Osquery: Expose the operating system as a relation...

[zwischenzug]

Available as a docker image:

  docker run -t -i imiell/osquery /bin/bash
  root@81fbc2076e1c/# osqueryi
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  osquery - being built, with love, at Facebook
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Connected to a transient in-memory database.
  Use ".open FILENAME" to reopen on a persistent database.
  osquery> select * from processes;
  +----------+-------------------------+-----------+-------+---------+------------+---------------+----------------+-----------+-------------+------------+--------+
  | name     | path                    | cmdline   | pid   | on_disk | wired_size | resident_size | phys_footprint | user_time | system_time | start_time | parent |
  +----------+-------------------------+-----------+-------+---------+------------+---------------+----------------+-----------+-------------+------------+--------+
  | bash     |                         | /bin/bash | 1     | -1      |            | 1764          | 18276          | 17        | 18          | 95476444   | 0      |
  | osqueryi | /usr/local/bin/osqueryi | osqueryi  | 19380 | 1       |            | 4312          | 110652         | 225       | 327         | 96321589   | 1      |
  +----------+-------------------------+-----------+-------+---------+------------+---------------+----------------+-----------+-------------+------------+--------+
  osquery>

[mrisse]

Do you have a public Dockerfile for your image? https://registry.hub.docker.com/u/imiell/osquery/

[zwischenzug]

https://github.com/ianmiell/shutit/blob/master/library/osque...

[zwischenzug]

ShutIt script here:

https://github.com/ianmiell/shutit/blob/master/library/osque...

There are deps on thrift and rocksdb modules defined at the bottom.

Should be useful for those looking to port to other CM tools.

cf:

http://ianmiell.github.io/shutit/