Daily Read: Operating System Query (osquery) utility

What is osquery?

osquery is a tool that exposes an operating system as a high-performance relational database. It enables developers to write SQL-based queries that explore operating system data. With osquery, SQL tables can be created to help represent otherwise fairly abstract concepts, such as:

  • Running processes
  • Loaded kernel modules
  • Open network connections
  • Browser plugins
  • Hardware events
  • File hashes

How Does osquery Work?

Here are some examples of what you can do with osquery and why it’s such a useful utility. Some of the data below could not be retrieved without the tedious parsing of system files or, even worse, without employing dangerous system commands:

  • List users
  • Get the process name, port and PID for all processes
  • List logged-in users


You can list most of the information in /etc/passwd using this simple query:

SELECT * FROM users;




Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.