Oh, ALL RIGHT, says Facebook, we'll let Windows admins run osquery

SELECT * from users where too_stupid_to_live=”YES”

Two years after it first arrives for Linux and OS X, Facebook's "osquery" developer kit is now available for Windows.

Osquery is designed to let sysadmins check out system and process information by issuing SQL queries, rather than (for example) having to watch syslogs.

An example (drawn from the GitHub repo) is the kind of trojan that deletes the executable from disk while it's running. In osquery, the following query identifies the process:

SELECT * FROM processes WHERE on_disk = 0;

Announcing osquery's extension to Windows, Facebook's Nick Anderson writes: “With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes. Having timely, reliable visibility into operations running throughout your network is critical to quickly identify and investigate anomalies.”

Anderson gives malicious browser extensions as another example: an SQL query to osquery is an easy way to identify all the browser extensions running on Facebook's enterprise networks – including malicious ones.

Other goodies in osquery include:

  • File integrity monitoring – The osquery daemon tracks operating system events to expose in tables like file_events and yara_events.
  • Process and socket auditing – to monitor things like disk mounts, network reconfigurations, hardware attach/detach, and process start.

Documentation for osquery for Windows is here. ®


Biting the hand that feeds IT © 1998–2017