osquery free download for Mac


14 September 2020

Query your devices like a database.


Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

Processes running without a binary on disk

Frequently, attackers will leave a malicious process running but delete the original binary on disk. This query returns any process whose original binary has been deleted, which could be an indicator of a suspicious process.

Three things you should know about osquery
  • It's fast and tested: Our build infrastructure ensures that newly introduced code is benchmarked and tested. We perform continuous testing for memory leaks, thread safety, and binary reproducibility on all supported platforms.
  • It runs everywhere: Windows, macOS, CentOS, FreeBSD, and almost every Linux OS released since 2011 are supported with no dependencies. osquery powers some of the most demanding companies, including Facebook.
  • It's open source: Osquery is released under the Apache License. Ever since we open-sourced it in 2014, organizations and individuals have contributed an ever-growing list of impressive features, useful tools, and helpful documentation.

What's new in osquery

Version 4.4.0:
New Features / Under the Hood improvements:
  • Implement container access from tables on Linux
  • Update language to use 'allow list' and 'deny list'
  • macos: Automatic configuration of the OpenBSM audit rules
  • macos: Add polling to OpenBSM publisher
  • Add messages to distributed query results
  • Implement event batching support for Windows tables
Table Changes:
  • Add container access to the os_version table
  • Add container access to DEB, RPM, NPM packages tables
  • Add fields auid, fs{u,g}id, s{u,g}id to auditd based tables
  • Improve apt_sources resiliency
  • Make file and hash container columns hidden
  • Add 'maintainer', 'section', 'priority' columns to deb_packages
  • Add 'vendor', 'package_group' columns to rpm_packages
  • Add 'arch' column to os_version
  • Add 'board_xxx' columns to system_info table
  • Windows: omit non-interactive sessions from logged_in_users
  • Fixes to package_bom table
  • Add chassis_info table for windows
  • Add Azure tables
Bug Fixes:
  • Update hash cache inode number in query cache
  • Only explode registry key if it can be tokenized
  • Change ErrorBase::takeUnderlyingError to non const
  • Use RapidJSON to fix event format results and the Kafka Logger
  • Correct the 'cwd' and 'root' columns of processes table on Windows
  • Correct some SQLite types
  • Partial fix for md_devices issue
  • Fix the handling of empty args strings, on Windows
  • Refactor shutdown logging, and remove explicit syslog call
  • Change the Windows registry LIKE path constraint to filter recursively
  • Use sync resolve within http client
  • Fix typed_row table caching
  • Do not use system proxy for AWS local authority
  • Only populate table cache with star-like selects
  • Update osquery security policy
  • Updating changelog for 4.3.0 release
  • Improve the new table tutorial
  • Add Auto Table Construction to docs
  • Add documentation for enabling socket_events on macOS
  • Update winbaseobj table description
  • Fixing the description of failed_login_count from account_policy_data
  • Remove references to brew in macOS install
  • Add note to bump the Homebrew cask
  • Updating docs on cpack usage to include Chocolatey
  • Changelog for 4.4.0
  • Fix Userassist.test_sanity test sometimes failing
  • Drop the facebook and source_migration layers
  • Move ssdeep-cpp to source_migration
  • Move smartmontools to source_migration
  • Build augeas from source on macOS
  • Build lldpd from source on macOS
  • Build linenoise-ng from source on macOS and Windows
  • Build sleuthkit from source on macOS
  • Build popt from source on macOS
  • Fix libelfin build on ossfuzz and LLVM/Clang 10
  • Use the patched libelfin version
  • codegen: Port Jinja2 to Templite
  • Pass the minimum macOS SDK version to openssl only if explicitly set
  • Add git-lfs as dep for macOS build in documentation
  • Update openssl from 1.1.1f to 1.1.1g
  • Build openssl with the macOS SDK version taken from CMake
  • Do not install openssl docs
  • Update build configuration of ReadTheDocs
  • Link librdkafka on Windows
  • Build sleuthkit on Windows
  • Add nupkg cpack build option and update Windows deployment script
  • Fix rpm and deb package name format
  • Fix atom_packages, processes, rpm_packages tests
  • Fixes and cleanup for Windows compiler flags
  • Correct macOS framework linking
Security issues:
  • Disable openssl compression support
  • Use LOAD_LIBRARY_SEARCH_SYSTEM32 for LoadLibrary

Join over 500,000 subscribers.

Subscribe for our newsletter with best Mac offers from MacUpdate.

How would you rate osquery app?

0 Reviews of osquery