I’m excited to share that we have just released free online training to introduce you to osquery. Our goal was to combine quick setup and hands on labs with complete accessibility, so that anyone who wanted to give osquery a try, could.
Osquery offers introspection capabilities for macOS that were previously difficult to achieve. Osquery uses a universal agent to collect and return a nearly unlimited amount of endpoint data that can then be queried like a database using SQL. For macOS system administrators, this opens up a world of quickly accessible system monitoring capabilities that we'll explore here today.
In this post and video (click here to skip ahead to the video), we'll review some of the basic tasks for macOS system monitoring with osquery (osquery can be used for Linux and Windows as well, but because macOS was previously so underserved, I'm focusing there. Most commands we'll review will be the same or similar for other systems).
What we'll cover:
There have been several cases in the past year of major software vendors inadvertently introducing vulnerabilities through browser extensions. Last August, it was reported that 4.7M Chrome users were at risk due to malicious code injected into eight different Chrome extensions. This past November, Cisco's Webex extension - a widely adopted video conferencing platform - was found to have multiple vulnerabilities.
Filepath globbing (filename patterns with wildcards) support in osquery has regularly been a source of confusion, frustration, and lost time. You can certainly explore the wildcarding system in these osquery docs, but it is hoped that the notes below will help shed light on how globbing in osquery actually works to help save you some grief.