Introspecting your machine with osquery

12 Clouds of Christmas 2024

Ian Littman / @ian@phpc.social / @ian.im / @iansltx

Slides at ian.im/12c24

osquery: query systems with SQL(ite)

installable via choco/brew/apt/yum

and lets you do stuff like check if Apple Intelligence is enabled on a computer

results as JSON, query log to disk

can also push externally over TLS with host identification

Can run scheduled over time with either the entire result or diffs
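As an added example (not from the talk), a small Python parser for the osqueryd results log described above: it reads both differential entries (one line per added/removed row) and snapshot entries (the whole result set), pairs a removed+added row for the same package into an upgrade, and flags listeners not on an allow-list. The query names, host name, versions and log lines are constructed, and assume osquery's default event-per-line (non-batched) results log format.

```python
import json

# Constructed sample of osqueryd's results log (JSON lines). Differential queries log one
# line per changed row (action added/removed); snapshot queries log the whole result set.
SAMPLE_LOG = """\
{"name":"deb_packages_diff","hostIdentifier":"build-01","unixTime":1733745600,"columns":{"name":"curl","version":"8.5.0-1"},"action":"removed"}
{"name":"deb_packages_diff","hostIdentifier":"build-01","unixTime":1733745600,"columns":{"name":"curl","version":"8.5.0-2"},"action":"added"}
{"name":"deb_packages_diff","hostIdentifier":"build-01","unixTime":1733745600,"columns":{"name":"socat","version":"1.8.0-1"},"action":"added"}
{"name":"listening_ports_snap","hostIdentifier":"build-01","unixTime":1733745660,"action":"snapshot","snapshot":[{"port":"22","process":"sshd"},{"port":"8000","process":"python3"}]}
{"name":"deb_packages_diff","hostIdentifier":"build-01","unixTi
"""


def parse_results_log(text):
    """Yield (query_name, action, row) for every logged row, flattening snapshots."""
    for line in text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:  # e.g. a line still being written when read
            continue
        if entry.get("action") == "snapshot":
            for row in entry.get("snapshot", []):
                yield entry["name"], "snapshot", row
        elif entry.get("action") in ("added", "removed"):
            yield entry["name"], entry["action"], entry["columns"]


def package_changes(text, query_name):
    """Split a differential package query into installed / removed / upgraded."""
    # osquery logs an upgrade as a removed row (old version) plus an added row
    # (new version); pairing them by package name recovers the upgrade.
    added, removed = {}, {}
    for name, action, row in parse_results_log(text):
        if name == query_name and action != "snapshot":
            (added if action == "added" else removed)[row["name"]] = row["version"]
    upgraded = {p: (removed[p], added[p]) for p in added.keys() & removed.keys()}
    return {
        "installed": {p: v for p, v in added.items() if p not in upgraded},
        "removed": {p: v for p, v in removed.items() if p not in upgraded},
        "upgraded": upgraded,
    }


def unexpected_listeners(text, query_name, allowed):
    """Return snapshot rows whose listening process is not on the allow-list."""
    return [row for name, action, row in parse_results_log(text)
            if name == query_name and action == "snapshot" and row["process"] not in allowed]
```

Point `parse_results_log` at the contents of osqueryd's results log on disk (or at lines received by a TLS logger endpoint) to get the same classification over real data.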

what can I do? Let's check (and demo!) the schema

  • file
  • processes
  • docker_* - make sure your docker socket is in the right place
  • installed stuff
    • apps (macOS)
    • python_packages
    • deb_packages
    • rpm_packages
    • etc.
  • curl

Thanks!

Questions? Find me here / @ian@phpc.social / @ian.im / @iansltx

Slides: https://ian.im/12c24
