Introducing osquery for Windows (facebook.com)
118 points by megahz on Sept 28, 2016 | 17 comments


I'm feeling confused... like I've seen this in the past [0] [1] [2] but had no idea the project was affiliated with Facebook. Oh wait, I was thinking of envdb [3]... and meanwhile envdb is renamed to Kolide [4] and is targeting "osquery command and control".

    Infinite loop detected.
    Program aborted.
[0] https://github.com/osquery/osquery-python

[1] https://encrypted.google.com/search?q=site%3Anews.ycombinato...

[2] https://news.ycombinator.com/item?id=8528460

[3] https://news.ycombinator.com/item?id=9324717

[4] https://github.com/kolide/kolide


I'm one of the founders of Kolide. Hopefully I can clarify these issues.

osquery (https://osquery.io/) is an endpoint instrumentation project from Facebook. It exposes system internals in a SQL interface (using SQLite internally) so that you can join disparate sources of data about system state. It originally launched with Linux and OSX support, and this announcement brings Windows support (though no pre-built binaries yet). The beauty of this is that we will soon be able to use the same, open-source endpoint instrumentation tool on a huge range of hosts.

Kolide (https://kolide.co/) aims to unlock the power of osquery's instrumentation through a unified command and control interface. Mike Arpaia (another Kolide founder) and I have been working on osquery since Mike started the project at Facebook. We believe strongly in osquery as a cross-platform open-source agent, and we feel that a proper management solution will greatly improve the impact of osquery. Soon, Kolide will enable security, devops, IT and compliance teams to gain insight and take action across their infrastructure.

EnvDB was a prototype project that led to the formation of Kolide.

Note: We write Go and JS and are hiring engineers who are interested in solving security problems and working on open source. Remote possible. (https://angel.co/kolideco/jobs)


osquery originated with Facebook and Kolide was founded by ex-Facebookers.


Can the link be changed from m.facebook.com to facebook.com?


I dunno, I find the m. version much more readable...


yc does not provide an edit button.


This is quite nice to see. When I first heard about osquery, I thought "cool, WMI (well, WQL) for Linux".


For Linux & Co it is called OMI: https://github.com/Microsoft/omi

And it is just the API; you can layer osquery or PowerShell or Ansible or whatever on top.

This free Pluralsight course about PowerShell for Linux with its inventor Jeffrey Snover has a module where they talk about DSC/OMI:

https://www.pluralsight.com/courses/play-by-play-microsoft-o...


So they have reinvented Windows Management Instrumentation (WMI)? I think it even uses similar pseudo-SQL queries.

Thank you, I'll stay with the Microsoft solution that will still work in 10 years.


The blog post by the team that did the port (Trail of Bits) mentions that it uses WMI and shims the data into osquery.

https://blog.trailofbits.com/2016/09/27/windows-network-secu...


Except WMI is, as the name implies, Windows-only.


Except that it works on Linux and Mac.


That was what I was thinking. I use it all the time.


WQL queries over WMI do not give you the full generality of SQL, though.


This is very cool. I've recently come to a very sincere appreciation for SQL, to the point that I've dumped data into an in-memory SQLite instance just to do the analysis.
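The Kolide founder's comment above describes osquery as a SQL interface (SQLite underneath) that lets you join disparate sources of system state, and this comment describes dumping data into in-memory SQLite for analysis. The example below is added here to illustrate both points; it is not code from the original thread, from osquery or from Kolide. It loads constructed rows shaped like osquery's `processes`, `listening_ports` and `users` tables into an in-memory SQLite database and runs the kind of join you would type into osqueryi: every process with a listening socket, resolved to its owning user, and filtered against an allowlist of expected listener binaries. The table shapes use a subset of the real osquery column names; the row values and the allowlist are constructed for the example.

```python
import sqlite3

# Constructed sample snapshot (values are made up for this example; column
# names are a subset of the osquery `processes`, `listening_ports` and `users`
# schemas, which is what an osquery query would actually run against).
PROCESSES = [
    # pid, name, path, uid
    (1, "systemd", "/usr/lib/systemd/systemd", 0),
    (742, "sshd", "/usr/sbin/sshd", 0),
    (913, "nginx", "/usr/sbin/nginx", 33),
    (2201, "python3", "/tmp/.cache/python3", 1000),
    (2310, "bash", "/bin/bash", 1000),
]
LISTENING_PORTS = [
    # pid, port, protocol (6 = TCP), address
    (742, 22, 6, "0.0.0.0"),
    (913, 80, 6, "0.0.0.0"),
    (2201, 8443, 6, "0.0.0.0"),
]
USERS = [
    # uid, username
    (0, "root"),
    (33, "www-data"),
    (1000, "alice"),
]

# Constructed baseline: binaries that are expected to hold listening sockets
# on this host. Anything else that listens is worth a look.
EXPECTED_LISTENERS = ("/usr/sbin/sshd", "/usr/sbin/nginx")


def load_snapshot():
    """Load the constructed snapshot into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, uid INTEGER);
        CREATE TABLE listening_ports (pid INTEGER, port INTEGER,
                                      protocol INTEGER, address TEXT);
        CREATE TABLE users (uid INTEGER, username TEXT);
        """
    )
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?, ?)", PROCESSES)
    conn.executemany("INSERT INTO listening_ports VALUES (?, ?, ?, ?)", LISTENING_PORTS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def unexpected_listeners(conn, allowlist):
    """Join sockets -> processes -> users and keep listeners outside the allowlist.

    Returns a list of (pid, name, path, username, port, address) tuples.
    """
    placeholders = ",".join("?" * len(allowlist))
    sql = f"""
        SELECT p.pid, p.name, p.path, u.username, lp.port, lp.address
        FROM listening_ports AS lp
        JOIN processes AS p ON p.pid = lp.pid
        JOIN users AS u ON u.uid = p.uid
        WHERE p.path NOT IN ({placeholders})
        ORDER BY p.pid
    """
    return conn.execute(sql, tuple(allowlist)).fetchall()


def listeners_by_user(conn):
    """Aggregate across the same join: how many listening sockets each user owns."""
    sql = """
        SELECT u.username, COUNT(*) AS sockets
        FROM listening_ports AS lp
        JOIN processes AS p ON p.pid = lp.pid
        JOIN users AS u ON u.uid = p.uid
        GROUP BY u.username
        ORDER BY u.username
    """
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = load_snapshot()
    for row in unexpected_listeners(db, EXPECTED_LISTENERS):
        print("unexpected listener:", row)
    for username, count in listeners_by_user(db):
        print(f"{username}: {count} listening socket(s)")
```

The same two statements, minus the table-creation boilerplate, run unchanged in osqueryi against the live tables; the SQLite stand-in only exists so the example is self-contained. The allowlist comparison on `path` rather than `name` is deliberate: a process name is whatever the binary calls itself, while the on-disk path is what you actually baselined.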


I use osquery for Linux at my job. But I find its regex capabilities for specifying paths and various file names very restrictive. I really want to use this for FIM.


Is anyone doing a GraphQL API for osquery for Windows?



