
Facebook released an awesome open-source tool named Osquery that is maintained by a thriving community supported by the Linux Foundation and several product leaders such as Kolide, TrailOfBits, and Uptycs. With Osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events, or file hashes. This lets you write SQL queries to explore operating system data; in effect, Osquery exposes an operating system as a high-performance relational database.

However, Facebook did not release the server component of Osquery, and that gap has led to the creation of many projects: Kolide, Uptycs, Doorman, OSCRTL, and SGT, just to name a few. Not all of these projects support Osquery's file carve functionality, and in particular the open-source version of Kolide Fleet does not. This project set out to provide an open-source Osquery file carving server for file uploads and downloads that can be used with Kolide. My hope is that it benefits the community and provides an additional capability for Osquery that may not be supported by all fleet managers.

This project has been a 6-month effort that resulted in 4 blog posts, 3 Udemy certificates/courses, and 3 separate GitHub repos; the collection of these experiences and research led to the creation of this project. This blog post provides a deep dive into the architecture of the project, its design decisions, and lessons learned as an evolving incident response engineer.
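The two ideas above, operating system state queried as SQL tables and a file carve request that a carving server receives, as an added example written for this post; it is not code from the original post or from the project it describes, and the path pattern and address filter are constructed for illustration.

```sql
-- Added example (not from the project described in this post).
-- 1. Cross-table triage: processes that are listening on a non-loopback
--    address, joined to the hash table so the on-disk binary's SHA-256 can
--    be compared against known-good values. Column names are osquery's.
SELECT p.pid, p.name, p.path, lp.address, lp.port, lp.protocol, h.sha256
FROM processes AS p
JOIN listening_ports AS lp ON lp.pid = p.pid
JOIN hash AS h ON h.path = p.path
WHERE lp.port != 0
  AND lp.address NOT IN ('127.0.0.1', '::1', '0.0.0.0');

-- 2. File carve request: selecting from the carves table with carve = 1
--    schedules every file matching the path pattern (constructed here) for
--    upload to whatever carve server the agent is configured to talk to.
SELECT * FROM carves
WHERE path LIKE '/opt/example-app/bin/%' AND carve = 1;

-- 3. Carve status: each scheduled request appears as a row whose status
--    progresses (e.g. SCHEDULED, STARTING, SUCCESS or FAILED); carve_guid is
--    the identifier the server side uses to locate the uploaded archive.
SELECT time, path, size, sha256, status, carve_guid FROM carves;
```

Carving is disabled by default on the agent and must be switched on with `--disable_carver=false` before query 2 schedules anything.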
