Facebook Builds Open-Source Osquery for Security Insight

The tool is designed to expose what's going on inside an OS. Osquery, Facebook's new open-source framework, could give enterprises new security insight.

Facebook today announced a new open-source framework, called osquery, that could yield new security insight for enterprises. Osquery is designed to turn operating system information into a format that can be queried using standard SQL-based statements.

"Osquery exposes an operating system as a high-performance relational database," Facebook developer Mike Arpaia wrote in a Facebook note. "This design allows you to write SQL-based queries efficiently and easily to explore operating systems."

While osquery uses SQL, it is not backed by a real database, though it is designed to behave as if one were present. Instead, the osquery platform converts SQL queries into low-level operating system calls to produce the answers. The osquery tables themselves are created using an API built by Facebook that leverages the Python and C++ programming languages.

Among the tools Facebook is providing as part of the osquery open-source effort is the osqueryi interactive query console. According to Facebook's Github page on the tool, "osqueryi lets you run commands and query osquery tables."

From a logging perspective, the osquery platform enables an administrator to specify what items should be logged to a filesystem. Additionally, the osquery platform can be integrated with a security information and event management (SIEM) platform as well.

A Facebook spokesperson explained to eWEEK that osquery identifies and logs incidents and events, while a SIEM platform displays incidents and events. As such, osquery and a SIEM will work together.

From a security perspective, osquery can be used as an intrusion-detection program within an enterprise infrastructure. As part of the osquery platform, there is the "osqueryd" host-monitoring daemon that enables administrators to schedule queries.

"The daemon aggregates query results over time and generates logs which indicate state change in your infrastructure," Facebook's Github page on osquery states. "These logs can be used to gain insight into changes you may be interested in."
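The two ideas above, a table that is generated from OS data rather than stored, and a scheduled query whose results are diffed over time into "state change" logs, can be sketched in a few dozen lines. The following is an added example written for this article, not osquery's own code: the `processes` rows are constructed sample data standing in for what a real table generator would collect, the in-memory SQLite table is only a convenience for running SQL over those rows, and the JSON field names (`name`, `hostIdentifier`, `unixTime`, `action`, `columns`) are assumed to mirror osquery's differential log shape.

```python
import json
import sqlite3
import time

# Constructed sample snapshots of a "processes" table at two scheduled runs.
# In osquery such rows are produced on demand from OS calls; here they are
# hand-written so the example runs offline.
SNAPSHOT_T0 = [
    {"pid": 1, "name": "init", "path": "/sbin/init", "uid": 0},
    {"pid": 412, "name": "sshd", "path": "/usr/sbin/sshd", "uid": 0},
    {"pid": 980, "name": "bash", "path": "/bin/bash", "uid": 1000},
]
SNAPSHOT_T1 = [
    {"pid": 1, "name": "init", "path": "/sbin/init", "uid": 0},
    {"pid": 412, "name": "sshd", "path": "/usr/sbin/sshd", "uid": 0},
    {"pid": 1337, "name": "nc", "path": "/tmp/nc", "uid": 1000},
]

COLUMNS = ("pid", "name", "path", "uid")

# A scheduled query as an administrator might register it with the daemon.
SCHEDULED_QUERY = "SELECT pid, name, path, uid FROM processes ORDER BY pid"


def run_query(rows, sql):
    """Expose generated rows as a relational table and run SQL over them.

    The table exists only for the lifetime of this call; nothing is persisted,
    which is the point: the "database" is really the generator's output.
    """
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.execute(
        "CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, uid INTEGER)"
    )
    con.executemany(
        "INSERT INTO processes VALUES (?, ?, ?, ?)",
        [tuple(r[c] for c in COLUMNS) for r in rows],
    )
    result = [dict(r) for r in con.execute(sql)]
    con.close()
    return result


def _row_key(row):
    # Hashable identity for a result row so two runs can be compared.
    return tuple(sorted(row.items()))


def differential(previous, current):
    """Return (added, removed) rows between two successive result sets."""
    prev = {_row_key(r): r for r in previous}
    curr = {_row_key(r): r for r in current}
    added = [curr[k] for k in curr if k not in prev]
    removed = [prev[k] for k in prev if k not in curr]
    return added, removed


def differential_log(query_name, host, previous, current, now=None):
    """Emit one JSON line per changed row, shaped like a differential result log.

    Field names are an assumption modeled on osquery's log output; a SIEM would
    ingest these lines and alert on, for example, a new process under /tmp.
    """
    now = int(time.time()) if now is None else now
    added, removed = differential(previous, current)
    lines = []
    for action, rows in (("added", added), ("removed", removed)):
        for r in rows:
            record = {
                "name": query_name,
                "hostIdentifier": host,
                "unixTime": now,
                "action": action,
                "columns": r,
            }
            lines.append(json.dumps(record, sort_keys=True))
    return lines


if __name__ == "__main__":
    first = run_query(SNAPSHOT_T0, SCHEDULED_QUERY)
    second = run_query(SNAPSHOT_T1, SCHEDULED_QUERY)
    for line in differential_log("processes_all", "host01", first, second):
        print(line)
```

Running the script prints two log lines: an `added` record for the `nc` process that appeared under `/tmp` and a `removed` record for the `bash` shell that exited. Rows that did not change produce no output, which is what keeps a daemon's logs small enough to ship to a SIEM.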

At present, osquery is only a command-line tool, though the Facebook spokesperson noted that the development team is looking at creating a lightweight native application to enable visualization of operating system state.

"We're releasing several tools as a part of the open-source release, and we have more planned," Facebook's Arpaia wrote. "We're also looking forward to seeing how the community uses the code base to create even more interesting tools."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.