osquery

This week Facebook open sourced a project called osquery, which offers the ability to access low-level operating system information through simple SQL queries (more precisely, SQL as understood by SQLite). More information on how to navigate the tables can be found on the GitHub page.
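As an added illustration of what "operating system information through SQL" means in practice (this is example code, not from the original post or from the osquery project), here are three defender-oriented queries. They assume the interactive shell is called osqueryi and that the tables processes and listening_ports exist with the columns used below; check with .tables and .schema processes in the shell before relying on them.

```sql
-- Added example, not part of the original post or of the osquery project.
-- Assumptions: run inside the osqueryi shell; the tables processes and
-- listening_ports exist with the columns referenced here.

-- 1. Which process is listening on which port? A quick baseline that makes an
--    unexpected network service on a host stand out.
SELECT p.pid, p.name, p.path, lp.port, lp.protocol, lp.address
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
WHERE lp.port != 0          -- port 0 rows are Unix sockets, not network listeners
ORDER BY lp.port;

-- 2. Running processes whose executable has been removed from disk. A binary
--    deleted right after launch is a common sign of something trying to hide.
SELECT pid, name, path, cmdline
FROM processes
WHERE on_disk = 0;

-- 3. Processes running as root out of a temporary directory, which is rarely
--    legitimate on a server and worth reviewing.
SELECT pid, name, path, cmdline, uid
FROM processes
WHERE uid = 0
  AND (path LIKE '/tmp/%' OR path LIKE '/dev/shm/%');
```

Each query is ordinary SQLite syntax; osquery simply exposes live system state as virtual tables, so the same join and filter techniques you would use on a normal database apply to processes, sockets and users.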

Installing/building osquery on Linux (in my case Ubuntu 14.04 LTS) is as follows:

git clone https://github.com/facebook/osquery
cd osquery
make deps
make

Testing the project: make test

Deploying and running it: make install

make deps will take care of installing everything you need to compile osquery.

If there are any errors in your sources list, make deps will end with errors and osquery will not be installed, because the packages it needs are not available. Therefore make sure that you have the latest packages and that sources.list produces no errors: sudo apt-get update (also sudo apt-get upgrade). In case of errors, you can fix sources.list by editing it: sudo gedit /etc/apt/sources.list

Here is another good tutorial on installing and using osquery.