As a system administrator, I’ve often written Python scripts that query some other utility and then attempt to parse the value I need with sed and regular expressions. This task is tedious, and the parsing often needs to be adjusted because output isn’t consistent across OS versions. Adding osquery to my daily workflow has reduced the number of one-off scripts I write to collect system information. In my previous blog post I showed you how a query can be run by connecting the Go SDK to the osqueryd daemon. Today I want to show you how you can use the osqueryi shell as part of your daily workflow.
For this example, I am interested in retrieving the EFI version of a macOS host. Knowing the EFI version of your hosts can come in handy, especially when there is a known security vulnerability, but the value can also be hard to parse with just bash.
If you’re using osquery, getting the EFI version is a simple query:
SELECT version FROM platform_info;
Running the query in the osqueryi shell will print the output in an ASCII table, which is nice if we’re just exploring the data. But it’s a bit harder to parse from a script. Luckily, osqueryi has a few useful modes for printing output, so we can choose the one convenient for us.
.mode MODE  Set output mode where MODE is one of:
              csv      Comma-separated values
              column   Left-aligned columns (see .width)
              line     One value per line
              list     Values delimited by .separator string
              pretty   Pretty printed SQL results (default)
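Line mode is the easiest of these to consume from a plain POSIX shell script: every column comes out as one `key = value` line, so no regular expressions are needed. The following is an added example, not code from the original post; it assumes osqueryi’s `--line` flag (the command-line equivalent of `.mode line`) and, when osqueryi is not installed, falls back to a constructed sample of that output so the parsing can be exercised anywhere.

```shell
#!/bin/sh
# Constructed sample of what
#   osqueryi --line "SELECT version, vendor FROM platform_info;"
# prints: one "key = value" per line, keys right-aligned, rows separated
# by a blank line. The values below are made up for the example.
SAMPLE_LINE_OUTPUT='
  vendor = Apple Inc.
 version = 256.0.0.0.0
'

# Read osqueryi line-mode output on stdin and print the value of column $1.
# Splits on the first " = " only, so values containing "=" or spaces survive.
# Returns 1 if the column is not present.
line_mode_value() {
  while IFS= read -r line; do
    case "$line" in
      *" = "*)
        key=${line%% = *}                 # text before the first " = "
        key=${key#"${key%%[! ]*}"}        # strip the right-alignment padding
        if [ "$key" = "$1" ]; then
          printf '%s\n' "${line#* = }"    # everything after the first " = "
          return 0
        fi
        ;;
    esac
  done
  return 1
}

# EFI version of this host: run the real query when osqueryi is available,
# otherwise parse the constructed sample so the script still runs offline.
efi_version() {
  if command -v osqueryi >/dev/null 2>&1; then
    osqueryi --line "SELECT version FROM platform_info;" | line_mode_value version
  else
    printf '%s\n' "$SAMPLE_LINE_OUTPUT" | line_mode_value version
  fi
}

efi_version
```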
Besides giving us a common query language and a wide range of tables to instrument our systems, osquery lets us JOIN the tables to get structured data from different tables. I can query multiple tables to get a structured JSON response, and pass it to jq or to a server with
Osquery also has an ecosystem of tools to help us understand this data across
osqueryd enables us to schedule the query as part of a query pack and then monitor it through our log aggregation pipeline. Ad-hoc analysis is made easy by tools such as Kolide Fleet, which can instantaneously return results from any online hosts.
To learn more about remote querying osquery agents, check out our article Managing Osquery with Kolide Launcher and Fleet. For a more in-depth introduction to macOS instrumentation, see Monitoring macOS hosts with osquery.