1. 14
    1. 3

      Anyone actually running this? Curious to hear experiences and get details of the setup at scale

      1. 3

        Yeah it’s a real pleasure! I’d suggest Fleet (FleetDM).

        I’m using it via elastic-agent today but running into issues with the agent itself, not osquery.

        One important thing to note is that you cannot use one config for all OSes. There are a few subtle differences, for instance FIM between Windows and Linux.

        Also check out File Carving for something almost completely undocumented and extremely interesting.

      2. 1

        Read about this on the orange site from one of yogthos’s comments. They also made a blog post and submitted it here. They may have some insights.

    2. 3

      Two bits of prior art:

      1. WBEM/WMI: Windows lets you use SQL(-like) constructs for querying system information.
      2. IBM i services (bigger list). i is already pretty RDBMS-focused; these provide a bunch of views and stored procedures to do administrative read and write queries. I suspect this grows in popularity because it might be easier than doing it via the traditional means (i.e. from other languages, for people not used to 5250 interface, etc.).
      1. 3

        WMI is something I mention often when talking about administrating Windows boxes with Unix geeks. It is absolutely not perfect, but it made gathering fleet-wide data a breeze. It’s really neat to see that idea translated into the Linux world.

    3. 2

      We used this in our test suite at an old job of mine. We were building a virtual appliance, and then we would fire up a copy of it and our tests would probe it in different ways to make sure the appliance was sane. It was a big win for test readability and durability whenever we could switch a test to using osquery instead of parsing shell command output - initially we just converted a couple tests but ifconfig changing its output format motivated us to convert loads more.

    4. 1

      Has anyone ever heard of something like this - SQL for the OS, but run against a sos report[1]?

      I always seem to be using awk/grep/etc. to explore things ad hoc.

      I did find jc[2] + sqlite-utils[3] to be interesting, but seemed a waste to not leverage all the table definitions from OSQuery.

      [1] https://github.com/sosreport/sos
      [2] https://kellyjonbrazil.github.io/jc/
      [3] https://sqlite-utils.datasette.io/en/stable/
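A worked example of the approach this comment and the test-suite comment above both describe, replacing awk/grep over captured command output with SQL. This is added here and is not code from the thread, from osquery, jc or sqlite-utils: it parses a constructed `ip -o addr show` capture (the kind of text a report directory might hold) into an in-memory SQLite table whose name and columns are loosely modeled on osquery's `interface_addresses` (an assumption; the `family` column stands in for osquery's `type`), then runs the sort of check an appliance test suite would assert on. The sample lines, table layout and helper names are all my own.

```python
import ipaddress
import re
import sqlite3

# Constructed sample of `ip -o addr show` output (one address per line), as a
# sos-style capture might contain it. Not taken from any real host.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0\\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::1/64 scope link \\       valid_lft forever preferred_lft forever
3: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0\\       valid_lft forever preferred_lft forever
"""

# Matches the leading fields of `ip -o addr` lines; the trailing lifetime
# fields are ignored.
_ADDR_LINE = re.compile(
    r"^\d+:\s+(?P<iface>\S+)\s+(?P<family>inet6?)\s+(?P<cidr>\S+)"
    r"(?:\s+brd\s+(?P<brd>\S+))?"
)


def parse_ip_addr(text):
    """Turn `ip -o addr` text into rows shaped like osquery's interface_addresses.

    Column names are an assumption loosely modeled on that table; `family`
    replaces osquery's `type` column. Lines that do not parse are skipped.
    """
    rows = []
    for line in text.splitlines():
        m = _ADDR_LINE.match(line)
        if not m:
            continue
        iface = ipaddress.ip_interface(m.group("cidr"))  # handles v4 and v6
        rows.append({
            "interface": m.group("iface"),
            "address": str(iface.ip),
            "mask": str(iface.netmask),
            "broadcast": m.group("brd"),  # None when the line has no brd field
            "family": m.group("family"),
        })
    return rows


def load_interface_addresses(text):
    """Load parsed rows into an in-memory SQLite table so they can be queried with SQL."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE interface_addresses ("
        "interface TEXT, address TEXT, mask TEXT, broadcast TEXT, family TEXT)"
    )
    conn.executemany(
        "INSERT INTO interface_addresses VALUES "
        "(:interface, :address, :mask, :broadcast, :family)",
        parse_ip_addr(text),
    )
    return conn


def query(conn, sql, params=()):
    """Run a query and return plain dicts, one per row."""
    return [dict(r) for r in conn.execute(sql, params)]


def global_ipv4_interfaces(conn):
    """Interfaces carrying a non-loopback IPv4 address, sorted by name."""
    rows = query(conn, "SELECT DISTINCT interface FROM interface_addresses "
                       "WHERE family = 'inet' AND address NOT LIKE '127.%' "
                       "ORDER BY interface")
    return [r["interface"] for r in rows]


def unexpected_interfaces(conn, allowed):
    """The check an appliance test suite would run: every interface not on the allow-list."""
    rows = query(conn, "SELECT DISTINCT interface FROM interface_addresses")
    return sorted(r["interface"] for r in rows if r["interface"] not in allowed)


if __name__ == "__main__":
    conn = load_interface_addresses(SAMPLE_IP_ADDR)
    for row in query(conn, "SELECT interface, address, mask FROM interface_addresses "
                           "WHERE family = 'inet'"):
        print(row)
    print("unexpected:", unexpected_interfaces(conn, {"lo", "eth0"}))
```

Once the rows are in SQLite, the same SQL works whether the source was a live `ip` call or a file from a report archive, which is the point both comments make: the test (or the ad-hoc exploration) stops depending on the exact whitespace of a tool's output.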

    5. 1

      Yep! Using a system built around the ‘doorman’ server to satisfy myriad security and compliance needs. It is quite unremarkable yet effective enough.