Mike Arpaia, Ted Reed, Mimeframe and Javier Marcos de Prado worked on osquery for Facebook, and Arpaia offered an overview of the tool in a post on the social network’s engineering blog:
Maintaining real-time insight into the current state of your infrastructure is important. At Facebook, we’ve been working on a framework called osquery, which attempts to approach the concept of low-level operating system monitoring a little differently.
osquery exposes an operating system as a high-performance relational database. This design allows you to write SQL-based queries efficiently and easily to explore operating systems. With osquery, SQL tables represent the current state of operating system attributes, such as running processes, loaded kernel modules and open network connections.
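The queries below are an added example of what the passage describes (the operating system queried as a relational database); they are not code from the original post or from the osquery project. The table and column names used (`processes`, `users`, `listening_ports`, `process_open_sockets`, `kernel_modules`, `hash`, and the `on_disk` column) are assumed from osquery's published schema rather than stated in the post, and the baseline module names in the fourth query are placeholders for a site's own known-good list. Check `.schema <table>` in `osqueryi` for your version before scheduling any of these.

```sql
-- Added example (not from the original post or from the osquery project).
-- osquery's SQL dialect is SQLite's; each table is a live view of OS state.
-- Table and column names are assumptions from the published osquery schema.

-- 1. Running processes: owner and on-disk binary for every pid.
SELECT p.pid, p.name, p.path, u.username
FROM processes AS p
LEFT JOIN users AS u ON p.uid = u.uid
ORDER BY p.pid;

-- 2. Open network connections: listeners bound to a non-loopback address,
--    joined back to the owning process and its command line.
SELECT lp.pid, p.name, p.cmdline, lp.address, lp.port, lp.protocol
FROM listening_ports AS lp
JOIN processes AS p ON lp.pid = p.pid
WHERE lp.address NOT IN ('127.0.0.1', '::1')
  AND lp.port != 0;

-- 3. Established outbound connections per process, with the binary's SHA-256
--    so results can be compared against an allow list or a threat feed.
--    (hash is a table that requires a path constraint; the join supplies it.)
SELECT p.pid, p.name, s.remote_address, s.remote_port, h.sha256
FROM process_open_sockets AS s
JOIN processes AS p ON s.pid = p.pid
LEFT JOIN hash AS h ON h.path = p.path
WHERE s.remote_port != 0
  AND s.state = 'ESTABLISHED';

-- 4. Loaded kernel modules (Linux): anything outside a known-good baseline.
--    The names in the NOT IN list are placeholders; substitute your own baseline.
SELECT name, size, used_by, status
FROM kernel_modules
WHERE name NOT IN ('ext4', 'xfs', 'nf_conntrack');

-- 5. A running process whose executable no longer exists on disk is a
--    classic sign of an in-memory implant or of a binary swapped after launch.
SELECT pid, name, path, cmdline
FROM processes
WHERE on_disk = 0;
```

Run any of these interactively in `osqueryi`; to get the "real-time insight" the post talks about, the same statements go into an osqueryd schedule, where the daemon re-runs them at an interval and logs only the rows that were added or removed since the previous run.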
And on why Facebook chose to open-source osquery, Arpaia wrote:
After talking with several external companies, it became clear to us that maintaining insight into the low-level behavior of operating systems is not a problem that is unique to Facebook. Over the past few months, we have released the osquery code and binaries to a small number of external companies. They have successfully deployed and tested osquery within their environments and they’ve given us great feedback.
We’re excited to announce that we’re open-sourcing osquery today. You can check out the code and documentation on GitHub.
We’re looking forward to interacting with the community on future features. We do all of our work on osquery via GitHub, which makes working with external contributors a breeze. We hope you’ll see the potential in osquery and will build something amazing with us.