osquery free download for Mac


Version 5.0.1

Query your devices like a database.

osquery overview

Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

Processes running without a binary on disk

Frequently, attackers will leave a malicious process running but delete the original binary on disk. This query returns any process whose original binary has been deleted, which could be an indicator of a suspicious process.

Three things you should know about osquery
  • It's fast and tested: Our build infrastructure ensures that newly introduced code is benchmarked and tested. We perform continuous testing for memory leaks, thread safety, and binary reproducibility on all supported platforms.
  • It runs everywhere: Windows, macOS, CentOS, FreeBSD, and almost every Linux OS released since 2011 are supported with no dependencies. osquery powers some of the most demanding companies, including Facebook.
  • It's open source: Osquery is released under the Apache License. Ever since we open-sourced it in 2014, organizations and individuals have contributed an ever-growing list of impressive features, useful tools, and helpful documentation.

What’s new in version 5.0.1

Updated on Dec 04 2021

Version 5.0.1:
  • We now install into /opt/osquery on macOS and Linux for better portability.
  • Our default and recommended installation for macOS uses an application bundle to support entitlement-based features.
  • We now use Endpoint Security APIs for various event-based tables on macOS (more to come in the future!)
  • We now use an osquery-organization macOS code signing certificate.
There are several breaking changes:
  • Installation paths have changes from /usr/local to /opt/osquery on macOS and Linux (symlinks to executables are provided).
  • macOS codesigning is now done through the Osquery Foundation account.
  • If you manage macOS full disk permission through a profile, you will need to update it.
  • See docs
  • We removed the deprecated blacklist key from the configuration (#7153)
  • Search semantics on the augeas table have changed to be more performant, but do break the existing query API.
Table Changes:
  • Add secureboot table for Linux and Windows (#7202)
  • Add tpm_info for Windows (#7107)
  • Fix osquery_info build_platform column value on Linux (#7254)
  • Support pid_with_namespace in more tables (#7132)
  • Update augeas table to use native pattern matching (BREAKING) (#6982)
  • Update chrome_extensions to include Edge & EdgeBeta (#7170)
  • Update disk_encryption table to support QueryContext (#7209)
  • Update last to include utmp type name column (#7201)
  • Update sudoers table to support newer include syntax (#7185)
  • Update user_ssh_keys to detect encryption of ed25519 keys (#7168)
Under the Hood Improvements:
  • Add ruby namespace to the thrift definition (#7191)
  • Always initialize variable change in PerformanceChange (#7176)
  • Remove deprecated blacklist key (#7153)
  • Use total_size within watchdog on Windows (#7157)
  • Support AF_PACKET sockets reporting on Linux (#7282)
  • socket_events improvements in Linux audit system (#7269)
Bug Fixes:
  • Add case sensitive pragma to the pragma/actions authorizer allow list (#7267)
  • Add feature to skip denylist for event-based queries (#7158)
  • Change logger_mode flag to be correctly interpreted as an octal (#7273)
  • Do not let osquery create multiple copies of the extension running at once (#7178)
  • Fix Linux audit rule removal upon osquery exit (#7221)
  • Fix broadcasting empty logs to logger plugins (#7183)
  • Fix issues applying ACLs during chocolatey deployment (#7166)
  • Fix memory issue in Windows fileops (#7179)
  • Fix process_open_sockets type error on darwin (#6546)
  • Make sure that the file action MOVED_TO is tracked with yara events. (#7203)
  • Prevent osquery from killing itself when the --force flag is used (#7295)
  • Prevent race condition between shutdown and worker or extension launch (#7204)
  • Add a security assurance case (#7048)
  • Bring the YARA wiki page up to date (#7172)
  • Spelling fixes (#7211, #7186)
  • Update uptime table description (#7270)
  • Update osquery installed artifacts paths in the documentation (#7286)
  • Add TimeoutStopSec to systemd service files (#7190)
  • Correct macOS installed app bundle path in osqueryctl and doc (#7289)
  • Create an macOS app bundle (#7263)
  • Fix choco packaging not failing when an error occurs during install or upgrade (#7182)
  • Fix path in macOS launchd plist (#7288)
  • Pin the packaging repo within GitHub workflows (#7208, #7255, #7279)
  • Update Windows deployment icon to png (#7163)
  • Update install paths, and remove deprecated Facebook naming (#7210)
  • Update macOS build to include app bundle related files (#7184)
  • Update osquery installed artifacts default paths in code (#7285)
  • Update the installation path on Linux (#7271)
  • libs: Add options to AWS Optionally enable debug option and restrict content-type header size for PUT req (#7216)
  • libs: Enable and compile the YARA macho module on macOS (#7174)
  • libs: Update OpenSSL to version 1.1.1l (#7293)
  • libs: Update Strawberry Perl to, use HTTPS downloads (#7199)
  • libs: Update ebpfpub (#7173, #7219)




App requirements

    Try our new feature and write a detailed review about osquery. All reviews will be posted soon.
    Write your thoughts in our old-fashioned comment
    MacUpdate Comment Policy. We strongly recommend leaving comments, however comments with abusive words, bullying, personal attacks of any type will be moderated.
    (0 Reviews of )
    There are no reviews yet
    Help the community
    There are no reviews yet, be the first to leave one
    FreeAbsolutely Free
    How would you rate osquery?
    Similar apps
    Manage multiple databases from a single application.
    Is this app is similar to RazorSQL? Vote to improve the quality of this list.
    Vote results
    Total score
    Universal database query and editor tool.
    Is this app is similar to DtSQL? Vote to improve the quality of this list.
    Vote results
    Total score