OSQuery is an open source tool that exposes a device as a set of relational tables, so you can describe and inspect it with basic SQL commands. It is the most downloaded security repo on GitHub and was developed by Facebook engineers.


Deploying OSQuery

OSQuery provides a simple PKG for installing the software. Using Addigy, we can push this out silently to all our machines quite easily.


1. Download the PKG from their official webpage. 

(At the time of this article they were on 3.2.6)

https://osquery.io/downloads/official



Now that we have the PKG, let's create a Custom Software item from it. We'll deploy that Custom Software item to our machines once it's complete.


2. Navigate to Policies -> Catalog -> Custom Software -> Add Software



This will bring up the modal to create your Custom Software. Set a Name and Version, then press Create.


3. Let's configure our Custom Software

From here, upload your file in step 2, then press the Play button under Instruction; this will auto-generate an installation script for you.

Once that's complete, you have the minimum configuration needed and can save your Custom Software.




4. Now let's add that Custom Software to our policies.

Navigate to your policy (mine is Joel's Test), select Software, add your OSQuery Custom Software, then Deploy Changes.

And you're done!
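Once the policy has deployed, it is worth confirming on one of the machines that the package actually landed and the daemon is running, rather than trusting the Addigy status alone. The queries below are an added check, not part of the original post: open osqueryi on the Mac and run them. The `%osquery%` label filter on the launchd table is an assumption; check it against the plist name that ships with your PKG version.

```sql
-- Added verification queries (not from the original post): run in osqueryi
-- on a machine that received the OSQuery Custom Software item.

-- 1. Which osquery version did Addigy install? (osqueryi reports the
--    version of the binary you are running, which the PKG installed.)
SELECT version, build_platform, config_valid, start_time
FROM osquery_info;

-- 2. Was a launchd job registered for osqueryd? Label pattern is an
--    assumption; adjust it to the plist name in your PKG version.
SELECT label, program, run_at_load, disabled, path
FROM launchd
WHERE label LIKE '%osquery%';

-- 3. Is the daemon actually running right now, and as which user?
SELECT pid, name, path, uid, start_time
FROM processes
WHERE name = 'osqueryd';
```

If query 1 returns the expected version but query 3 returns no rows, the PKG installed but osqueryd was never loaded, which is the case Addigy's install status will not tell you about.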



Here's a small example of the power of OSQuery; more examples can be found on their website.

https://osquery.io
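As an added illustration of the "device as relational tables" idea from the introduction (these queries are not from the original post), here are three queries an admin might type into osqueryi on a freshly enrolled Mac. They use only tables that ship with osquery: `os_version`, `system_info`, `listening_ports`, `processes`, `users` and `launchd`.

```sql
-- Added example queries (not from the original post), run in osqueryi.

-- Inventory: OS version and hardware identity in a single row, by
-- cross-joining two one-row tables.
SELECT o.name, o.version, o.build,
       s.hostname, s.hardware_model, s.hardware_serial
FROM os_version o, system_info s;

-- Every process listening on a network port, joined to the process and
-- the user it runs as: a quick way to spot services you did not expect.
SELECT lp.port, lp.protocol, lp.address,
       p.pid, p.name, p.path, u.username
FROM listening_ports lp
JOIN processes p ON lp.pid = p.pid
LEFT JOIN users u ON p.uid = u.uid
WHERE lp.port != 0
ORDER BY lp.port;

-- Persistence review: launchd jobs that start at load from outside
-- /System, which is where third-party (and unwanted) agents live.
SELECT label, program, program_arguments, path
FROM launchd
WHERE run_at_load = '1'
  AND path NOT LIKE '/System/%';
```

The second query is the kind of thing that is tedious to assemble from `lsof` and `ps` by hand but is a single join here; scheduling it in an osquery pack and diffing the results over time is how it turns from a one-off check into detection.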