Important, but obscure, sysadmin tool osquery gets a foundation of its own

This relatively unknown, but useful, sysadmin tool is getting a new chance for glory via The Linux Foundation.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Tracking what's going on with your servers is never easy. Once you start having to keep an eye on hundreds -- thousands -- of server instances in a data center or cloud, things can get downright painful. That's where osquery can come in. This open-source project, which enables you to use SQL to monitor your servers, can help you keep on top of what's what in your servers.

But users think osquery's founder, Facebook, has been neglecting osquery. Going forward, Facebook has turned osquery over to The Linux Foundation. There, engineers and developers from Dactiv, Facebook, Google, Kolide, Trail of Bits, Uptycs, and other companies invested in osquery, will support it under the new foundation: The osquery Foundation.

That's a good thing because while you may not have heard of osquery, many major companies, such as Airbnb, Dropbox, Netflix, Palantir, Etsy, and Uber, rely on it. This project needed a new lease on life.

How does it work? Osquery exposes a server's operating system as a high-performance relational database. This lets you write SQL queries to explore operating-system data and low-level system information. In osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events, or file hashes. These are kept in a SQLite DBMS.

Osquery gets the data for its SQL tables via a simple plugin and extension API. Numerous osquery tables already exist, and more are being written. Armed with this data, sysadmins can write SQL queries to monitor systems and to detect and investigate anomalies within them.
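As an added example that is not part of the article, here is the kind of anomaly-hunting query the paragraph describes, written against osquery's real processes, listening_ports and hash tables; the directory prefixes in the WHERE clause are a constructed watchlist, not an osquery default:

```sql
-- Added example (not from the article or the osquery project).
-- Flags processes that are listening on a network port while their
-- executable has been deleted from disk or runs from a scratch
-- directory, and attaches the binary's SHA-256 for triage.
-- Run in the interactive shell (osqueryi) or schedule it in osqueryd.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  p.parent,
  l.port,
  l.protocol,           -- 6 = TCP, 17 = UDP
  l.address,
  h.sha256              -- NULL when the file is gone (on_disk = 0)
FROM processes AS p
JOIN listening_ports AS l USING (pid)
LEFT JOIN hash AS h ON h.path = p.path
WHERE l.port != 0       -- ignore sockets with no bound port
  AND (
       p.on_disk = 0    -- 0: binary deleted, 1: present, -1: unknown
    OR p.path LIKE '/tmp/%'       -- constructed watchlist of
    OR p.path LIKE '/var/tmp/%'   -- locations a service binary
    OR p.path LIKE '/dev/shm/%'   -- would not normally live in
  );
```

In osqueryd the same statement goes under "schedule" in the configuration with an interval, so it runs periodically and only changes between runs are logged.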

Uptycs, which uses osquery for its security platform, claims osquery represents a fundamental rethinking of the fragmented, siloed approach plaguing the security industry today. Instead of using the siloed, "one agent per function" approach, Facebook created osquery to extract and normalize data from any operating system.

Looking ahead, Teddy Reed, an engineering manager at Facebook and longtime osquery contributor, thinks, "The creation of the osquery Foundation is the best next step to support the community's ongoing development and priorities."

Mike Myers, principal security engineer at Trail of Bits, agrees. "Trail of Bits has long believed that osquery was destined to become an essential part of security infrastructure. Our involvement began in 2016 when we contributed the Windows platform support to osquery. Trail of Bits has only seen interest in the osquery project increase, and we are pleased that the project will transition to a foundation and enter a new stage of growth."

Moving on, the osquery Foundation will have an open governance model that encourages participation and technical contribution and will provide a framework for long-term stewardship. A Technical Advisory Board (TAB) made up of active community contributors will help facilitate the transition to this new model and drive the collective priorities set forth by the foundation members.

I hope this works out well. Osquery has already proven to be useful and, with more support, it will be more useful still.
