Kolide’s osquery is an operating system instrumentation framework for Windows, macOS, Linux, and FreeBSD that makes low-level operating system analytics and monitoring both performant and intuitive. It does so by exposing an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events, or file hashes.
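
As an added illustration (not part of the original page or of Duke's osquery configuration), the query below joins two of osquery's standard tables, `listening_ports` and `processes`, to list the programs accepting network connections on non-loopback addresses. It can be run locally in the `osqueryi` interactive shell.

```sql
-- Added example: which processes are listening for network connections?
-- listening_ports holds one row per listening socket; processes holds one
-- row per running process. Both expose the pid column, so they can be joined.
SELECT
  p.pid,
  p.name,
  p.path,
  p.on_disk,        -- 1 = binary exists on disk, 0 = binary missing, -1 = unknown
  lp.address,
  lp.port,
  lp.protocol       -- IP protocol number: 6 = TCP, 17 = UDP
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
WHERE lp.port != 0                                -- skip UNIX domain sockets
  AND lp.address NOT IN ('127.0.0.1', '::1')      -- skip loopback-only listeners
ORDER BY lp.port;
```

A row with `on_disk = 0` means the listening program's executable is no longer present at its recorded path, which is usually worth a closer look.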

Duke uses osquery to capture critical information from computers that are not part of one of the university’s other endpoint management solutions. While these other solutions provide the ability to make modifications to participating computers, osquery can only provide information about participating computers, leaving all computer maintenance up to the user.


To get started with Duke osquery, download and install the pre-configured osquery client software available from the OIT Software site.


Once the osquery client software is installed and properly configured to report to Duke’s Kolide Fleet server, there’s nothing else to do except keep the osquery software updated (which is the responsibility of the user).


More information about osquery can be found in the osquery documentation.