Detection and Incident Response With osquery

$ whoami
Javier Marcos
▪ Security Engineer/Incident Responder
▪ Open source contributor (/javuto)
▪ Former IBM, Facebook, Uber and Airbnb

Agenda Part 1: osquery, let's talk about it
▪ What is it?
▪ osqueryi basics
▪ osquery tables
▪ Package files
(break)

Agenda Part 2: Scaling osquery
▪ Do you need a daemon? osqueryd!
▪ Flags and configuration files
▪ Scheduled queries, packs and watchdog
▪ Remote API: TLS endpoint
(break)

Agenda Part 3: IR using osquery
▪ File Integrity Monitoring

osquery shell
ssh -p 2222 (Password: woprsummit)

osquery packages
macOS: brew install osquery
Windows: choco install osquery
APT Linux: sudo apt-get install osquery
RPM Linux: sudo yum install osquery
FreeBSD: pkg install osquery

What is osquery?
▪ Explore your operating system using SQL.

osquery motivation
▪ Host visibility motivated by intrusion detection
▪ 100% OS API usage, no fork/execve
▪ What machines have chrome extension abc123 installed?

SELECT pid, name, uid FROM processes JOIN users ON processes.uid = users.uid
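The JOIN on the slide is the pattern that answers the motivating question too. The queries below are an added example, not part of the talk; they assume the standard osquery tables processes, users and chrome_extensions with their documented columns (pid, name, path, uid; uid, username; uid, name, identifier, version, path), and 'abc123' is the placeholder extension id from the slide. Run them in osqueryi or as scheduled queries in osqueryd.

```sql
-- Which account owns each process: the JOIN from the slide, with the
-- owner resolved to a username instead of a bare uid.
SELECT p.pid, p.name, p.path, u.username
FROM processes AS p
JOIN users AS u ON p.uid = u.uid
ORDER BY p.pid;

-- "What machines have chrome extension abc123 installed?"
-- chrome_extensions is enumerated per user (it needs a uid to know which
-- profile directories to read), so joining against users is also how you
-- cover every account on the host rather than only the one running osquery.
SELECT u.username, ce.name, ce.identifier, ce.version, ce.path
FROM users AS u
JOIN chrome_extensions AS ce ON ce.uid = u.uid
WHERE ce.identifier = 'abc123';   -- placeholder id from the slide
```

Scheduled across a fleet, the second query returns rows only from hosts where the extension is present, so the list of reporting hosts is the answer to the question on the slide.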