What is osquery?
osquery is a tool that exposes an operating system as a high-performance relational database. It enables developers to write SQL-based queries that explore operating system data. With osquery, SQL tables can be created to help represent otherwise fairly abstract concepts, such as:
- Running processes
- Loaded kernel modules
- Open network connections
- Browser plugins
- Hardware events
- File hashes
How Does osquery Work?
Here are some examples of what you can do with osquery and why it is such a useful utility. Without osquery, some of the data below could only be retrieved by tediously parsing system files or, even worse, by invoking system commands that are risky to run:
- List users
- Get the process name, port and PID for all processes
- List logged-in users
Examples
You can list most of the information in /etc/passwd using this simple query:
SELECT * FROM users;
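The three bullet items under "How Does osquery Work?" written out as osquery SQL, as an added example that is not part of the original page. It assumes osquery's built-in users, processes, listening_ports and logged_in_users tables with their standard column names.

```sql
-- Added example (not from the original page): the three items listed
-- under "How Does osquery Work?" expressed as osquery SQL.
-- Assumes osquery's built-in schema: users, processes, listening_ports,
-- logged_in_users.

-- 1. List users (the local accounts that would otherwise be read
--    out of /etc/passwd by hand).
SELECT uid, gid, username, directory, shell
FROM users;

-- 2. Process name, port and PID for every process holding a listening
--    socket. listening_ports only carries the pid, so it is joined to
--    processes to recover the name and binary path; port 0 rows are
--    unbound placeholders and are filtered out.
SELECT p.pid, p.name, p.path, lp.port, lp.protocol, lp.address
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
WHERE lp.port != 0
ORDER BY lp.port;

-- 3. Currently logged-in users, with the terminal and remote host
--    of each session.
SELECT user, tty, host, time, type
FROM logged_in_users;
```

Each statement can be run interactively in the osqueryi shell or scheduled in osqueryd; the join in the second query is what turns a bare port list into a listener inventory an analyst can triage by process name.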