osquery
What is osquery?
An open-source endpoint instrumentation framework, originally from Facebook, that exposes operating-system state — processes, sockets, files, users, kernel modules — as a SQL-queryable virtual database for inventory, detection, and IR.
osquery is an open-source agent that turns operating-system state into a SQL interface. Originally developed at Facebook and released in 2014, now under the Linux Foundation, it runs on macOS, Linux, Windows, and FreeBSD and exposes hundreds of tables — `processes`, `listening_ports`, `users`, `crontab`, `kernel_extensions`, `firefox_addons`, `chrome_extensions`, `dns_resolvers`, and many more — that a defender can query with familiar SELECTs. osquery can be run interactively (`osqueryi`) or as a daemon (`osqueryd`) that streams the results of scheduled queries to a fleet manager such as Fleet, Kolide, Zentral, or commercial XDRs. Use cases include asset inventory, compliance reporting (CIS Benchmark checks via SQL), threat hunting (e.g. 'show me all processes whose binary path is in a temp directory'), incident response (rapid fleet-wide IOC search), and configuration drift detection. Because the agent does not ship its own detections — only data — osquery is often paired with a separate detection layer (ELK, Sigma, EDR) or with a managed offering. It remains one of the most widely used open-source endpoint visibility tools.
● Examples
- 01
An IR team runs `SELECT pid, name, path FROM processes WHERE path LIKE '/tmp/%';` across 30,000 hosts via a fleet manager to find suspicious dropped binaries.
- 02
A compliance team schedules a nightly osquery to report which endpoints have disk encryption enabled, mapping results to CIS Benchmark checks.
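Because osquery only produces data, the detection logic lives in a separate layer. As an added example (not part of this entry or the osquery project), a small Python consumer for osqueryd's JSON results log that applies both scenarios above, the temp-directory process hunt and the disk-encryption compliance check, to constructed sample log lines. The schedule names `tmp_processes` and `disk_encryption` are assumed; the `disk_encryption` columns follow osquery's table of that name.

```python
import json

# Constructed osqueryd results-log lines (sample data, not from a real fleet).
# "tmp_processes" is a differential query (one row per event, action added/removed);
# "disk_encryption" is a nightly snapshot query (a list of rows per event).
SAMPLE_LOG = '''
{"name":"tmp_processes","hostIdentifier":"web-01","calendarTime":"Mon Jan 1 00:00:00 2024 UTC","action":"added","columns":{"pid":"4242","name":"kworker","path":"/tmp/.x/kworker","cmdline":"/tmp/.x/kworker -p 4444"}}
{"name":"tmp_processes","hostIdentifier":"web-01","calendarTime":"Mon Jan 1 00:05:00 2024 UTC","action":"removed","columns":{"pid":"4242","name":"kworker","path":"/tmp/.x/kworker","cmdline":"/tmp/.x/kworker -p 4444"}}
{"name":"tmp_processes","hostIdentifier":"build-07","calendarTime":"Mon Jan 1 00:00:00 2024 UTC","action":"added","columns":{"pid":"918","name":"cc1","path":"/var/tmp/build/cc1","cmdline":"cc1 main.c"}}
{"name":"disk_encryption","hostIdentifier":"laptop-12","calendarTime":"Mon Jan 1 00:00:00 2024 UTC","action":"snapshot","snapshot":[{"name":"/dev/disk1s1","encrypted":"1","type":"APFS Encryption"}]}
{"name":"disk_encryption","hostIdentifier":"laptop-19","calendarTime":"Mon Jan 1 00:00:00 2024 UTC","action":"snapshot","snapshot":[{"name":"/dev/disk1s1","encrypted":"0","type":""}]}
'''

TEMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def iter_rows(log_text):
    """Yield (query_name, host, action, row) for every row in the log.
    Differential events carry one row in "columns"; snapshot events carry
    a list of rows in "snapshot"."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        name, host, action = event["name"], event["hostIdentifier"], event["action"]
        rows = event["snapshot"] if action == "snapshot" else [event["columns"]]
        for row in rows:
            yield name, host, action, row


def find_tmp_execution(log_text, allowed_prefixes=()):
    """Rule 1 (threat hunt): newly seen processes whose binary lives in a
    temp directory. Only "added" rows are alerts; a "removed" row is the same
    process exiting. osquery logs every column value as a string."""
    findings = []
    for name, host, action, row in iter_rows(log_text):
        if name != "tmp_processes" or action != "added":
            continue
        path = row.get("path", "")
        if path.startswith(TEMP_PREFIXES) and not path.startswith(tuple(allowed_prefixes)):
            findings.append({"host": host, "pid": row["pid"], "path": path,
                             "cmdline": row.get("cmdline", "")})
    return findings


def unencrypted_hosts(log_text):
    """Rule 2 (compliance): hosts whose disk_encryption snapshot reports any
    volume with encrypted == "0" (string comparison, as osquery logs it)."""
    hosts = {host for name, host, action, row in iter_rows(log_text)
             if name == "disk_encryption" and action == "snapshot"
             and row.get("encrypted") == "0"}
    return sorted(hosts)
```

The `allowed_prefixes` parameter is where a build server's known temp-directory compilers would be tuned out so the hunt does not page on expected activity.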
● FAQ
What is osquery?
An open-source endpoint instrumentation framework, originally from Facebook, that exposes operating-system state — processes, sockets, files, users, kernel modules — as a SQL-queryable virtual database for inventory, detection, and IR. It belongs to the Defense & Operations category of cybersecurity.
What does osquery mean?
An open-source endpoint instrumentation framework, originally from Facebook, that exposes operating-system state — processes, sockets, files, users, kernel modules — as a SQL-queryable virtual database for inventory, detection, and IR.
How does osquery work?
osquery is an open-source agent that turns operating-system state into a SQL interface. Originally developed at Facebook and released in 2014, now under the Linux Foundation, it runs on macOS, Linux, Windows, and FreeBSD and exposes hundreds of tables — `processes`, `listening_ports`, `users`, `crontab`, `kernel_extensions`, `firefox_addons`, `chrome_extensions`, `dns_resolvers`, and many more — that a defender can query with familiar SELECTs. osquery can be run interactively (`osqueryi`) or as a daemon (`osqueryd`) that streams the results of scheduled queries to a fleet manager such as Fleet, Kolide, Zentral, or commercial XDRs. Use cases include asset inventory, compliance reporting (CIS Benchmark checks via SQL), threat hunting (e.g. 'show me all processes whose binary path is in a temp directory'), incident response (rapid fleet-wide IOC search), and configuration drift detection. Because the agent does not ship its own detections — only data — osquery is often paired with a separate detection layer (ELK, Sigma, EDR) or with a managed offering. It remains one of the most widely used open-source endpoint visibility tools.
How do you defend against osquery?
Defending against osquery usually combines technical controls with operational practices; see the full definition above.
What other names does osquery go by?
Common aliases include: osqueryd, osqueryi.
● Related terms
- defense-ops № 412
EDR (Endpoint Detection and Response)
Endpoint security technology that continuously records process, file, registry and network activity on endpoints in order to detect, investigate and respond to host-level threats.
- defense-ops № 423
Endpoint isolation
An EDR response action that cuts off all network communication from a compromised host except the security management channel, preventing the attacker from continuing to move laterally while responders investigate.
- defense-ops № 1267
Threat hunting
Hypothesis-driven, proactive searching through telemetry to uncover threats that have evaded existing detections.
- defense-ops № 461
File integrity monitoring (FIM)
A security control that detects unexpected changes by comparing critical operating-system, application and configuration files against a trusted cryptographic baseline.
- defense-ops № 231
Configuration management
The management practice of defining, recording and enforcing the desired state of systems and applications so that configurations stay known, predictable and secure.
- defense-ops № 338
Detection engineering
The discipline of designing, testing, deploying and maintaining security detections as code, giving measurable coverage of adversary techniques.