How to use OSQuery
How to setup OSQuery
Analyze your server
osquery is an operating system instrumentation framework for collecting information from operating systems, hypervisors and applications. It is often used to collect information for security forensics, application performance management and compliance auditing. osquery supports multiple platforms including Windows, Linux and macOS.
The osquery toolset provides a SQL-based interface for querying operating system data. This allows complex queries to be constructed within a familiar environment that is both robust and secure. A query may consist of individual or aggregated components that are composed together with AND / OR operators to form a complete query. This provides the flexibility that is unique to SQL-based interfaces and allows users to define a flexible query workflow.
It is a project that aims to make operating systems more transparent. It does this by collecting information from the operating system and making it available to clients (the osquery client, shipped as part of osqueryd), which can then be queried using a SQL-like query language.
A lot of command-line tools such as ps, lsof, netstat or ss are available on every Linux distribution and allow you to query the operating system. However, these tools often require particular privilege to run (typically root) and have a narrow scope. No privilege escalation is involved in using the OSQuery command line tool.
In this course you will learn how to use OSQuery to find information about your computers and servers. It is a beginners course and no prior knowledge is required, not even about SQL. If you are a sysadmin, developer, security researcher then this course is for you.