Questions about deployment, development, and osquery usage
What operating systems does osquery support?
Apple OS X 10.9-10.12, Linux CentOS 6.6/7.0 and Ubuntu LTS (12.04/14.04/16.04) and Windows 8+. Every supported OS is integrated into the osquery CI build and test processes. Additional operating systems such as various Linux flavors are tested and supported by the osquery community.
What information does osquery provide?
osquery produces information in the form of tables. Tables are equivalent to SQL/SQLite tables except that they generate their data at query time. When you run `select * from` the result will be the current time!

Events are a bit more complicated, but essentially they log operating system events in real time, so tables may emit the real-time results when the next appropriate query runs.
How do I manage osquery?
Management can be simple and flexible. The osquery daemon uses a configuration input plugin and a logging output plugin. By default both use a filesystem path. Read "Using osqueryd" for an overview of configuration.
osquery can be controlled in real time through community-supported management services. These complementary services and open source projects are documented in our configuration guide. Writing your own configuration input and results output plugins is supported and encouraged.
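The following is an added example, not taken from the osquery documentation, of what the default filesystem configuration input looks like. It ties together the two answers above: the schedule runs one query against a table that generates its data at query time (uptime) and one against an evented table (file_events), which only has rows if the daemon has been recording events since the last run. The file path under "file_paths", the log directory, and the query names are assumptions chosen for the example.

```json
{
  "options": {
    "disable_events": "false"
  },
  "schedule": {
    "uptime_snapshot": {
      "query": "SELECT total_seconds FROM uptime;",
      "interval": 3600,
      "snapshot": true
    },
    "etc_file_changes": {
      "query": "SELECT target_path, action, time FROM file_events;",
      "interval": 300
    }
  },
  "file_paths": {
    "etc": ["/etc/%%"]
  }
}
```

The daemon is pointed at this file and at a results directory with command-line flags, for example `osqueryd --config_plugin=filesystem --config_path=/etc/osquery/osquery.conf --logger_plugin=filesystem --logger_path=/var/log/osquery` (paths are assumptions). The uptime query is marked "snapshot" because it returns a fresh value on every run and a differential of added/removed rows would be meaningless; the file_events query is left differential so only new events are written to the results log, which is what a log aggregation pipeline would normally consume.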
Does osquery expose private information?
There are no explicit privilege escalation methods built into osquery. The osqueryi shell runs independently of the daemon. The results logged by the daemon will be private to the host unless a log aggregation approach is implemented by your enterprise.
The osquery community respects developer and user privacy! We include a "non-goal" of exposing sensitive information like browsing history within tables. The osquery tools include 0 callback requests and 0 auto-updating, auto-diagnostic capabilities.
Where is the osquery road map?
Feature requests and priority are managed through GitHub issues. Larger engineering/design efforts are tagged with "RFC".