osquery
Free
Absolutely Free
osquery overview
osquery uses basic SQL commands to leverage a relational data-model to describe a device.
Processes running without a binary on disk
Frequently, attackers will leave a malicious process running but delete the original binary on disk. This query returns any process whose original binary has been deleted, which could be an indicator of a suspicious process.
Three things you should know about osquery
- It's fast and tested: Our build infrastructure ensures that newly introduced code is benchmarked and tested. We perform continuous testing for memory leaks, thread safety, and binary reproducibility on all supported platforms.
- It runs everywhere: Windows, macOS, CentOS, FreeBSD, and almost every Linux OS released since 2011 are supported with no dependencies. osquery powers some of the most demanding companies, including Facebook.
- It's open source: Osquery is released under the Apache License. Ever since we open-sourced it in 2014, organizations and individuals have contributed an ever-growing list of impressive features, useful tools, and helpful documentation.
What’s new in version 5.10.2
Updated on Nov 23 2023
New Features
- Add --enable_watchdog_debug flag and improve watchdog error messages (#8070)
- Add --aws_enforce_fips to enforce AWS FIPS endpoints (#8075)
- Add new AWS valid regions (#8110)
- Implement decorations_top_level flag for status logs (#8102)
Table Changes
- Add new macOS SIP config flags (#8101)
- Added cloud_id to ycloud_instance_metadata - the vm metadata table for Yandex Cloud (#8086)
- Allow querying of kernel and filesystem drivers (#8119)
- Update es_process_file_events adding support for open events, and for only triggering on file_paths (#8114)
- Update firefox_addons to use rapidjson to parse and don't block on read (#8089)
- Update macOS es_process_events table: quote spaces in command line and environment variables (#8054)
- Update linux disk_encryption to recursively query parent crypt status (#8052)
- Add, and revert, indexing on block_devices (#8037, #8151)
Under the Hood improvements
- Add warnings when an enrollment secret cannot be found (#8082)
- Avoid blocking when reading plist files (#8099)
- Fix named virtual table create statement (#8139)
- Remove forensicReadFile (#8085)
- Substitute the TEXT macro with SQL_TEXT in table code (#8091)
- Use JSON member iterator instead of rescanning (#8122)
- core: Avoid checking if a file exists before opening (#8087)
- improvement: Avoid unnecessary string conversions (#8093)
- watchdog: Use virtual cores to calculate CPU utilization limit (#8104)
Bug Fixes
- Always lock event_index_mutex when accessing event_index map (#8077)
- Check audit return values with <= (#8125)
- Fix wifi_survey table not to crash if the ssid cannot be retrieved (#8153)
- Fix macOS EndpointSecurity FIM mute inversion for file paths (#8166)
Documentation
- Add a list of Osquery fleet managers (#7781)
- Add basic file carving documentation (#8118)
- Changelog for 5.9.1 (#8088)
- Changelog 5.10.1 (#8155)
- Fixed small doc error (#8147)
- Update Automatic Table Construction example (#8094)
- Update XCode version mentions to the proper one (#8128)
- Update the description of serial_number in connected_displays (#8113)
Build
- Fix openssl build arch for Windows ARM64 (#8134)
- Fix python test http server use SSLContext.wrap_socket() instead of deprecated ssl.wrap_socket() (#8169)
- GitHub Action to cleanup at stale ec2 runners (#8156)
- Ignore CVE-2023-30571 (#8065)
- Missing pragma/header guard for boottime.h (#8117)
- Permit cross compiling for x86_64 on Apple Silicon (#8136)
- build: update macos hosted github runner to macos-12 monterey (#8100)
- ci: Fix DistributedTests.test_run_queries_with_denylisted_query test (#8154)
- ci: Increase aarch64 available space by splitting the build (#8131)
- ci: Increase disk space on the Linux x86_64 runner (#8133)
- ci: Remove flakyness when removing unused packages on Linux (#8144)
- cve: Fix the expat product name in the libraries manifest (#8158)
- cve: Ignore dbus CVE-2023-34969 (#8126)
- cve: Ignore libcap CVE-2023-2603 (#8127)
- cve: Update expat to version 2.5.0 (#8159)
- cve: Update libmagic to 5.45 (#8142)
- cve: Update lzma to 5.4.4 (#8135)
- cve: Update openssl to 3.1.3 (#8141)
- libs: Fix openssl build on aarch64 (#8084)
- libs: Update openssl to 3.1.1 (#8081)
- libs: Update openssl to 3.1.2 (#8124)
- test: Fix leaks in inotify and rocksdb tests (#8080)
Information
App requirements
- Intel 64
- Apple Silicon
- OS X 10.9 or later
Try our new feature and write a detailed review about osquery. All reviews will be posted soon.
(0 Reviews of )
There are no reviews yet
Comments
User Ratings
May 3 2023
Version: 5.8.2
I finally found a use for OSQUERY. Or perhaps I should say, found a product that uses it: Vanta.
Vanta is a SOC 2 compliance tool that once installed on a workstation, monitors for "un-binaried" processes (processes for which there isn't an app; malware) and other items that may raises suspicions. Vanta is effectively spyware, so I'd only put it on company-provided hardware, and there isn't (to my knowledge) any end-user purpose. Still, OSQUERY is the basis for how Vanta works. There may be some applicability for geeky types who wish to dig into the innards of their macOS.
Help the community
There are no ratings yet, be the first to leave one
Free
Absolutely Free
Similar apps
RazorSQL
Manage multiple databases from a single application.
Is this app is similar to RazorSQL? Vote to improve the quality of this list.
Vote results
1
Upvotes
1
Total score
0
Downvotes
DtSQL
Universal database query and editor tool.
Is this app is similar to DtSQL? Vote to improve the quality of this list.
Vote results
1
Upvotes
1
Total score
0
Downvotes
New and Recently Updated