Facebook’s osquery Now Available for Windows

Two years after its first version, osquery gets Windows port. Facebook’s insanely popular osquery project is now available for Windows after it was launched in 2014 with support for only Mac OS X, Ubuntu, and CentOS.

If you’re not familiar with the project, osquery is a tool loved by sysadmins, network admins, and security engineers alike.


osquery allows developers to query the underlying operating system using an easy-to-read and easy-to-learn SQL-like language. osquery code looks something like this:

SELECT uid, name FROM listening_ports l, processes p WHERE l.pid=p.pid;
SELECT * FROM kernel_extensions WHERE name NOT LIKE ‘com.apple.%’ AND name != ‘__kernel__’;
SELECT name, path, bundle_version, applescript_enabled FROM apps ;
SELECT uid, name FROM listening_ports l, processes p WHERE l.pid=p.pid;

There’s a tangible benefit from working with osquery, rather than working with low-level C APIs.

osquery organizes OS data as SQL-like tables

osquery, which basically organizes operating system data as SQL tables, has been deployed in networking monitoring systems all over the world, at data centers, and in private enterprise networks.

The toolkit allows developers to write monitoring rules and then keep an eye on activity levels. If something goes terribly wrong, the sysadmin is notified. This is true for both technical defects, but also for malicious intrusions.

If you still fail to see how osquery is useful, Facebook’s Nick Anderson explains how the company deploys it on its internal network.

  osquery allows our Facebook security team to fetch data about all browser extensions running on our corporate network. We then compare that information to threat intelligence data to quickly identify malicious extensions and remove them.  

osquery is GitHub’s most popular security-related project

Based on GitHub statistics, osquery was the most popular security-related repo on the site. Now with Windows support, its adoption and popularity are bound to go through the roof.

Besides Windows, Mac OS X, Ubuntu, and CentOS, Facebook also added support in the past two years for RHEL, Debian, and FreeBSD. Facebook has hired security software firm Trail of Bites to help port osquery for Windows.

(Visited 77 times, 1 visits today)