Skills2026年4月23日·1 分钟阅读

osquery — SQL-Powered Operating System Instrumentation

osquery exposes your operating system as a relational database, letting you write SQL queries to explore OS data like running processes, loaded kernel modules, open network connections, and installed packages.

Agent 就绪

Agent 可直接安装

这个资产可安装;Agent 先选择当前运行时、检查安装计划,再运行匹配命令。

Native · 98/100策略:允许
Agent 入口
任意 MCP/CLI Agent
类型
Skill
安装
Single
信任
信任等级:Established
入口
osquery Overview
直接安装命令
npx -y tokrepo@latest install 607b6fb1-3f30-11f1-9bc6-00163e2b0d79 --target codex

先 dry-run 确认安装计划,再运行此命令。

Introduction

osquery, originally created at Facebook, turns your operating system into a relational database. Instead of learning dozens of OS-specific commands, you write standard SQL to ask questions about system state—processes, users, network connections, file integrity, and more.

What osquery Does

  • Exposes OS internals (processes, files, users, hardware) as virtual SQL tables
  • Provides an interactive shell (osqueryi) for ad-hoc investigation
  • Runs a daemon (osqueryd) that executes scheduled queries and logs results
  • Supports macOS, Linux, Windows, and FreeBSD with platform-specific tables
  • Enables fleet-wide security monitoring and compliance auditing

Architecture Overview

osquery embeds a SQLite-based virtual table engine. Each "table" is backed by a C++ plugin that reads live OS data on demand. The daemon reads a configuration file defining scheduled queries, runs them at set intervals, writes differential results to structured JSON logs, and optionally forwards them to a TLS server for centralized collection.

Self-Hosting & Configuration

  • Configuration lives in /etc/osquery/osquery.conf (JSON format)
  • Flag files at /etc/osquery/osquery.flags set daemon behavior
  • Query packs group related scheduled queries (e.g., incident-response, compliance)
  • Logging outputs include filesystem, TLS endpoint, AWS Kinesis, and Kafka
  • Fleet management options include osquery Fleet Manager and Kolide

Key Features

  • Over 200 built-in virtual tables across supported platforms
  • Differential logging captures only changed rows between query runs
  • File integrity monitoring (FIM) via the file_events table
  • Extensions SDK allows custom tables in C++, Python, or Go
  • Watchdog process guards against runaway queries consuming too many resources

Comparison with Similar Tools

  • Wazuh — full SIEM with HIDS; osquery focuses on SQL-based host querying
  • OSSEC — agent-based intrusion detection; less flexible ad-hoc investigation
  • Sysdig — container and system call visibility; osquery covers broader OS tables
  • Auditd — Linux audit framework; osquery wraps audit data into queryable tables
  • Velociraptor — DFIR-focused agent with its own query language (VQL)

FAQ

Q: Does osquery modify the system it runs on? A: No. osquery is read-only by design. It queries OS state without altering files, processes, or configurations.

Q: How much CPU and memory does the daemon use? A: The watchdog enforces configurable limits (default 12% CPU, 200 MB RAM). Queries exceeding limits are killed automatically.

Q: Can I query Docker containers? A: Yes. The docker_containers, docker_images, and related tables expose container metadata on hosts running Docker.

Q: What log format does osqueryd produce? A: JSON by default, with each scheduled query result stored as a structured event including added/removed rows.

Sources

讨论

登录后参与讨论。
还没有评论,来写第一条吧。

相关资产