"=>"xfs" (17 rows)

评论 #8531002 未加载

peetleover 10 years ago

Hey? LINQ? What?

innguestover 10 years ago

The original wiki had much to say, over its many discussions, about TOP - table-oriented programming.Today we know via Category Theory that tables are Turing complete and are actually quite synonymous with CT itself.In other words, thinking of computation in terms of tables with rows and columns and relationships between tables is an interesting and promising (given CT) approach to computing that has been discussed in the past but then left largely unexplored.

评论 #8530464 未加载

rpm33over 10 years ago

This is amazing.Installing it right away

mapcarsover 10 years ago

Wow, these guys really should spent some time learning history and plan 9 specifically.I mean how do they think people will write and rewrite programs using sql when files are already here?

评论 #8532037 未加载