osquery free download for Mac


26 June 2020

Query your devices like a database.


Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

Processes running without a binary on disk

Frequently, attackers will leave a malicious process running but delete the original binary on disk. This query returns any process whose original binary has been deleted, which could be an indicator of a suspicious process.

Three things you should know about osquery
  • It's fast and tested: Our build infrastructure ensures that newly introduced code is benchmarked and tested. We perform continuous testing for memory leaks, thread safety, and binary reproducibility on all supported platforms.
  • It runs everywhere: Windows, macOS, CentOS, FreeBSD, and almost every Linux OS released since 2011 are supported with no dependencies. osquery powers some of the most demanding companies, including Facebook.
  • It's open source: Osquery is released under the Apache License. Ever since we open-sourced it in 2014, organizations and individuals have contributed an ever-growing list of impressive features, useful tools, and helpful documentation.

What's new in osquery

Version 4.3.0:
New Features / Under the Hood improvements:
  • Change verbosity of scheduled query execution messages from INFO to verbose only (#6271)
  • Updated the unwanted-chrome-extensions queries to include all users, not the osquery process owner only (#6265)
  • Check for errors in the return status of the extension tables and report them (#6108)
  • First steps to properly support UTF8 strings on Windows (#6190)
  • Display the underlying API error string when udev monitoring fails (#6186)
  • Add the path column to the ATC generate specs (#6278)
  • Log a warning message if osquery fails to get the service description on Microsoft Windows (#6281)
  • Make AWS kinesis status logging configurable (#6135)
  • Add an integration test for the disk_info table (#6323)
  • Use -1 for missing ppid in the process_events table (#6339)
  • Remove error when converting empty numeric rows (#6371)
  • Change verbosity from ERROR to INFO of access failures to system processes on Microsoft Windows (#6370)
  • Make it possible to get verbose messages from the dispatcher service management on Microsoft Windows too (#6369)
  • Fix codegen template for extension group (#6244)
  • Update SQLite from 3.30.1-1 to 3.31.1 (#6252)
  • Update the osquery-toolchain to version 1.1.0 which uses LLVM/Clang 9.0.1 (#6315)
  • Update openssl to version 1.1.1f (#6302, #6359)
  • Simplify formula-based third party libraries build (#6303)
  • Removed the Buck build system (#6361)
  • Add librdkafka to Windows build (#6095)
Bug Fixes:
  • Fix CFNumber conversion when the type was a Float64/32 instead of a Double (#6273)
  • Fix duplicate results being returned by the chrome_extensions table (#6277)
  • Fix flaky ProcessOpenFilesTest.test_sanity (#6185)
  • Fix the --database_dump flag for RocksDB not outputting anything (#6272)
  • Fix the pci_devices table pci ids extraction in non-existing paths (#6297)
  • Fix parsing an invalid decorators config (#6317)
  • Fix flaky TLSConfigTests.test_runner_and_scheduler (#6308)
  • Fix chromeExtensions.test_sanity (#6324)
  • Fix broken Unicode filename searches on Microsoft Windows (#6291)
  • Fix a use-after-free when sqlite attempts to access the entire rows data at the end of a query (#6328)
  • Keep proc instance for test_base and test_osqueryd (#6335)
  • Fix osquery not exiting when given check or dump requests (#6334)
  • Fix process table cmdline parsing (#6340)
  • Fix a crash when parsing files with libmagic (#6363)
  • Fix a sporadic readFile API failure when using non-blocking I/O (#6368)
  • Fix the MSI package not always installing in the system drive by default (#6379)
  • Ensure the extensions uuid is never 0 (#6377)
  • Fix a race condition making the watcher act as a worker on Microsoft Windows (#6372)
  • Fix extensions tables detaching which was sometimes failing (#6373)
  • Fix an issue with extensions re-registration (#6374)
  • Fix a crash due to a race condition in accessing the iokit port on Darwin (Apple OS X) (#6380)
  • Limit SQL functions regex_match and regex_split regex size (#6267)
  • Prevent a stack overflow when parsing deeply nested configs (#6325)
Table Changes:
  • Added table chrome_extension_content_scripts to All Platforms (#6140)
  • Added table docker_container_fs_changes to POSIX-compatible Platforms (#6178)
  • Added table windows_security_center to Microsoft Windows (#6256)
  • Added many new tables to Linux to query lxd (#6249)
  • Added table screenlock to Darwin (Apple OS X) (#6243)
  • Added table userassist to Microsoft Windows (#5539)
  • Added column status (TEXT) to table deb_packages (#6341)
  • Added many new columns to the curl_certificate table (#6176)
  • Added table socket_events to Darwin (Apple OS X) (#6028)
  • Added table hvci_status, previously inadvertently left out from the build, to Microsoft Windows (#6378)
