Osquery Monthly: October 2019

What's happening in the world of osquery?

Osquery Monthly is back!

There’s been a lot of action in the osquery community since the last Osquery Monthly. In this edition we discuss the governance transition to the Linux Foundation, the release of osquery 4.0, QueryCon 2019, and more.

If you have suggestions for osquery news to include in a future edition, please get in touch.

Osquery Governance Transition

As of June 2019, the osquery project is under the governance of the Linux Foundation. See the announcement from the Linux Foundation.

Osquery’s technical direction is now steered by a technical committee representing osquery users across the community. Dactiv’s Zach Wasserman sits on this committee, along with engineers from Facebook, Trail of Bits, Google, and Kolide.

Osquery 4.0 Released

After the transition to community governance, a top priority for the new technical committee was releasing a new stable osquery version. Thanks to tremendous effort from engineers at Trail of Bits and Facebook, the project transitioned to a new build and dependency system, with CMake and Buck build systems supporting the various platforms.

Osquery 4.0.2 became this new stable release, with a huge changelog (published with the 4.0.1 release). Moving forward, stable releases are expected to return to a regular cadence.

QueryCon 2019

The second annual osquery conference took place in NYC in June, gathering the community during this time of transition.

Find slides from the talks on the program, and video recordings on YouTube.

For those looking to dig deeper into osquery internals, check out Alex Malone’s look at SQLite3 and RocksDB in osquery.

Tidbits

  • Carbon Black’s Query Exchange is a community query sharing platform that seems to have some vetting of queries from the Carbon Black team.
  • Recon Infosec’s Recon Hunt Queries is a nice resource for queries, organized by the targeted ATT&CK tactic.
  • There’s a new open-source osquery management server in town: osctrl.