Deploying Osquery at Scale: A Comprehensive List of Open Source Tools

According to the official osquery docs, osquery (os=operating system) is an operating system instrumentation framework that exposes an operating system as a high-performance relational database. Using SQL, you can write a single query to explore any given data, regardless of operating system. (more on osquery basics here)


This, fundamentally, can help you see why osquery is a handy utility right out of the box, but the real value of the instrumentation agent is discovered when the data it can access is gathered and analyzed at scale, across an entire enterprise. When you look at developing a solution like this, osquery is a key part, but the entire system is not possible without additional components handling the transport, aggregation, storage, and presentation of all the rich data that osquery can provide. In some cases this could mean introducing a commercial offering, but in this post we’re going to outline how to make osquery work using supplementary open-source tools.

This list is by no means exhaustive, but we’ve distilled it down to some of the most commonly used tools for building an osquery ecosystem. We’ve split them into six functional areas: endpoint configuration, endpoint inspection, endpoint management, data transport, data storage, and data visualization. Combining one tool from each of these areas gives you a Do-It-Yourself starting point for deploying osquery at scale.


Endpoint Configuration/Deployment: How will you efficiently and seamlessly deliver osquery to the endpoint?

Chef, Ansible, and Puppet: while each of (Read more...)

*** This is a Security Bloggers Network syndicated blog from Uptycs Blog authored by Harry Hayward. Read the original post at: