Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

02:00 PM
Connect Directly

Facebook Launches New Open-Source OS Monitoring Tool

Modular framework can be used to schedule and log SQL-based queries.

Today Facebook is shaking up the OS monitoring ecosystem with the release of a new open-source project around operating system analytics and monitoring for multiple platforms including Ubuntu, CentOS, and Mac OSX. Called "osquery," the project is based on a modular framework shared by Facebook, to offer the security community a more affordable means of low-level operating system monitoring. In addition to asking for community involvement to build out components for the osquery framework, Facebook hopes to engage researchers to help harden the code already built by including it in its corporate bug bounty program.

"After talking with several external companies, it became clear to us that maintaining insight into the low-level behavior of operating systems is not a problem which is unique to Facebook," says Mike Arpaia, a software engineer at Facebook, explaining the impetus for sharing the project. He says this follows several months of sharing osquery with several external companies, which have used it and offered feedback for a wider open-source release.

The osquery framework is designed to improve operating system troubleshooting and monitoring by representing abstract operating system concepts as database tables that can be queried.

"This design allows you to write SQL-based queries efficiently and easily to explore operating systems," Arpaia says. "With osquery, SQL tables represent the current state of operating system attributes, such as running processes, loaded kernel modules, and open network connections."

Two of the defining features of the project as it stands are its interactive query console and its high-performance host monitoring daemon. The query console, osqueryi, offers up an SQL interface for exploring an operating system in order to diagnose systems operations problems and troubleshoot performance issues, Arpaia says. Meanwhile, the monitoring daemon, osqueryd, gives users the power to schedule queries across their infrastructures.

"The daemon takes care of aggregating the query results over time and generates logs, which indicate state changes in your infrastructure," Arpaia says. "You can use this to maintain insight into the security, performance, configuration, and state of your entire infrastructure."

This logging can also integrate into various log aggregation and log management platforms through osquery's plugin architecture. The framework's modular codebase is designed so that components like osqueryi and osqueryd can be "easily strung together" via a number of documented public APIs.

"Osquery was built so that every environment-specific aspect of the toolchain can be hot-swapped at run-time with custom plugins. Use these interfaces to deeply integrate osquery into your infrastructure if one of the several existing plugins doesn't suit your needs."

As for the bug bounty, Arpaia also announced today that Facebook is offering a minimum price tag of $2,500 for responsibly disclosed vulnerabilities in osquery core code, with rewards scaling upward based on severity. Some of the classes of bugs eligible for a bounty include privilege escalation and remote code execution.

Arpaia encourages researchers to take particular care poring over osqueryd, because it has the largest attack surface of all the components. He told researchers that the easiest way to find vulnerabilities would be to look at the SQL tables that osqueryd depends on to schedule queries.

"Many tables, like the 'apps' table and the 'launchd' table on OS X, do quite a bit of file parsing. If I were trying to find a vulnerability in osquery, I would look at those tables first. For example, the plist parsing code can be found at osquery/filesystem/darwin/plist.mm. Perhaps a specially formatted property list file could be created that causes unexpected behavior."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
Robert McDougal,
User Rank: Ninja
10/31/2014 | 5:33:32 PM
Without too much technical detail it sounds like they are attempting to develop a OS agnostic query language.  I noticed Windows wasn't mentioned in the article, do you happen to know if OSquery will include Microsoft support?
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-14
An overly permissive CORS policy in Devolutions Server before 2021.1 and Devolutions Server LTS before 2020.3.18 allows a remote attacker to leak cross-origin data via a crafted HTML page.
PUBLISHED: 2021-04-14
An SQL Injection issue in Devolutions Server before 2021.1 and Devolutions Server LTS before 2020.3.18 allows an administrative user to execute arbitrary SQL commands via a username in api/security/userinfo/delete.
PUBLISHED: 2021-04-14
An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error page
PUBLISHED: 2021-04-14
An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate filters on module layout settings could lead to an LFI.
PUBLISHED: 2021-04-14
Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system funct...