Osquery is an open source operating system instrumentation framework for Windows, macOS, Linux, and FreeBSD by Facebook. This tool allows users to query the state of their system via a SQL interface.
With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.
SQL tables are implemented via a simple plugin and extensions API. A variety of tables already exist and more are being written: https://osquery.io/schema. These queries can be:
- performed on an ad-hoc basis to explore operating system state using the osqueryi shell
- executed via a scheduler to monitor operating system state across a set of hosts
- launched from custom applications using osquery Thrift APIs