Osquery: Expose the operating system as a relational database

533 点作者 jamesgpearce超过 10 年前

42 条评论

ibdknox超过 10 年前

This is really interesting and very cool to see. The approach we're taking with Eve (gory details at [1]) is that you can treat everything as relational and doing so provides lots of benefits. One thing that wasn't clear though, was how you extend that notion down into the OS-level for both performance and semantic reasons. It's encouraging to see someone with requirements as deep as facebook's find that this strategy works in that context.The next step would be manipulating the OS as relations. E.g. an insert into the process table allows you to actually spawn a process. It would start to get really interesting from there...[1]: <a href="http://incidentalcomplexity.com/2014/10/16/retrospective/" rel="nofollow">http://incidentalcomplexity.com/2014/10/16/retrospective/</a>

评论 #8528976 未加载

评论 #8529285 未加载

评论 #8529583 未加载

评论 #8531550 未加载

zwischenzug超过 10 年前

Available as a docker image:<pre><code> docker run -t -i imiell/osquery /bin/bash root@81fbc2076e1c/# osqueryi ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ osquery - being built, with love, at Facebook ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Connected to a transient in-memory database. Use ".open FILENAME" to reopen on a persistent database. osquery> select * from processes; +----------+-------------------------+-----------+-------+---------+------------+---------------+----------------+-----------+-------------+------------+--------+ | name | path | cmdline | pid | on_disk | wired_size | resident_size | phys_footprint | user_time | system_time | start_time | parent | +----------+-------------------------+-----------+-------+---------+------------+---------------+----------------+-----------+-------------+------------+--------+ | bash | | /bin/bash | 1 | -1 | | 1764 | 18276 | 17 | 18 | 95476444 | 0 | | osqueryi | /usr/local/bin/osqueryi | osqueryi | 19380 | 1 | | 4312 | 110652 | 225 | 327 | 96321589 | 1 | +----------+-------------------------+-----------+-------+---------+------------+---------------+----------------+-----------+-------------+------------+--------+ osquery></code></pre>

评论 #8530664 未加载

评论 #8530581 未加载

MrBuddyCasino超过 10 年前

Cool, so basically it brings something like WQL to nix, because this is something that exists in Windows already:<pre><code> SELECT * FROM Win32_LogicalDisk WHERE FreeSpace < 2097152</code></pre>

评论 #8528698 未加载

评论 #8529252 未加载

peterwwillis超过 10 年前

It's hard for me to grok this project's design goals. I mean, the basic idea is simple enough to understand: I want to run SQL queries on metadata about my hosts. I've built and run several different iterations of that same idea, but they didn't require thousands of lines of C++.The usual implementation is simple: take any host monitor (say, collectd) that can export key/value pairs from a host, or take a log stream over the network and pair it with a host monitor/log scraper to create key/value pairs. Then insert into an SQL engine while appending to a log for a historical record (or PTA/PITR/whatever, i'm not a DBA). Separately you can create a database application to query/modify the database as needed.But we're talking like, a handful of python scripts that don't ever change except to add new search features. This seems like a big departure from the simplicity of that approach. Am I missing something?

评论 #8530250 未加载

gooseyard超过 10 年前

Akamai has been using a system like this since 1999 or so, nicely documented in this presentation to LISA some years ago:<a href="http://www.akamai.com/dl/technical_publications/lisa_2010.pdf" rel="nofollow">http://www.akamai.com/dl/technical_publications/lisa_2010.pd...</a>

asb超过 10 年前

There was a paper at EuroSys this year "Relational access to Unix kernel data structures" which seems to attempt to offer similar functionality. A comparison between the two would be interesting.HTML version of the paper here: <a href="http://www.dmst.aueb.gr/dds/pubs/conf/2014-EuroSys-PicoQL-kernel/html/FSLB14.html" rel="nofollow">http://www.dmst.aueb.gr/dds/pubs/conf/2014-EuroSys-PicoQL-ke...</a> Paywalled version: <a href="http://dl.acm.org/citation.cfm?id=2592802" rel="nofollow">http://dl.acm.org/citation.cfm?id=2592802</a>

mapleoin超过 10 年前

Welcome to 2014 where cross-platform means "Ubuntu, CentOS and Mac OS X".

评论 #8529080 未加载

评论 #8529307 未加载

评论 #8532035 未加载

评论 #8529126 未加载

gtrubetskoy超过 10 年前

This is not exactly same, but similar in some ways to IBM's S/38, OS/400 or whatever they call it now... In this OS (and last I touched it was 15 years ago, so things may have changed) there were no "files" - everything was a database table, and that was the only way you could store anything and it was how you for the most part interoperated with the system, i.e. the OS was essentially a relational DB. <a href="http://en.wikipedia.org/wiki/IBM_i" rel="nofollow">http://en.wikipedia.org/wiki/IBM_i</a>

sanj超过 10 年前

This reminds of a old project to kill daemons with a shotgun: <a href="http://www.cs.unm.edu/~dlchao/flake/doom/" rel="nofollow">http://www.cs.unm.edu/~dlchao/flake/doom/</a>

评论 #8533410 未加载

pothibo超过 10 年前

This is quite cool. I'm installing it right now on my system.From the wiki, it says it will soon be available on homebrew as well.<a href="https://github.com/facebook/osquery/wiki/install-os-x" rel="nofollow">https://github.com/facebook/osquery/wiki/install-os-x</a>

评论 #8528880 未加载

tdicola超过 10 年前

Are there instructions how to build it? I'm looking around the github page and don't see anything like what depedencies it needs, what infrastructure it uses (looks like CMake?), etc. It's cool to distribute it as a vagrant source, but I'd like to compile and run this on a Raspberry Pi which doesn't run Vagrant. Supplying some basic how to build instructions would really help.

评论 #8530471 未加载

sehrope超过 10 年前

This is pretty neat. I'm a big fan of SQL in general and being able to query system stats like this feels pretty natural to me.A long time back I created something similar to this atop Oracle[1]. It used a Java function calling out to system functions to get similar data sets (I/O usage, memory usage, etc). It was definitely a hack, but a really pleasant one to use.Be cool to see an foreign data wrapper for PostgreSQL[2] that exposes similar functionality. I'm guessing it'd be pretty easy to put together as you'd only need to expose the data sets themselves as set returning functions. PostgreSQL would handle the rest. Though I guess that would limit it's usefulness to servers that have PG already installed. Having it be separate like this let's you drop it on any server (looks like it's cross platform too!).[1]: I don't remember exactly when but I think 10g had just been released.[2]: <a href="http://www.postgresql.org/docs/9.3/static/postgres-fdw.html" rel="nofollow">http://www.postgresql.org/docs/9.3/static/postgres-fdw.html</a>

评论 #8529071 未加载

dougabug超过 10 年前

After a lost decade of misplaced vitriol directed at relational models and SQL, I'm personally heartened to see a trend back to human readable query languages over rpc as an interface, sensible representation of information in relational form suitable for ad hoc queries/discovery versus complex implementation-dependent deep hierarchy spaghetti.

thibauts超过 10 年前

That's a very good candidate for a postgres FDW ...<a href="https://wiki.postgresql.org/wiki/Foreign_data_wrappers" rel="nofollow">https://wiki.postgresql.org/wiki/Foreign_data_wrappers</a>

评论 #8532640 未加载

zobzu超过 10 年前

Google has GRR and Mozilla has MIG (<a href="http://mig.mozilla.org/" rel="nofollow">http://mig.mozilla.org/</a>)I think its interesting to see that MIG is in Go and thus cross platform "by default". It also seems to be more privacy-compliant.osquery's SQL is sexy however.That said I'm also wary of a single piece of software that basically give you control over absolutely everything (control everyones laptop, etc. silently and quickly. Thats the best rootkit ever. You wont even detect if its being compromised because its a trusted piece of the OS!)

评论 #8530944 未加载

Pxtl超过 10 年前

I just wish there were better relational languages than SQL for accessing/manipulating this stuff. Relational logic is great. SQL is... okay.

评论 #8529996 未加载

adl超过 10 年前

I build the .deb for Ubuntu 14.10 (downloaded the project, the Vagrant image, etc, the works. 1.1GB in total according to du -h)It's here if anyone wants to try it: osquery-0.0.1-trusty.amd64.deb (11 MB)<a href="https://drive.google.com/file/d/0B3ROVJqBXqYAOVNTTkhqQzNUa0k/view?usp=sharing" rel="nofollow">https://drive.google.com/file/d/0B3ROVJqBXqYAOVNTTkhqQzNUa0k...</a>

chacham15超过 10 年前

Is it possible to create triggers with this kind of emulated database? E.g. Insert a row into the notifications tablewhen free space drops below 10% or to use their example when SELECT name, path, pid FROM processes WHERE on_disk = 0 actually returns a row.

评论 #8530370 未加载

rdtsc超过 10 年前

Any relationship or inspiration from BeOS's file system?<a href="http://en.wikipedia.org/wiki/Be_File_System" rel="nofollow">http://en.wikipedia.org/wiki/Be_File_System</a>I remember from back in the day that was one of the really cool feature of Be.

mongol超过 10 年前

Something similar using SQLite virtual tables and the proc filesystem <a href="https://github.com/claes/osql" rel="nofollow">https://github.com/claes/osql</a>

gdulli超过 10 年前

I'd like to try this out but is there a way to install it that's as simple as all of the other Linux software I've ever installed before, and doesn't require installing vagrant, installing virtualbox, downloading an ubuntu image, creating a whole VM (which failed) so I can then make a package I can install? I can usually try these things out without making a whole thing of it.

评论 #8529426 未加载

godisdad超过 10 年前

Nifty, but not incredibly novel. SQLite's VFSes have been around for some time, albeit in smaller breadth and scope. I think one thing this kind of glosses over is the notion of transactions, what if load/fs contents change between independent parts of your query, are they memoized, recomputed, etc?Having said all that I'm going to install it and try it out because it's new and shiny.

amelius超过 10 年前

Wouldn't it be cool if there were a library that could build relational APIs for any problem (including an optimizing SQL compiler)...

eli超过 10 年前

Reminds me of LogParser, a funky Microsoft tool that let you run queries against log files, directories, the registry, etc. I think it was a skunkworks project. Apparently still exists: <a href="http://www.microsoft.com/en-us/download/details.aspx?id=24659" rel="nofollow">http://www.microsoft.com/en-us/download/details.aspx?id=2465...</a>

brianpgordon超过 10 年前

This is neat, but why is Facebook making it? I may be too used to working at startups, but it seems to me that "look Mom, SQL!" isn't nearly worth the cost of the engineer hours it must have taken to bring this project to maturity.I guess it does buy community goodwill to throw handfuls of money off the Facebook float...

评论 #8530346 未加载

评论 #8530337 未加载

评论 #8530604 未加载

gluczywo超过 10 年前

This is excellent idea. While I try to avoid unnecessary abstractions (yes, I'm looking at you docker), having a consistent cross-platform and familiar API for OS instrumentation seems like a big boon. At low complexity cost there is a chance to offload admin memory from idiosyncrasies of OS monitoring details.

annnnd超过 10 年前

Looks nice! That said, SQL in this case is just a way to look at data. Given that most network devices (and printers and UPSs and ...) in existence use SNMP, it would be nice to have an (SQL?) engine which would query devices via SNMP in background... If I understand correctly, this solution is tied to servers only.

spo81rty超过 10 年前

I wish something like this shipped with every version of linux just like WMI does on Windows. This is awesome to see.

karavelov超过 10 年前

There is something similar in aws. The main difference is that it is distributed and can query and aggregate across clusters of thousands machines. Also I think it is not built on sqlite but implements new db engine.

jacquesm超过 10 年前

Is this reading os datastructures synchronously or asynchronously?

stefanobaghino超过 10 年前

Brilliant idea, this can easily expose metrics in interesting ways to a whole lot of people who happen to know SQL better than the /proc filesystem.

njx超过 10 年前

Where are the JDBC drivers?you could then deploy these frameworks on a bunch of servers and a external monitor can independently query via SQL "How u doing;"

mixedbit超过 10 年前

A system with SQL interface != a relational database

评论 #8529412 未加载

falcolas超过 10 年前

You know, this wouldn't be too hard to implement as a storage engine for MySQL... What an intriguing idea.

评论 #8528928 未加载

评论 #8529047 未加载

评论 #8528940 未加载

politician超过 10 年前

Would've preferred to see the from-where-select style rather than the normal way of writing SQL.

elwell超过 10 年前

Great, so now we can have SQL Injection at the OS level./sarcasm/

pron超过 10 年前

Nice! Can we have a JDBC driver for this?

评论 #8529463 未加载

评论 #8530399 未加载

avifreedman超过 10 年前

marpaia, Did you consider using OpenTSDB?At CloudHelix, we did a Postgres FDW to OpenTSDB, which gives a time dimension as well.That was an issue at Akamai - how to get historic as well as realtime with Akamai's Query system ([WARNING: PDF direct download] <a href="http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CCAQFjAA&url=http%3A%2F%2Fwww.akamai.com%2Fdl%2Ftechnical_publications%2Flisa_2010.pdf&ei=1JVRVP6FJdj6oQT544GYBQ&usg=AFQjCNHZe0KJLDl4e8t3mY_-SnaC8umDwg&bvm=bv.78597519,d.cGU" rel="nofollow">http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd...</a>)Interesting stuff though! Maybe a FDW could connect Postgres to osquery, which could allow joining with local tables or other FDW-accessible data.The FDW approach to OpenTSDB looks like:select to_timestamp(atime::float), value, hstore(regexp_split_to_array(tags, ',')) as hs from chf_realtime where i_start_time >= now() - interval'1 min' and agg = 'sum' and metric = 'df.bytes.percentused' and tags = 'host=*,mount=/|/data|/ssd' ; to_timestamp | value | hs ------------------------+-------+--------------------------------------------------------- 2014-10-30 01:15:33+00 | 84 | "host"=>"XY4.iad1", "mount"=>"/", "fstype"=>"xfs" 2014-10-30 01:16:33+00 | 84 | "host"=>"XY4.iad1", "mount"=>"/", "fstype"=>"xfs" 2014-10-30 01:15:33+00 | 9 | "host"=>"XY.iad1", "mount"=>"/data", "fstype"=>"btrfs" 2014-10-30 01:16:33+00 | 9 | "host"=>"XY.iad1", "mount"=>"/data", "fstype"=>"btrfs" 2014-10-30 01:15:33+00 | 49 | "host"=>"XY.iad1", "mount"=>"/ssd", "fstype"=>"btrfs" 2014-10-30 01:16:33+00 | 49 | "host"=>"XY.iad1", "mount"=>"/ssd", "fstype"=>"btrfs" 2014-10-30 01:14:55+00 | 63 | "host"=>"XY.iad1", "mount"=>"/", "fstype"=>"xfs" 2014-10-30 01:15:55+00 | 63 | "host"=>"XY.iad1", "mount"=>"/", "fstype"=>"xfs" 2014-10-30 01:14:55+00 | 1 | "host"=>"XY.iad1", "mount"=>"/data", "fstype"=>"btrfs" 2014-10-30 01:15:55+00 | 21 | "host"=>"XY.iad1", "mount"=>"/ssd", "fstype"=>"xfs" 2014-10-30 01:14:55+00 | 21 | "host"=>"XY.iad1", "mount"=>"/ssd", "fstype"=>"xfs" 2014-10-30 01:15:50+00 | 63 | "host"=>"XY.iad1", "mount"=>"/", "fstype"=>"xfs" 2014-10-30 01:15:50+00 | 8 | "host"=>"XY.iad1", "mount"=>"/ssd", "fstype"=>"btrfs" 2014-10-30 01:14:56+00 | 89 | "host"=>"XY.iad1", "mount"=>"/", "fstype"=>"xfs" 2014-10-30 01:15:56+00 | 89 | "host"=>"XY.iad1", "mount"=>"/", "fstype"=>"xfs" 2014-10-30 01:14:56+00 | 55 | "host"=>"XY.iad1", "mount"=>"/ssd", "fstype"=>"xfs" 2014-10-30 01:15:56+00 | 55 | "host"=>"XY.iad1", "mount"=>"/ssd", "fstype"=>"xfs" (17 rows)

评论 #8531002 未加载

peetle超过 10 年前

Hey? LINQ? What?

innguest超过 10 年前

The original wiki had much to say, over its many discussions, about TOP - table-oriented programming.Today we know via Category Theory that tables are Turing complete and are actually quite synonymous with CT itself.In other words, thinking of computation in terms of tables with rows and columns and relationships between tables is an interesting and promising (given CT) approach to computing that has been discussed in the past but then left largely unexplored.

评论 #8530464 未加载

rpm33超过 10 年前

This is amazing.Installing it right away

mapcars超过 10 年前

Wow, these guys really should spent some time learning history and plan 9 specifically.I mean how do they think people will write and rewrite programs using sql when files are already here?

评论 #8532037 未加载