
Sysadmin Facebook OSQuery

Discussion in 'System Administration' started by eva2000, Feb 5, 2017.

  1. eva2000

    Came across an interesting tool called osquery (GitHub - facebook/osquery: "SQL powered operating system instrumentation, monitoring, and analytics"), with the official site at osquery.io. It exposes the running system (processes, sockets, users, cron jobs, SSH keys, kernel modules, ...) as SQL tables you can query interactively or on a schedule.

    CentOS 7 Install
    Code (Text):
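    # Fetch the osquery yum repo package to disk first so its signature/digest can be
    # checked before anything is installed. `rpm -ivh <URL>` installs whatever is
    # downloaded and, if the signing key is not yet imported, only warns (NOKEY) and
    # proceeds. `rpm -K` also reports NOKEY until the key is imported, so import and
    # verify the osquery signing key before trusting its output.
    curl -fsSLO https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm
    rpm -K osquery-s3-centos7-repo-1-0.0.noarch.rpm
    rpm -ivh osquery-s3-centos7-repo-1-0.0.noarch.rpm
    # The repo package drops a .repo file under /etc/yum.repos.d; confirm it sets
    # gpgcheck=1 so the packages yum pulls from it are signature-checked as well.
    grep -H gpgcheck /etc/yum.repos.d/*osquery*.repo
    yum install osquery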
    

    CentOS 6 Install
    Code (Text):
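    # Same as CentOS 7: download first so the repo package can be verified before
    # installation instead of installing straight from the URL (rpm only warns
    # NOKEY for an unknown signing key and proceeds). Import the osquery signing
    # key before relying on the `rpm -K` result.
    curl -fsSLO https://osquery-packages.s3.amazonaws.com/centos6/noarch/osquery-s3-centos6-repo-1-0.0.noarch.rpm
    rpm -K osquery-s3-centos6-repo-1-0.0.noarch.rpm
    rpm -ivh osquery-s3-centos6-repo-1-0.0.noarch.rpm
    # Confirm the dropped .repo file enforces gpgcheck=1 before installing from it.
    grep -H gpgcheck /etc/yum.repos.d/*osquery*.repo
    yum install osquery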
    

    Code (Text):
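    # Start from the shipped example config, but review it before enabling the
    # daemon: osqueryd runs the queries and packs scheduled in this file, so it
    # must be owned by root and not writable by anyone else.
    cp /usr/share/osquery/osquery.example.conf /etc/osquery/osquery.conf
    chown root:root /etc/osquery/osquery.conf
    chmod 640 /etc/osquery/osquery.conf
    # Validate the config before starting; a broken config is otherwise only
    # visible afterwards via the config_valid column of the osquery_info table.
    osqueryd --config_check
    service osqueryd start
    service osqueryd status
    chkconfig osqueryd on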
    


    In the interactive shell (osqueryi), `.schema` lists every table and its columns so you know which fields you can query. For a security baseline, the tables below worth noting are authorized_keys, user_ssh_keys, crontab, sudoers, suid_bin, listening_ports, process_open_sockets, kernel_modules and iptables.
    Code (Text):
    osqueryi
    Using a virtual database. Need help, type '.help'
    osquery> .schema
    CREATE TABLE acpi_tables(`name` TEXT, `size` INTEGER, `md5` TEXT);
    CREATE TABLE apt_sources(`name` TEXT, `base_uri` TEXT, `package_cache_file` TEXT, `release` TEXT, `component` TEXT, `version` TEXT, `maintainer` TEXT, `site` TEXT);
    CREATE TABLE arp_cache(`address` TEXT, `mac` TEXT, `interface` TEXT, `permanent` TEXT);
    CREATE TABLE augeas(`node` TEXT, `value` TEXT, `label` TEXT, `path` TEXT);
    CREATE TABLE authorized_keys(`uid` BIGINT, `algorithm` TEXT, `key` TEXT, `key_file` TEXT);
    CREATE TABLE block_devices(`name` TEXT, `parent` TEXT, `vendor` TEXT, `model` TEXT, `size` BIGINT, `uuid` TEXT, `type` TEXT, `label` TEXT);
    CREATE TABLE carbon_black_info(`sensor_id` INTEGER, `config_name` TEXT, `collect_store_files` INTEGER, `collect_module_loads` INTEGER, `collect_module_info` INTEGER, `collect_file_mods` INTEGER, `collect_reg_mods` INTEGER, `collect_net_conns` INTEGER, `collect_processes` INTEGER, `collect_cross_processes` INTEGER, `collect_emet_events` INTEGER, `collect_data_file_writes` INTEGER, `collect_process_user_context` INTEGER, `collect_sensor_operations` INTEGER, `log_file_disk_quota_mb` INTEGER, `log_file_disk_quota_percentage` INTEGER, `protection_disabled` INTEGER, `sensor_ip_addr` TEXT, `sensor_backend_server` TEXT, `event_queue` INTEGER, `binary_queue` INTEGER);
    CREATE TABLE chrome_extensions(`uid` BIGINT, `name` TEXT, `identifier` TEXT, `version` TEXT, `description` TEXT, `locale` TEXT, `update_url` TEXT, `author` TEXT, `persistent` INTEGER, `path` TEXT);
    CREATE TABLE cpu_time(`core` INTEGER, `user` BIGINT, `nice` BIGINT, `system` BIGINT, `idle` BIGINT, `iowait` BIGINT, `irq` BIGINT, `softirq` BIGINT, `steal` BIGINT, `guest` BIGINT, `guest_nice` BIGINT);
    CREATE TABLE cpuid(`feature` TEXT, `value` TEXT, `output_register` TEXT, `output_bit` INTEGER, `input_eax` TEXT);
    CREATE TABLE crontab(`event` TEXT, `minute` TEXT, `hour` TEXT, `day_of_month` TEXT, `month` TEXT, `day_of_week` TEXT, `command` TEXT, `path` TEXT);
    CREATE TABLE deb_packages(`name` TEXT, `version` TEXT, `source` TEXT, `size` BIGINT, `arch` TEXT, `revision` TEXT);
    CREATE TABLE device_file(`device` TEXT, `partition` TEXT, `path` TEXT, `filename` TEXT, `inode` BIGINT, `uid` BIGINT, `gid` BIGINT, `mode` TEXT, `size` BIGINT, `block_size` INTEGER, `atime` BIGINT, `mtime` BIGINT, `ctime` BIGINT, `hard_links` INTEGER, `type` TEXT);
    CREATE TABLE device_hash(`device` TEXT, `partition` TEXT, `inode` BIGINT, `md5` TEXT, `sha1` TEXT, `sha256` TEXT);
    CREATE TABLE device_partitions(`device` TEXT, `partition` INTEGER, `label` TEXT, `type` TEXT, `offset` BIGINT, `blocks_size` BIGINT, `blocks` BIGINT, `inodes` BIGINT, `flags` INTEGER);
    CREATE TABLE disk_encryption(`name` TEXT, `uuid` TEXT, `encrypted` INTEGER, `type` TEXT, `uid` TEXT, `user_uuid` TEXT);
    CREATE TABLE dns_resolvers(`id` INTEGER, `type` TEXT, `address` TEXT, `netmask` TEXT, `options` BIGINT);
    CREATE TABLE etc_hosts(`address` TEXT, `hostnames` TEXT);
    CREATE TABLE etc_protocols(`name` TEXT, `number` INTEGER, `alias` TEXT, `comment` TEXT);
    CREATE TABLE etc_services(`name` TEXT, `port` INTEGER, `protocol` TEXT, `aliases` TEXT, `comment` TEXT);
    CREATE TABLE file(`path` TEXT PRIMARY KEY, `directory` TEXT, `filename` TEXT, `inode` BIGINT, `uid` BIGINT, `gid` BIGINT, `mode` TEXT, `device` BIGINT, `size` BIGINT, `block_size` INTEGER, `atime` BIGINT, `mtime` BIGINT, `ctime` BIGINT, `btime` BIGINT, `hard_links` INTEGER, `type` TEXT) WITHOUT ROWID;
    CREATE TABLE file_events(`target_path` TEXT, `category` TEXT, `action` TEXT, `transaction_id` BIGINT, `inode` BIGINT, `uid` BIGINT, `gid` BIGINT, `mode` TEXT, `size` BIGINT, `atime` BIGINT, `mtime` BIGINT, `ctime` BIGINT, `md5` TEXT, `sha1` TEXT, `sha256` TEXT, `hashed` INTEGER, `time` BIGINT);
    CREATE TABLE firefox_addons(`uid` BIGINT, `name` TEXT, `identifier` TEXT, `creator` TEXT, `type` TEXT, `version` TEXT, `description` TEXT, `source_url` TEXT, `visible` INTEGER, `active` INTEGER, `disabled` INTEGER, `autoupdate` INTEGER, `native` INTEGER, `location` TEXT, `path` TEXT);
    CREATE TABLE groups(`gid` BIGINT PRIMARY KEY, `gid_signed` BIGINT, `groupname` TEXT) WITHOUT ROWID;
    CREATE TABLE hardware_events(`action` TEXT, `path` TEXT, `type` TEXT, `driver` TEXT, `vendor` TEXT, `vendor_id` TEXT, `model` TEXT, `model_id` TEXT, `serial` TEXT, `revision` TEXT, `time` BIGINT);
    CREATE TABLE hash(`path` TEXT PRIMARY KEY, `directory` TEXT, `md5` TEXT, `sha1` TEXT, `sha256` TEXT) WITHOUT ROWID;
    CREATE TABLE interface_addresses(`interface` TEXT, `address` TEXT, `mask` TEXT, `broadcast` TEXT, `point_to_point` TEXT);
    CREATE TABLE interface_details(`interface` TEXT, `mac` TEXT, `type` INTEGER, `mtu` INTEGER, `metric` INTEGER, `ipackets` BIGINT, `opackets` BIGINT, `ibytes` BIGINT, `obytes` BIGINT, `ierrors` BIGINT, `oerrors` BIGINT, `idrops` BIGINT, `odrops` BIGINT, `last_change` BIGINT, `description` TEXT, `manufacturer` TEXT, `connection_id` TEXT, `connection_status` TEXT, `enabled` INTEGER, `physical_adapter` INTEGER, `speed` INTEGER, `dhcp_enabled` INTEGER, `dhcp_lease_expires` TEXT, `dhcp_lease_obtained` TEXT, `dhcp_server` TEXT, `dns_domain` TEXT, `dns_domain_suffix_search_order` TEXT, `dns_host_name` TEXT, `dns_server_search_order` TEXT);
    CREATE TABLE iptables(`filter_name` TEXT, `chain` TEXT, `policy` TEXT, `target` TEXT, `protocol` INTEGER, `src_ip` TEXT, `src_mask` TEXT, `iniface` TEXT, `iniface_mask` TEXT, `dst_ip` TEXT, `dst_mask` TEXT, `outiface` TEXT, `outiface_mask` TEXT, `match` TEXT, `packets` INTEGER, `bytes` INTEGER);
    CREATE TABLE kernel_info(`version` TEXT, `arguments` TEXT, `path` TEXT, `device` TEXT);
    CREATE TABLE kernel_integrity(`sycall_addr_modified` INTEGER, `text_segment_hash` TEXT);
    CREATE TABLE kernel_modules(`name` TEXT, `size` TEXT, `used_by` TEXT, `status` TEXT, `address` TEXT);
    CREATE TABLE known_hosts(`uid` BIGINT, `key` TEXT, `key_file` TEXT);
    CREATE TABLE last(`username` TEXT, `tty` TEXT, `pid` INTEGER, `type` INTEGER, `time` INTEGER, `host` TEXT);
    CREATE TABLE listening_ports(`pid` INTEGER, `port` INTEGER, `protocol` INTEGER, `family` INTEGER, `address` TEXT);
    CREATE TABLE logged_in_users(`type` TEXT, `user` TEXT, `tty` TEXT, `host` TEXT, `time` INTEGER, `pid` INTEGER);
    CREATE TABLE magic(`path` TEXT, `data` TEXT, `mime_type` TEXT, `mime_encoding` TEXT);
    CREATE TABLE memory_info(`memory_total` BIGINT, `memory_free` BIGINT, `buffers` BIGINT, `cached` BIGINT, `swap_cached` BIGINT, `active` BIGINT, `inactive` BIGINT, `swap_total` BIGINT, `swap_free` BIGINT);
    CREATE TABLE memory_map(`name` TEXT, `start` TEXT, `end` TEXT);
    CREATE TABLE mounts(`device` TEXT, `device_alias` TEXT, `path` TEXT, `type` TEXT, `blocks_size` BIGINT, `blocks` BIGINT, `blocks_free` BIGINT, `blocks_available` BIGINT, `inodes` BIGINT, `inodes_free` BIGINT, `flags` TEXT);
    CREATE TABLE msr(`processor_number` BIGINT, `turbo_disabled` BIGINT, `turbo_ratio_limit` BIGINT, `platform_info` BIGINT, `perf_ctl` BIGINT, `perf_status` BIGINT, `feature_control` BIGINT, `rapl_power_limit` BIGINT, `rapl_energy_status` BIGINT, `rapl_power_units` BIGINT);
    CREATE TABLE opera_extensions(`uid` BIGINT, `name` TEXT, `identifier` TEXT, `version` TEXT, `description` TEXT, `locale` TEXT, `update_url` TEXT, `author` TEXT, `persistent` INTEGER, `path` TEXT);
    CREATE TABLE os_version(`name` TEXT, `version` TEXT, `major` INTEGER, `minor` INTEGER, `patch` INTEGER, `build` TEXT, `platform` TEXT, `platform_like` TEXT, `codename` TEXT);
    CREATE TABLE osquery_events(`name` TEXT, `publisher` TEXT, `type` TEXT, `subscriptions` INTEGER, `events` INTEGER, `refreshes` INTEGER, `active` INTEGER);
    CREATE TABLE osquery_extensions(`uuid` BIGINT, `name` TEXT, `version` TEXT, `sdk_version` TEXT, `path` TEXT, `type` TEXT);
    CREATE TABLE osquery_flags(`name` TEXT, `type` TEXT, `description` TEXT, `default_value` TEXT, `value` TEXT, `shell_only` INTEGER);
    CREATE TABLE osquery_info(`pid` INTEGER, `version` TEXT, `config_hash` TEXT, `config_valid` INTEGER, `extensions` TEXT, `build_platform` TEXT, `build_distro` TEXT, `start_time` INTEGER, `watcher` INTEGER);
    CREATE TABLE osquery_packs(`name` TEXT, `platform` TEXT, `version` TEXT, `shard` INTEGER, `discovery_cache_hits` INTEGER, `discovery_executions` INTEGER, `active` INTEGER);
    CREATE TABLE osquery_registry(`registry` TEXT, `name` TEXT, `owner_uuid` INTEGER, `internal` INTEGER, `active` INTEGER);
    CREATE TABLE osquery_schedule(`name` TEXT, `query` TEXT, `interval` INTEGER, `executions` BIGINT, `last_executed` BIGINT, `output_size` BIGINT, `wall_time` BIGINT, `user_time` BIGINT, `system_time` BIGINT, `average_memory` BIGINT);
    CREATE TABLE pci_devices(`pci_slot` TEXT, `pci_class` TEXT, `driver` TEXT, `vendor` TEXT, `vendor_id` TEXT, `model` TEXT, `model_id` TEXT);
    CREATE TABLE platform_info(`vendor` TEXT, `version` TEXT, `date` TEXT, `revision` TEXT, `address` TEXT, `size` TEXT, `volume_size` INTEGER, `extra` TEXT);
    CREATE TABLE portage_keywords(`package` TEXT, `version` TEXT, `keyword` TEXT, `mask` INTEGER, `unmask` INTEGER);
    CREATE TABLE portage_packages(`package` TEXT, `version` TEXT, `slot` TEXT, `build_time` BIGINT, `repository` TEXT, `eapi` BIGINT, `size` BIGINT, `world` INTEGER);
    CREATE TABLE portage_use(`package` TEXT, `version` TEXT, `use` TEXT);
    CREATE TABLE process_envs(`pid` INTEGER PRIMARY KEY, `key` TEXT, `value` TEXT) WITHOUT ROWID;
    CREATE TABLE process_events(`pid` BIGINT, `path` TEXT, `mode` BIGINT, `cmdline` TEXT, `cmdline_size` BIGINT, `env` TEXT, `env_count` BIGINT, `env_size` BIGINT, `uid` BIGINT, `euid` BIGINT, `gid` BIGINT, `egid` BIGINT, `owner_uid` BIGINT, `owner_gid` BIGINT, `atime` BIGINT, `mtime` BIGINT, `ctime` BIGINT, `btime` BIGINT, `overflows` TEXT, `parent` BIGINT, `time` BIGINT, `uptime` BIGINT, `access_time` BIGINT HIDDEN, `create_time` BIGINT HIDDEN, `change_time` BIGINT HIDDEN, `environment` TEXT HIDDEN, `environment_count` BIGINT HIDDEN, `environment_size` BIGINT HIDDEN, `modify_time` BIGINT HIDDEN);
    CREATE TABLE process_memory_map(`pid` INTEGER PRIMARY KEY, `start` TEXT, `end` TEXT, `permissions` TEXT, `offset` BIGINT, `device` TEXT, `inode` INTEGER, `path` TEXT, `pseudo` INTEGER) WITHOUT ROWID;
    CREATE TABLE process_open_files(`pid` BIGINT PRIMARY KEY, `fd` BIGINT, `path` TEXT) WITHOUT ROWID;
    CREATE TABLE process_open_sockets(`pid` INTEGER PRIMARY KEY, `fd` BIGINT, `socket` BIGINT, `family` INTEGER, `protocol` INTEGER, `local_address` TEXT, `remote_address` TEXT, `local_port` INTEGER, `remote_port` INTEGER, `path` TEXT) WITHOUT ROWID;
    CREATE TABLE processes(`pid` BIGINT PRIMARY KEY, `name` TEXT, `path` TEXT, `cmdline` TEXT, `state` TEXT, `cwd` TEXT, `root` TEXT, `uid` BIGINT, `gid` BIGINT, `euid` BIGINT, `egid` BIGINT, `suid` BIGINT, `sgid` BIGINT, `on_disk` INTEGER, `wired_size` BIGINT, `resident_size` BIGINT, `total_size` BIGINT, `user_time` BIGINT, `system_time` BIGINT, `start_time` BIGINT, `parent` BIGINT, `pgroup` BIGINT, `threads` INTEGER, `nice` INTEGER, `phys_footprint` BIGINT HIDDEN) WITHOUT ROWID;
    CREATE TABLE routes(`destination` TEXT, `netmask` TEXT, `gateway` TEXT, `source` TEXT, `flags` INTEGER, `interface` TEXT, `mtu` INTEGER, `metric` INTEGER, `type` TEXT);
    CREATE TABLE rpm_package_files(`package` TEXT PRIMARY KEY, `path` TEXT, `username` TEXT, `groupname` TEXT, `mode` TEXT, `size` BIGINT, `sha256` TEXT) WITHOUT ROWID;
    CREATE TABLE rpm_packages(`name` TEXT, `version` TEXT, `release` TEXT, `source` TEXT, `size` BIGINT, `sha1` TEXT, `arch` TEXT);
    CREATE TABLE shared_memory(`shmid` INTEGER, `owner_uid` BIGINT, `creator_uid` BIGINT, `pid` BIGINT, `creator_pid` BIGINT, `atime` BIGINT, `dtime` BIGINT, `ctime` BIGINT, `permissions` TEXT, `size` BIGINT, `attached` INTEGER, `status` TEXT, `locked` INTEGER);
    CREATE TABLE shell_history(`uid` BIGINT, `time` INTEGER, `command` TEXT, `history_file` TEXT);
    CREATE TABLE smbios_tables(`number` INTEGER, `type` INTEGER, `description` TEXT, `handle` INTEGER, `header_size` INTEGER, `size` INTEGER, `md5` TEXT);
    CREATE TABLE socket_events(`action` TEXT, `pid` BIGINT, `path` TEXT, `fd` TEXT, `success` INTEGER, `family` INTEGER, `protocol` INTEGER, `local_address` TEXT, `remote_address` TEXT, `local_port` INTEGER, `remote_port` INTEGER, `socket` TEXT, `time` BIGINT, `uptime` BIGINT);
    CREATE TABLE sudoers(`header` TEXT, `rule_details` TEXT);
    CREATE TABLE suid_bin(`path` TEXT, `username` TEXT, `groupname` TEXT, `permissions` TEXT);
    CREATE TABLE syslog(`time` BIGINT, `datetime` TEXT, `host` TEXT, `severity` INTEGER, `facility` TEXT, `tag` TEXT, `message` TEXT);
    CREATE TABLE system_controls(`name` TEXT PRIMARY KEY, `oid` TEXT, `subsystem` TEXT, `current_value` TEXT, `config_value` TEXT, `type` TEXT) WITHOUT ROWID;
    CREATE TABLE system_info(`hostname` TEXT, `uuid` TEXT, `cpu_type` TEXT, `cpu_subtype` TEXT, `cpu_brand` TEXT, `cpu_physical_cores` INTEGER, `cpu_logical_cores` INTEGER, `physical_memory` BIGINT, `hardware_vendor` TEXT, `hardware_model` TEXT, `hardware_version` TEXT, `hardware_serial` TEXT, `computer_name` TEXT);
    CREATE TABLE time(`weekday` TEXT, `year` INTEGER, `month` INTEGER, `day` INTEGER, `hour` INTEGER, `minutes` INTEGER, `seconds` INTEGER, `timezone` TEXT, `local_time` INTEGER, `local_timezone` TEXT, `unix_time` INTEGER, `timestamp` TEXT, `datetime` TEXT, `iso_8601` TEXT, `date_time` TEXT HIDDEN, `localtime` INTEGER HIDDEN);
    CREATE TABLE uptime(`days` INTEGER, `hours` INTEGER, `minutes` INTEGER, `seconds` INTEGER, `total_seconds` BIGINT);
    CREATE TABLE usb_devices(`usb_address` INTEGER, `usb_port` INTEGER, `vendor` TEXT, `vendor_id` TEXT, `model` TEXT, `model_id` TEXT, `serial` TEXT, `removable` INTEGER);
    CREATE TABLE user_events(`uid` BIGINT, `pid` BIGINT, `message` TEXT, `type` INTEGER, `path` TEXT, `address` TEXT, `terminal` TEXT, `time` BIGINT, `uptime` BIGINT);
    CREATE TABLE user_groups(`uid` BIGINT, `gid` BIGINT);
    CREATE TABLE user_ssh_keys(`uid` BIGINT, `path` TEXT, `encrypted` INTEGER);
    CREATE TABLE users(`uid` BIGINT PRIMARY KEY, `gid` BIGINT, `uid_signed` BIGINT, `gid_signed` BIGINT, `username` TEXT, `description` TEXT, `directory` TEXT, `shell` TEXT, `uuid` TEXT) WITHOUT ROWID;
    CREATE TABLE yara(`path` TEXT, `matches` TEXT, `count` INTEGER, `sig_group` TEXT, `sigfile` TEXT, `strings` TEXT, `tags` TEXT);
    CREATE TABLE yara_events(`target_path` TEXT, `category` TEXT, `action` TEXT, `transaction_id` BIGINT, `matches` TEXT, `count` INTEGER, `time` BIGINT, `strings` TEXT, `tags` TEXT);
    

    Example from SQL Introduction - osquery

    So, to list processes by pid, name, path and resident size from the processes table:
    Code (Text):
    osquery> SELECT pid, name, path, resident_size FROM processes;
    +-------+-----------------+-----------------------------------+---------------+
    | pid   | name            | path                              | resident_size |
    +-------+-----------------+-----------------------------------+---------------+
    | 1     | systemd         | /usr/lib/systemd/systemd          | 3864000       |
    | 10    | watchdog/0      |                                   |               |
    | 10090 | kworker/1:3     |                                   |               |
    | 10207 | sshd            | /usr/sbin/sshd                    | 5668000       |
    | 10209 | bash            | /usr/bin/bash                     | 3580000       |
    | 10464 | osqueryd        | /usr/bin/osqueryd                 | 9676000       |
    | 10467 | osqueryd        | /usr/bin/osqueryd                 | 11452000      |
    | 10912 | kworker/1:4     |                                   |               |
    | 11    | watchdog/1      |                                   |               |
    | 11032 | osqueryi        | /usr/bin/osqueryi                 | 11040000      |
    | 1152  | nfsiod          |                                   |               |
    | 12    | migration/1     |                                   |               |
    | 12277 | kworker/2:0     |                                   |               |
    | 1239  | nfsv4.0-svc     |                                   |               |
    | 1281  | mysqld          | /usr/sbin/mysqld                  | 997944000     |
    | 13    | ksoftirqd/1     |                                   |               |
    | 1335  | master          | /usr/libexec/postfix/master       | 2256000       |
    | 1337  | qmgr            | /usr/libexec/postfix/qmgr         | 4084000       |
    | 1399  | agetty          | /usr/sbin/agetty                  | 824000        |
    | 140   | kauditd         |                                   |               |
    | 1400  | crond           | /usr/sbin/crond                   | 1620000       |
    | 14191 | screen          | /usr/bin/screen                   | 70928000      |
    | 14192 | bash            | /usr/bin/bash                     | 3616000       |
    | 14301 | kworker/2:2     |                                   |               |
    | 15    | kworker/1:0H    |                                   |               |
    | 16    | watchdog/2      |                                   |               |
    | 17    | migration/2     |                                   |               |
    | 18    | ksoftirqd/2     |                                   |               |
    | 18527 | kworker/5:1     |                                   |               |
    | 2     | kthreadd        |                                   |               |
    | 20    | kworker/2:0H    |                                   |               |
    | 20283 | kworker/1:1     |                                   |               |
    | 21    | watchdog/3      |                                   |               |
    | 21172 | kworker/4:0     |                                   |               |
    | 21179 | lfd - sleeping  | /usr/bin/perl                     | 24156000      |
    | 21292 | kworker/4:1     |                                   |               |
    | 22    | migration/3     |                                   |               |
    | 22578 | memcached       | /usr/local/bin/memcached          | 3172000       |
    | 23    | ksoftirqd/3     |                                   |               |
    | 233   | ata_sff         |                                   |               |
    | 23842 | pure-ftpd       | /usr/sbin/pure-ftpd               | 2776000       |
    | 24187 | kworker/6:2     |                                   |               |
    | 25    | kworker/3:0H    |                                   |               |
    | 251   | scsi_eh_0       |                                   |               |
    | 252   | scsi_tmf_0      |                                   |               |
    | 253   | scsi_eh_1       |                                   |               |
    | 254   | scsi_tmf_1      |                                   |               |
    | 255   | scsi_eh_2       |                                   |               |
    | 256   | scsi_tmf_2      |                                   |               |
    | 257   | scsi_eh_3       |                                   |               |
    | 258   | scsi_tmf_3      |                                   |               |
    | 259   | scsi_eh_4       |                                   |               |
    | 26    | watchdog/4      |                                   |               |
    | 260   | scsi_tmf_4      |                                   |               |
    | 261   | scsi_eh_5       |                                   |               |
    | 262   | scsi_tmf_5      |                                   |               |
    | 27    | migration/4     |                                   |               |
    | 27907 | kworker/7:2     |                                   |               |
    | 28    | ksoftirqd/4     |                                   |               |
    | 28556 | kworker/5:0     |                                   |               |
    | 287   | kworker/2:1H    |                                   |               |
    | 288   | kworker/0:1H    |                                   |               |
    | 289   | kworker/1:1H    |                                   |               |
    | 290   | kworker/4:1H    |                                   |               |
    | 291   | kworker/5:1H    |                                   |               |
    | 292   | kworker/7:1H    |                                   |               |
    | 297   | kworker/3:1H    |                                   |               |
    | 3     | ksoftirqd/0     |                                   |               |
    | 30    | kworker/4:0H    |                                   |               |
    | 301   | kworker/6:1H    |                                   |               |
    | 30705 | kworker/u16:1   |                                   |               |
    | 31    | watchdog/5      |                                   |               |
    | 31307 | kworker/1:0     |                                   |               |
    | 32    | migration/5     |                                   |               |
    | 32288 | kworker/u16:0   |                                   |               |
    | 325   | bioset          |                                   |               |
    | 326   | md1_raid1       |                                   |               |
    | 33    | ksoftirqd/5     |                                   |               |
    | 3397  | kworker/3:1     |                                   |               |
    | 346   | jbd2/md1-8      |                                   |               |
    | 347   | ext4-rsv-conver |                                   |               |
    | 35    | kworker/5:0H    |                                   |               |
    | 36    | watchdog/6      |                                   |               |
    | 37    | migration/6     |                                   |               |
    | 38    | ksoftirqd/6     |                                   |               |
    | 40    | kworker/6:0H    |                                   |               |
    | 402   | systemd-journal | /usr/lib/systemd/systemd-journald | 65004000      |
    | 41    | watchdog/7      |                                   |               |
    | 418   | rpciod          |                                   |               |
    | 42    | migration/7     |                                   |               |
    | 43    | ksoftirqd/7     |                                   |               |
    | 434   | lvmetad         | /usr/sbin/lvmetad                 | 1292000       |
    | 449   | systemd-udevd   | /usr/lib/systemd/systemd-udevd    | 1840000       |
    | 45    | kworker/7:0H    |                                   |               |
    | 47    | khelper         |                                   |               |
    | 4754  | nginx           | /usr/local/sbin/nginx             | 24448000      |
    | 4755  | nginx           | /usr/local/sbin/nginx             | 29720000      |
    | 4756  | nginx           | /usr/local/sbin/nginx             | 29720000      |
    | 4758  | nginx           | /usr/local/sbin/nginx             | 29716000      |
    | 4759  | nginx           | /usr/local/sbin/nginx             | 29724000      |
    | 4779  | php-fpm         | /usr/local/sbin/php-fpm           | 9348000       |
    | 48    | kdevtmpfs       |                                   |               |
    | 49    | netns           |                                   |               |
    | 492   | rpcbind         | /usr/sbin/rpcbind                 | 1368000       |
    | 5     | kworker/0:0H    |                                   |               |
    | 50    | khungtaskd      |                                   |               |
    | 51    | writeback       |                                   |               |
    | 52    | kintegrityd     |                                   |               |
    | 5261  | kworker/7:0     |                                   |               |
    | 527   | ttm_swap        |                                   |               |
    | 528   | kipmi0          |                                   |               |
    | 529   | kvm-irqfd-clean |                                   |               |
    | 53    | bioset          |                                   |               |
    | 533   | bioset          |                                   |               |
    | 534   | md2_raid1       |                                   |               |
    | 54    | kblockd         |                                   |               |
    | 556   | jbd2/md2-8      |                                   |               |
    | 557   | ext4-rsv-conver |                                   |               |
    | 56    | md              |                                   |               |
    | 5602  | kworker/3:0     |                                   |               |
    | 5604  | kworker/1:2     |                                   |               |
    | 564   | auditd          | /usr/sbin/auditd                  | 1832000       |
    | 5686  | kworker/6:1     |                                   |               |
    | 586   | rngd            | /usr/sbin/rngd                    | 588000        |
    | 61    | kswapd0         |                                   |               |
    | 610   | polkitd         | /usr/lib/polkit-1/polkitd         | 12140000      |
    | 613   | gssproxy        | /usr/sbin/gssproxy                | 1200000       |
    | 619   | systemd-logind  | /usr/lib/systemd/systemd-logind   | 1992000       |
    | 62    | ksmd            |                                   |               |
    | 621   | ntpd            | /usr/sbin/ntpd                    | 2384000       |
    | 623   | haveged         | /usr/sbin/haveged                 | 4132000       |
    | 625   | mdadm           | /usr/sbin/mdadm                   | 632000        |
    | 63    | khugepaged      |                                   |               |
    | 6312  | kworker/0:0     |                                   |               |
    | 64    | fsnotify_mark   |                                   |               |
    | 641   | smartd          | /usr/sbin/smartd                  | 2328000       |
    | 65    | crypto          |                                   |               |
    | 650   | irqbalance      | /usr/sbin/irqbalance              | 1204000       |
    | 651   | dbus-daemon     | /usr/bin/dbus-daemon              | 1628000       |
    | 7     | migration/0     |                                   |               |
    | 73    | kthrotld        |                                   |               |
    | 76    | kmpath_rdacd    |                                   |               |
    | 77    | kpsmoused       |                                   |               |
    | 79    | ipv6_addrconf   |                                   |               |
    | 794   | scsi_eh_6       |                                   |               |
    | 795   | scsi_tmf_6      |                                   |               |
    | 796   | usb-storage     |                                   |               |
    | 797   | scsi_eh_7       |                                   |               |
    | 798   | scsi_tmf_7      |                                   |               |
    | 799   | usb-storage     |                                   |               |
    | 8     | rcu_bh          |                                   |               |
    | 800   | scsi_eh_8       |                                   |               |
    | 801   | scsi_tmf_8      |                                   |               |
    | 802   | usb-storage     |                                   |               |
    | 8845  | pickup          | /usr/libexec/postfix/pickup       | 4064000       |
    | 9     | rcu_sched       |                                   |               |
    | 918   | tuned           | /usr/bin/python2.7                | 18348000      |
    | 923   | sshd            | /usr/sbin/sshd                    | 1328000       |
    | 925   | rsyslogd        | /usr/sbin/rsyslogd                | 35696000      |
    | 9644  | kworker/0:1     |                                   |               |
    | 98    | deferwq         |                                   |               |
    +-------+-----------------+-----------------------------------+---------------+

    Same query, but ordered by resident_size ascending. Note that kernel threads (blank path and blank resident_size in the output above) sort to the top; add `WHERE path != ''` if you only want user-space processes.
    Code (Text):
    osquery> SELECT pid, name, path, resident_size FROM processes ORDER BY resident_size ASC;
    +-------+-----------------+-----------------------------------+---------------+
    | pid   | name            | path                              | resident_size |
    +-------+-----------------+-----------------------------------+---------------+
    | 10    | watchdog/0      |                                   |               |
    | 10090 | kworker/1:3     |                                   |               |
    | 10912 | kworker/1:4     |                                   |               |
    | 11    | watchdog/1      |                                   |               |
    | 1152  | nfsiod          |                                   |               |
    | 12    | migration/1     |                                   |               |
    | 12277 | kworker/2:0     |                                   |               |
    | 1239  | nfsv4.0-svc     |                                   |               |
    | 13    | ksoftirqd/1     |                                   |               |
    | 140   | kauditd         |                                   |               |
    | 14301 | kworker/2:2     |                                   |               |
    | 15    | kworker/1:0H    |                                   |               |
    | 16    | watchdog/2      |                                   |               |
    | 17    | migration/2     |                                   |               |
    | 18    | ksoftirqd/2     |                                   |               |
    | 18527 | kworker/5:1     |                                   |               |
    | 2     | kthreadd        |                                   |               |
    | 20    | kworker/2:0H    |                                   |               |
    | 20283 | kworker/1:1     |                                   |               |
    | 21    | watchdog/3      |                                   |               |
    | 21172 | kworker/4:0     |                                   |               |
    | 21292 | kworker/4:1     |                                   |               |
    | 22    | migration/3     |                                   |               |
    | 23    | ksoftirqd/3     |                                   |               |
    | 233   | ata_sff         |                                   |               |
    | 24187 | kworker/6:2     |                                   |               |
    | 25    | kworker/3:0H    |                                   |               |
    | 251   | scsi_eh_0       |                                   |               |
    | 252   | scsi_tmf_0      |                                   |               |
    | 253   | scsi_eh_1       |                                   |               |
    | 254   | scsi_tmf_1      |                                   |               |
    | 255   | scsi_eh_2       |                                   |               |
    | 256   | scsi_tmf_2      |                                   |               |
    | 257   | scsi_eh_3       |                                   |               |
    | 258   | scsi_tmf_3      |                                   |               |
    | 259   | scsi_eh_4       |                                   |               |
    | 26    | watchdog/4      |                                   |               |
    | 260   | scsi_tmf_4      |                                   |               |
    | 261   | scsi_eh_5       |                                   |               |
    | 262   | scsi_tmf_5      |                                   |               |
    | 27    | migration/4     |                                   |               |
    | 27907 | kworker/7:2     |                                   |               |
    | 28    | ksoftirqd/4     |                                   |               |
    | 28556 | kworker/5:0     |                                   |               |
    | 287   | kworker/2:1H    |                                   |               |
    | 288   | kworker/0:1H    |                                   |               |
    | 289   | kworker/1:1H    |                                   |               |
    | 290   | kworker/4:1H    |                                   |               |
    | 291   | kworker/5:1H    |                                   |               |
    | 292   | kworker/7:1H    |                                   |               |
    | 297   | kworker/3:1H    |                                   |               |
    | 3     | ksoftirqd/0     |                                   |               |
    | 30    | kworker/4:0H    |                                   |               |
    | 301   | kworker/6:1H    |                                   |               |
    | 30705 | kworker/u16:1   |                                   |               |
    | 31    | watchdog/5      |                                   |               |
    | 31307 | kworker/1:0     |                                   |               |
    | 32    | migration/5     |                                   |               |
    | 32288 | kworker/u16:0   |                                   |               |
    | 325   | bioset          |                                   |               |
    | 326   | md1_raid1       |                                   |               |
    | 33    | ksoftirqd/5     |                                   |               |
    | 3397  | kworker/3:1     |                                   |               |
    | 346   | jbd2/md1-8      |                                   |               |
    | 347   | ext4-rsv-conver |                                   |               |
    | 35    | kworker/5:0H    |                                   |               |
    | 36    | watchdog/6      |                                   |               |
    | 37    | migration/6     |                                   |               |
    | 38    | ksoftirqd/6     |                                   |               |
    | 40    | kworker/6:0H    |                                   |               |
    | 41    | watchdog/7      |                                   |               |
    | 418   | rpciod          |                                   |               |
    | 42    | migration/7     |                                   |               |
    | 43    | ksoftirqd/7     |                                   |               |
    | 45    | kworker/7:0H    |                                   |               |
    | 47    | khelper         |                                   |               |
    | 48    | kdevtmpfs       |                                   |               |
    | 49    | netns           |                                   |               |
    | 5     | kworker/0:0H    |                                   |               |
    | 50    | khungtaskd      |                                   |               |
    | 51    | writeback       |                                   |               |
    | 52    | kintegrityd     |                                   |               |
    | 5261  | kworker/7:0     |                                   |               |
    | 527   | ttm_swap        |                                   |               |
    | 528   | kipmi0          |                                   |               |
    | 529   | kvm-irqfd-clean |                                   |               |
    | 53    | bioset          |                                   |               |
    | 533   | bioset          |                                   |               |
    | 534   | md2_raid1       |                                   |               |
    | 54    | kblockd         |                                   |               |
    | 556   | jbd2/md2-8      |                                   |               |
    | 557   | ext4-rsv-conver |                                   |               |
    | 56    | md              |                                   |               |
    | 5602  | kworker/3:0     |                                   |               |
    | 5604  | kworker/1:2     |                                   |               |
    | 5686  | kworker/6:1     |                                   |               |
    | 61    | kswapd0         |                                   |               |
    | 62    | ksmd            |                                   |               |
    | 63    | khugepaged      |                                   |               |
    | 6312  | kworker/0:0     |                                   |               |
    | 64    | fsnotify_mark   |                                   |               |
    | 65    | crypto          |                                   |               |
    | 7     | migration/0     |                                   |               |
    | 73    | kthrotld        |                                   |               |
    | 76    | kmpath_rdacd    |                                   |               |
    | 77    | kpsmoused       |                                   |               |
    | 79    | ipv6_addrconf   |                                   |               |
    | 794   | scsi_eh_6       |                                   |               |
    | 795   | scsi_tmf_6      |                                   |               |
    | 796   | usb-storage     |                                   |               |
    | 797   | scsi_eh_7       |                                   |               |
    | 798   | scsi_tmf_7      |                                   |               |
    | 799   | usb-storage     |                                   |               |
    | 8     | rcu_bh          |                                   |               |
    | 800   | scsi_eh_8       |                                   |               |
    | 801   | scsi_tmf_8      |                                   |               |
    | 802   | usb-storage     |                                   |               |
    | 9     | rcu_sched       |                                   |               |
    | 9644  | kworker/0:1     |                                   |               |
    | 98    | deferwq         |                                   |               |
    | 586   | rngd            | /usr/sbin/rngd                    | 588000        |
    | 625   | mdadm           | /usr/sbin/mdadm                   | 632000        |
    | 1399  | agetty          | /usr/sbin/agetty                  | 824000        |
    | 613   | gssproxy        | /usr/sbin/gssproxy                | 1200000       |
    | 650   | irqbalance      | /usr/sbin/irqbalance              | 1204000       |
    | 434   | lvmetad         | /usr/sbin/lvmetad                 | 1292000       |
    | 923   | sshd            | /usr/sbin/sshd                    | 1328000       |
    | 492   | rpcbind         | /usr/sbin/rpcbind                 | 1368000       |
    | 1400  | crond           | /usr/sbin/crond                   | 1620000       |
    | 651   | dbus-daemon     | /usr/bin/dbus-daemon              | 1628000       |
    | 564   | auditd          | /usr/sbin/auditd                  | 1832000       |
    | 449   | systemd-udevd   | /usr/lib/systemd/systemd-udevd    | 1840000       |
    | 619   | systemd-logind  | /usr/lib/systemd/systemd-logind   | 1992000       |
    | 1335  | master          | /usr/libexec/postfix/master       | 2256000       |
    | 641   | smartd          | /usr/sbin/smartd                  | 2328000       |
    | 621   | ntpd            | /usr/sbin/ntpd                    | 2384000       |
    | 23842 | pure-ftpd       | /usr/sbin/pure-ftpd               | 2776000       |
    | 22578 | memcached       | /usr/local/bin/memcached          | 3172000       |
    | 10209 | bash            | /usr/bin/bash                     | 3580000       |
    | 14192 | bash            | /usr/bin/bash                     | 3616000       |
    | 1     | systemd         | /usr/lib/systemd/systemd          | 3864000       |
    | 8845  | pickup          | /usr/libexec/postfix/pickup       | 4064000       |
    | 1337  | qmgr            | /usr/libexec/postfix/qmgr         | 4084000       |
    | 623   | haveged         | /usr/sbin/haveged                 | 4132000       |
    | 10207 | sshd            | /usr/sbin/sshd                    | 5668000       |
    | 4779  | php-fpm         | /usr/local/sbin/php-fpm           | 9348000       |
    | 10464 | osqueryd        | /usr/bin/osqueryd                 | 9676000       |
    | 11032 | osqueryi        | /usr/bin/osqueryi                 | 11416000      |
    | 10467 | osqueryd        | /usr/bin/osqueryd                 | 11452000      |
    | 610   | polkitd         | /usr/lib/polkit-1/polkitd         | 12140000      |
    | 918   | tuned           | /usr/bin/python2.7                | 18348000      |
    | 21179 | lfd - sleeping  | /usr/bin/perl                     | 24156000      |
    | 4754  | nginx           | /usr/local/sbin/nginx             | 24448000      |
    | 4758  | nginx           | /usr/local/sbin/nginx             | 29716000      |
    | 4755  | nginx           | /usr/local/sbin/nginx             | 29720000      |
    | 4756  | nginx           | /usr/local/sbin/nginx             | 29720000      |
    | 4759  | nginx           | /usr/local/sbin/nginx             | 29724000      |
    | 925   | rsyslogd        | /usr/sbin/rsyslogd                | 35704000      |
    | 402   | systemd-journal | /usr/lib/systemd/systemd-journald | 65012000      |
    | 14191 | screen          | /usr/bin/screen                   | 70928000      |
    | 1281  | mysqld          | /usr/sbin/mysqld                  | 997944000     |
    +-------+-----------------+-----------------------------------+---------------+
    

    Or, instead of the path field, query the cmdline field (the blank path/resident_size cells above are kernel threads, which sort first under ORDER BY ... ASC):
    Code (Text):
    osquery> SELECT pid, name, cmdline, resident_size FROM processes ORDER BY resident_size ASC;
    +-------+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+
    | pid   | name            | cmdline                                                                                                                                                   | resident_size |
    +-------+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+
    | 10    | watchdog/0      |                                                                                                                                                           |               |
    | 10912 | kworker/1:4     |                                                                                                                                                           |               |
    | 11    | watchdog/1      |                                                                                                                                                           |               |
    | 1152  | nfsiod          |                                                                                                                                                           |               |
    | 12    | migration/1     |                                                                                                                                                           |               |
    | 12277 | kworker/2:0     |                                                                                                                                                           |               |
    | 1239  | nfsv4.0-svc     |                                                                                                                                                           |               |
    | 13    | ksoftirqd/1     |                                                                                                                                                           |               |
    | 140   | kauditd         |                                                                                                                                                           |               |
    | 14301 | kworker/2:2     |                                                                                                                                                           |               |
    | 15    | kworker/1:0H    |                                                                                                                                                           |               |
    | 16    | watchdog/2      |                                                                                                                                                           |               |
    | 17    | migration/2     |                                                                                                                                                           |               |
    | 18    | ksoftirqd/2     |                                                                                                                                                           |               |
    | 18527 | kworker/5:1     |                                                                                                                                                           |               |
    | 2     | kthreadd        |                                                                                                                                                           |               |
    | 20    | kworker/2:0H    |                                                                                                                                                           |               |
    | 20283 | kworker/1:1     |                                                                                                                                                           |               |
    | 21    | watchdog/3      |                                                                                                                                                           |               |
    | 21172 | kworker/4:0     |                                                                                                                                                           |               |
    | 21292 | kworker/4:1     |                                                                                                                                                           |               |
    | 22    | migration/3     |                                                                                                                                                           |               |
    | 23    | ksoftirqd/3     |                                                                                                                                                           |               |
    | 233   | ata_sff         |                                                                                                                                                           |               |
    | 24187 | kworker/6:2     |                                                                                                                                                           |               |
    | 25    | kworker/3:0H    |                                                                                                                                                           |               |
    | 251   | scsi_eh_0       |                                                                                                                                                           |               |
    | 252   | scsi_tmf_0      |                                                                                                                                                           |               |
    | 253   | scsi_eh_1       |                                                                                                                                                           |               |
    | 254   | scsi_tmf_1      |                                                                                                                                                           |               |
    | 255   | scsi_eh_2       |                                                                                                                                                           |               |
    | 256   | scsi_tmf_2      |                                                                                                                                                           |               |
    | 257   | scsi_eh_3       |                                                                                                                                                           |               |
    | 258   | scsi_tmf_3      |                                                                                                                                                           |               |
    | 259   | scsi_eh_4       |                                                                                                                                                           |               |
    | 26    | watchdog/4      |                                                                                                                                                           |               |
    | 260   | scsi_tmf_4      |                                                                                                                                                           |               |
    | 261   | scsi_eh_5       |                                                                                                                                                           |               |
    | 262   | scsi_tmf_5      |                                                                                                                                                           |               |
    | 27    | migration/4     |                                                                                                                                                           |               |
    | 27907 | kworker/7:2     |                                                                                                                                                           |               |
    | 28    | ksoftirqd/4     |                                                                                                                                                           |               |
    | 28556 | kworker/5:0     |                                                                                                                                                           |               |
    | 287   | kworker/2:1H    |                                                                                                                                                           |               |
    | 288   | kworker/0:1H    |                                                                                                                                                           |               |
    | 289   | kworker/1:1H    |                                                                                                                                                           |               |
    | 290   | kworker/4:1H    |                                                                                                                                                           |               |
    | 291   | kworker/5:1H    |                                                                                                                                                           |               |
    | 292   | kworker/7:1H    |                                                                                                                                                           |               |
    | 297   | kworker/3:1H    |                                                                                                                                                           |               |
    | 3     | ksoftirqd/0     |                                                                                                                                                           |               |
    | 30    | kworker/4:0H    |                                                                                                                                                           |               |
    | 301   | kworker/6:1H    |                                                                                                                                                           |               |
    | 30705 | kworker/u16:1   |                                                                                                                                                           |               |
    | 31    | watchdog/5      |                                                                                                                                                           |               |
    | 31307 | kworker/1:0     |                                                                                                                                                           |               |
    | 32    | migration/5     |                                                                                                                                                           |               |
    | 32288 | kworker/u16:0   |                                                                                                                                                           |               |
    | 325   | bioset          |                                                                                                                                                           |               |
    | 326   | md1_raid1       |                                                                                                                                                           |               |
    | 33    | ksoftirqd/5     |                                                                                                                                                           |               |
    | 3397  | kworker/3:1     |                                                                                                                                                           |               |
    | 346   | jbd2/md1-8      |                                                                                                                                                           |               |
    | 347   | ext4-rsv-conver |                                                                                                                                                           |               |
    | 35    | kworker/5:0H    |                                                                                                                                                           |               |
    | 36    | watchdog/6      |                                                                                                                                                           |               |
    | 37    | migration/6     |                                                                                                                                                           |               |
    | 38    | ksoftirqd/6     |                                                                                                                                                           |               |
    | 40    | kworker/6:0H    |                                                                                                                                                           |               |
    | 41    | watchdog/7      |                                                                                                                                                           |               |
    | 418   | rpciod          |                                                                                                                                                           |               |
    | 42    | migration/7     |                                                                                                                                                           |               |
    | 43    | ksoftirqd/7     |                                                                                                                                                           |               |
    | 45    | kworker/7:0H    |                                                                                                                                                           |               |
    | 47    | khelper         |                                                                                                                                                           |               |
    | 48    | kdevtmpfs       |                                                                                                                                                           |               |
    | 49    | netns           |                                                                                                                                                           |               |
    | 5     | kworker/0:0H    |                                                                                                                                                           |               |
    | 50    | khungtaskd      |                                                                                                                                                           |               |
    | 51    | writeback       |                                                                                                                                                           |               |
    | 52    | kintegrityd     |                                                                                                                                                           |               |
    | 5261  | kworker/7:0     |                                                                                                                                                           |               |
    | 527   | ttm_swap        |                                                                                                                                                           |               |
    | 528   | kipmi0          |                                                                                                                                                           |               |
    | 529   | kvm-irqfd-clean |                                                                                                                                                           |               |
    | 53    | bioset          |                                                                                                                                                           |               |
    | 533   | bioset          |                                                                                                                                                           |               |
    | 534   | md2_raid1       |                                                                                                                                                           |               |
    | 54    | kblockd         |                                                                                                                                                           |               |
    | 556   | jbd2/md2-8      |                                                                                                                                                           |               |
    | 557   | ext4-rsv-conver |                                                                                                                                                           |               |
    | 56    | md              |                                                                                                                                                           |               |
    | 5602  | kworker/3:0     |                                                                                                                                                           |               |
    | 5604  | kworker/1:2     |                                                                                                                                                           |               |
    | 5686  | kworker/6:1     |                                                                                                                                                           |               |
    | 61    | kswapd0         |                                                                                                                                                           |               |
    | 62    | ksmd            |                                                                                                                                                           |               |
    | 63    | khugepaged      |                                                                                                                                                           |               |
    | 6312  | kworker/0:0     |                                                                                                                                                           |               |
    | 64    | fsnotify_mark   |                                                                                                                                                           |               |
    | 65    | crypto          |                                                                                                                                                           |               |
    | 7     | migration/0     |                                                                                                                                                           |               |
    | 73    | kthrotld        |                                                                                                                                                           |               |
    | 76    | kmpath_rdacd    |                                                                                                                                                           |               |
    | 77    | kpsmoused       |                                                                                                                                                           |               |
    | 79    | ipv6_addrconf   |                                                                                                                                                           |               |
    | 794   | scsi_eh_6       |                                                                                                                                                           |               |
    | 795   | scsi_tmf_6      |                                                                                                                                                           |               |
    | 796   | usb-storage     |                                                                                                                                                           |               |
    | 797   | scsi_eh_7       |                                                                                                                                                           |               |
    | 798   | scsi_tmf_7      |                                                                                                                                                           |               |
    | 799   | usb-storage     |                                                                                                                                                           |               |
    | 8     | rcu_bh          |                                                                                                                                                           |               |
    | 800   | scsi_eh_8       |                                                                                                                                                           |               |
    | 801   | scsi_tmf_8      |                                                                                                                                                           |               |
    | 802   | usb-storage     |                                                                                                                                                           |               |
    | 9     | rcu_sched       |                                                                                                                                                           |               |
    | 9644  | kworker/0:1     |                                                                                                                                                           |               |
    | 98    | deferwq         |                                                                                                                                                           |               |
    | 586   | rngd            | /sbin/rngd -f                                                                                                                                             | 588000        |
    | 625   | mdadm           | /sbin/mdadm --monitor --scan -f --pid-file=/var/run/mdadm/mdadm.pid                                                                                       | 632000        |
    | 1399  | agetty          | /sbin/agetty --noclear tty1 linux                                                                                                                         | 824000        |
    | 613   | gssproxy        | /usr/sbin/gssproxy -D                                                                                                                                     | 1200000       |
    | 650   | irqbalance      | /usr/sbin/irqbalance --foreground                                                                                                                         | 1204000       |
    | 434   | lvmetad         | /usr/sbin/lvmetad -f                                                                                                                                      | 1292000       |
    | 923   | sshd            | /usr/sbin/sshd                                                                                                                                            | 1328000       |
    | 492   | rpcbind         | /sbin/rpcbind -w                                                                                                                                          | 1368000       |
    | 1400  | crond           | /usr/sbin/crond -n                                                                                                                                        | 1620000       |
    | 651   | dbus-daemon     | /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation                                                                    | 1628000       |
    | 564   | auditd          | /sbin/auditd -n                                                                                                                                           | 1832000       |
    | 449   | systemd-udevd   | /usr/lib/systemd/systemd-udevd                                                                                                                            | 1840000       |
    | 619   | systemd-logind  | /usr/lib/systemd/systemd-logind                                                                                                                           | 1992000       |
    | 1335  | master          | /usr/libexec/postfix/master -w                                                                                                                            | 2256000       |
    | 641   | smartd          | /usr/sbin/smartd -n -q never                                                                                                                              | 2328000       |
    | 621   | ntpd            | /usr/sbin/ntpd -u ntp:ntp -g                                                                                                                              | 2384000       |
    | 23842 | pure-ftpd       | pure-ftpd (SERVER)                                                                                                                                        | 2776000       |
    | 22578 | memcached       | /usr/local/bin/memcached -d -m 8 -l 127.0.0.1 -p 11211 -c 2048 -b 2048 -R 200 -t 4 -n 72 -f 1.25 -u nobody -o modern -P /var/run/memcached/memcached1.pid | 3172000       |
    | 10209 | bash            | -bash                                                                                                                                                     | 3580000       |
    | 14192 | bash            | /bin/bash                                                                                                                                                 | 3616000       |
    | 1     | systemd         | /usr/lib/systemd/systemd --switched-root --system --deserialize 20                                                                                        | 3864000       |
    | 8845  | pickup          | pickup -l -t unix -u                                                                                                                                      | 4064000       |
    | 1337  | qmgr            | qmgr -l -t unix -u                                                                                                                                        | 4084000       |
    | 623   | haveged         | /usr/sbin/haveged -w 4067 -v 1 --Foreground                                                                                                               | 4132000       |
    | 10207 | sshd            | sshd: root@pts/0                                                                                                                                          | 5668000       |
    | 4779  | php-fpm         | php-fpm: master process (/usr/local/etc/php-fpm.conf)                                                                                                     | 9348000       |
    | 10464 | osqueryd        | /usr/bin/osqueryd --flagfile /etc/osquery/osquery.flags --config_path /etc/osquery/osquery.conf                                                           | 9676000       |
    | 11032 | osqueryi        | osqueryi                                                                                                                                                  | 11416000      |
    | 10467 | osqueryd        | osqueryd: worker                                                                                                                                          | 11452000      |
    | 610   | polkitd         | /usr/lib/polkit-1/polkitd --no-debug                                                                                                                      | 12140000      |
    | 918   | tuned           | /usr/bin/python -Es /usr/sbin/tuned -l -P                                                                                                                 | 18348000      |
    | 21179 | lfd - sleeping  | lfd - sleeping                                                                                                                                            | 24156000      |
    | 4754  | nginx           | nginx: master process /usr/local/sbin/nginx -c /usr/local/nginx/conf/nginx.conf                                                                           | 24448000      |
    | 4758  | nginx           | nginx: worker process                                                                                                                                     | 29716000      |
    | 4755  | nginx           | nginx: worker process                                                                                                                                     | 29720000      |
    | 4756  | nginx           | nginx: worker process                                                                                                                                     | 29720000      |
    | 4759  | nginx           | nginx: worker process                                                                                                                                     | 29724000      |
    | 925   | rsyslogd        | /usr/sbin/rsyslogd -n                                                                                                                                     | 35716000      |
    | 402   | systemd-journal | /usr/lib/systemd/systemd-journald                                                                                                                         | 65036000      |
    | 14191 | screen          | SCREEN -dmS llvm                                                                                                                                          | 70928000      |
    | 1281  | mysqld          | /usr/sbin/mysqld                                                                                                                                          | 997944000     |
    +-------+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+
    


     
    Other examples. The query below pulls memory and CPU columns from the `processes` table and sorts by `resident_size`, so kernel threads (empty `path`, `resident_size` and `total_size`) are listed first and the largest resident processes last. Note that `path` is the resolved binary path rather than the command line shown in the earlier listing (e.g. `/usr/sbin/rngd` here versus `/sbin/rngd -f` above); comparing the two is a cheap check for a process whose name or command line does not match the executable actually running.
    osquery> SELECT pid, name, path, resident_size, total_size, user_time, system_time, start_time, threads, state FROM processes ORDER BY resident_size ASC;
    +-------+-----------------+-----------------------------------+---------------+-------------+-----------+-------------+------------+---------+-------+
    | pid   | name            | path                              | resident_size | total_size  | user_time | system_time | start_time | threads | state |
    +-------+-----------------+-----------------------------------+---------------+-------------+-----------+-------------+------------+---------+-------+
    | 10    | watchdog/0      |                                   |               |             | 0         | 290         | 0          | 1       | S     |
    | 10912 | kworker/1:4     |                                   |               |             | 0         | 0           | 1106590    | 1       | S     |
    | 11    | watchdog/1      |                                   |               |             | 0         | 53          | 0          | 1       | S     |
    | 1152  | nfsiod          |                                   |               |             | 0         | 0           | 8          | 1       | S     |
    | 12    | migration/1     |                                   |               |             | 0         | 64          | 0          | 1       | S     |
    | 12277 | kworker/2:0     |                                   |               |             | 0         | 3           | 1017532    | 1       | S     |
    | 1239  | nfsv4.0-svc     |                                   |               |             | 0         | 0           | 8          | 1       | S     |
    | 13    | ksoftirqd/1     |                                   |               |             | 0         | 291         | 0          | 1       | S     |
    | 140   | kauditd         |                                   |               |             | 0         | 96          | 0          | 1       | S     |
    | 14301 | kworker/2:2     |                                   |               |             | 0         | 0           | 1019243    | 1       | S     |
    | 15    | kworker/1:0H    |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 16    | watchdog/2      |                                   |               |             | 0         | 43          | 0          | 1       | S     |
    | 17    | migration/2     |                                   |               |             | 0         | 67          | 0          | 1       | S     |
    | 18    | ksoftirqd/2     |                                   |               |             | 0         | 270         | 0          | 1       | S     |
    | 18527 | kworker/5:1     |                                   |               |             | 0         | 34          | 684564     | 1       | S     |
    | 2     | kthreadd        |                                   |               |             | 0         | 4           | 0          | 1       | S     |
    | 20    | kworker/2:0H    |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 20283 | kworker/1:1     |                                   |               |             | 0         | 1           | 1060703    | 1       | S     |
    | 21    | watchdog/3      |                                   |               |             | 0         | 48          | 0          | 1       | S     |
    | 21172 | kworker/4:0     |                                   |               |             | 0         | 0           | 1026683    | 1       | S     |
    | 21292 | kworker/4:1     |                                   |               |             | 0         | 32          | 700883     | 1       | S     |
    | 22    | migration/3     |                                   |               |             | 0         | 69          | 0          | 1       | S     |
    | 23    | ksoftirqd/3     |                                   |               |             | 0         | 260         | 0          | 1       | S     |
    | 233   | ata_sff         |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 24187 | kworker/6:2     |                                   |               |             | 0         | 59          | 681624     | 1       | S     |
    | 25    | kworker/3:0H    |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 251   | scsi_eh_0       |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 252   | scsi_tmf_0      |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 253   | scsi_eh_1       |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 254   | scsi_tmf_1      |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 255   | scsi_eh_2       |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 256   | scsi_tmf_2      |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 257   | scsi_eh_3       |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 258   | scsi_tmf_3      |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 259   | scsi_eh_4       |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 26    | watchdog/4      |                                   |               |             | 0         | 45          | 0          | 1       | S     |
    | 260   | scsi_tmf_4      |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 261   | scsi_eh_5       |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 262   | scsi_tmf_5      |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 27    | migration/4     |                                   |               |             | 0         | 113         | 0          | 1       | S     |
    | 27907 | kworker/7:2     |                                   |               |             | 0         | 92          | 862931     | 1       | S     |
    | 28    | ksoftirqd/4     |                                   |               |             | 0         | 516         | 0          | 1       | S     |
    | 28556 | kworker/5:0     |                                   |               |             | 0         | 0           | 965303     | 1       | S     |
    | 287   | kworker/2:1H    |                                   |               |             | 0         | 532         | 1          | 1       | S     |
    | 288   | kworker/0:1H    |                                   |               |             | 0         | 98          | 1          | 1       | S     |
    | 289   | kworker/1:1H    |                                   |               |             | 0         | 821         | 1          | 1       | S     |
    | 290   | kworker/4:1H    |                                   |               |             | 0         | 107         | 1          | 1       | S     |
    | 291   | kworker/5:1H    |                                   |               |             | 0         | 165         | 1          | 1       | S     |
    | 292   | kworker/7:1H    |                                   |               |             | 0         | 56          | 1          | 1       | S     |
    | 297   | kworker/3:1H    |                                   |               |             | 0         | 312         | 1          | 1       | S     |
    | 3     | ksoftirqd/0     |                                   |               |             | 0         | 309         | 0          | 1       | S     |
    | 30    | kworker/4:0H    |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 301   | kworker/6:1H    |                                   |               |             | 0         | 3           | 1          | 1       | S     |
    | 30705 | kworker/u16:1   |                                   |               |             | 0         | 155         | 855623     | 1       | S     |
    | 31    | watchdog/5      |                                   |               |             | 0         | 44          | 0          | 1       | S     |
    | 31307 | kworker/1:0     |                                   |               |             | 0         | 67          | 555624     | 1       | S     |
    | 32    | migration/5     |                                   |               |             | 0         | 110         | 0          | 1       | S     |
    | 32288 | kworker/u16:0   |                                   |               |             | 0         | 211         | 685169     | 1       | S     |
    | 325   | bioset          |                                   |               |             | 0         | 0           | 1          | 1       | S     |
    | 326   | md1_raid1       |                                   |               |             | 0         | 4284        | 1          | 1       | S     |
    | 33    | ksoftirqd/5     |                                   |               |             | 0         | 247         | 0          | 1       | S     |
    | 3397  | kworker/3:1     |                                   |               |             | 0         | 22          | 1042441    | 1       | S     |
    | 346   | jbd2/md1-8      |                                   |               |             | 0         | 400         | 1          | 1       | S     |
    | 347   | ext4-rsv-conver |                                   |               |             | 0         | 0           | 1          | 1       | S     |
    | 35    | kworker/5:0H    |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 36    | watchdog/6      |                                   |               |             | 0         | 43          | 0          | 1       | S     |
    | 37    | migration/6     |                                   |               |             | 0         | 112         | 0          | 1       | S     |
    | 38    | ksoftirqd/6     |                                   |               |             | 0         | 244         | 0          | 1       | S     |
    | 40    | kworker/6:0H    |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 41    | watchdog/7      |                                   |               |             | 0         | 47          | 0          | 1       | S     |
    | 418   | rpciod          |                                   |               |             | 0         | 0           | 1          | 1       | S     |
    | 42    | migration/7     |                                   |               |             | 0         | 108         | 0          | 1       | S     |
    | 43    | ksoftirqd/7     |                                   |               |             | 0         | 250         | 0          | 1       | S     |
    | 45    | kworker/7:0H    |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 47    | khelper         |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 48    | kdevtmpfs       |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 49    | netns           |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 5     | kworker/0:0H    |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 50    | khungtaskd      |                                   |               |             | 0         | 13          | 0          | 1       | S     |
    | 51    | writeback       |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 52    | kintegrityd     |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 5261  | kworker/7:0     |                                   |               |             | 0         | 0           | 1100655    | 1       | S     |
    | 527   | ttm_swap        |                                   |               |             | 0         | 0           | 1          | 1       | S     |
    | 528   | kipmi0          |                                   |               |             | 0         | 11          | 1          | 1       | S     |
    | 529   | kvm-irqfd-clean |                                   |               |             | 0         | 0           | 1          | 1       | S     |
    | 53    | bioset          |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 533   | bioset          |                                   |               |             | 0         | 0           | 1          | 1       | S     |
    | 534   | md2_raid1       |                                   |               |             | 0         | 8734        | 1          | 1       | S     |
    | 54    | kblockd         |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 556   | jbd2/md2-8      |                                   |               |             | 0         | 92          | 1          | 1       | S     |
    | 557   | ext4-rsv-conver |                                   |               |             | 0         | 0           | 1          | 1       | S     |
    | 56    | md              |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 5602  | kworker/3:0     |                                   |               |             | 0         | 0           | 1100988    | 1       | S     |
    | 5604  | kworker/1:2     |                                   |               |             | 0         | 1           | 1100995    | 1       | S     |
    | 5686  | kworker/6:1     |                                   |               |             | 0         | 0           | 1065803    | 1       | S     |
    | 61    | kswapd0         |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 62    | ksmd            |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 63    | khugepaged      |                                   |               |             | 0         | 68          | 0          | 1       | S     |
    | 6312  | kworker/0:0     |                                   |               |             | 0         | 0           | 1101743    | 1       | S     |
    | 64    | fsnotify_mark   |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 65    | crypto          |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 7     | migration/0     |                                   |               |             | 0         | 66          | 0          | 1       | S     |
    | 73    | kthrotld        |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 76    | kmpath_rdacd    |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 77    | kpsmoused       |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 79    | ipv6_addrconf   |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 794   | scsi_eh_6       |                                   |               |             | 0         | 0           | 2          | 1       | S     |
    | 795   | scsi_tmf_6      |                                   |               |             | 0         | 0           | 2          | 1       | S     |
    | 796   | usb-storage     |                                   |               |             | 0         | 1135        | 2          | 1       | S     |
    | 797   | scsi_eh_7       |                                   |               |             | 0         | 0           | 2          | 1       | S     |
    | 798   | scsi_tmf_7      |                                   |               |             | 0         | 0           | 2          | 1       | S     |
    | 799   | usb-storage     |                                   |               |             | 0         | 903         | 2          | 1       | S     |
    | 8     | rcu_bh          |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 800   | scsi_eh_8       |                                   |               |             | 0         | 0           | 2          | 1       | S     |
    | 801   | scsi_tmf_8      |                                   |               |             | 0         | 0           | 2          | 1       | S     |
    | 802   | usb-storage     |                                   |               |             | 0         | 806         | 2          | 1       | S     |
    | 9     | rcu_sched       |                                   |               |             | 0         | 2556        | 0          | 1       | S     |
    | 9644  | kworker/0:1     |                                   |               |             | 0         | 300         | 1049244    | 1       | S     |
    | 98    | deferwq         |                                   |               |             | 0         | 0           | 0          | 1       | S     |
    | 586   | rngd            | /usr/sbin/rngd                    | 588000        | 4368000     | 405216    | 1396        | 1          | 1       | S     |
    | 625   | mdadm           | /usr/sbin/mdadm                   | 632000        | 7104000     | 2         | 6           | 2          | 1       | S     |
    | 1399  | agetty          | /usr/sbin/agetty                  | 824000        | 110036000   | 0         | 0           | 13         | 1       | S     |
    | 613   | gssproxy        | /usr/sbin/gssproxy                | 1200000       | 201268000   | 17        | 8           | 2          | 6       | S     |
    | 650   | irqbalance      | /usr/sbin/irqbalance              | 1204000       | 19300000    | 351       | 767         | 2          | 1       | S     |
    | 434   | lvmetad         | /usr/sbin/lvmetad                 | 1292000       | 118948000   | 0         | 0           | 1          | 1       | S     |
    | 923   | sshd            | /usr/sbin/sshd                    | 1328000       | 82524000    | 6         | 48          | 8          | 1       | S     |
    | 492   | rpcbind         | /usr/sbin/rpcbind                 | 1368000       | 65004000    | 10        | 18          | 168010     | 1       | S     |
    | 1400  | crond           | /usr/sbin/crond                   | 1620000       | 126308000   | 41        | 198         | 13         | 1       | S     |
    | 651   | dbus-daemon     | /usr/bin/dbus-daemon              | 1628000       | 24460000    | 2102      | 489         | 2          | 1       | S     |
    | 564   | auditd          | /usr/sbin/auditd                  | 1832000       | 55472000    | 131       | 223         | 1          | 2       | S     |
    | 449   | systemd-udevd   | /usr/lib/systemd/systemd-udevd    | 1840000       | 43576000    | 2         | 2           | 1          | 1       | S     |
    | 619   | systemd-logind  | /usr/lib/systemd/systemd-logind   | 1992000       | 24488000    | 703       | 689         | 2          | 1       | S     |
    | 1335  | master          | /usr/libexec/postfix/master       | 2256000       | 89692000    | 22        | 69          | 8          | 1       | S     |
    | 641   | smartd          | /usr/sbin/smartd                  | 2328000       | 24380000    | 3         | 2           | 2          | 1       | S     |
    | 621   | ntpd            | /usr/sbin/ntpd                    | 2384000       | 44648000    | 23        | 34          | 2          | 1       | S     |
    | 23842 | pure-ftpd       | /usr/sbin/pure-ftpd               | 2776000       | 202924000   | 0         | 0           | 1064253    | 1       | S     |
    | 22578 | memcached       | /usr/local/bin/memcached          | 3172000       | 424008000   | 79        | 20          | 1064689    | 10      | S     |
    | 10209 | bash            | /usr/bin/bash                     | 3580000       | 116808000   | 2         | 0           | 1106050    | 1       | S     |
    | 14192 | bash            | /usr/bin/bash                     | 3616000       | 116772000   | 4         | 2           | 677912     | 1       | S     |
    | 1     | systemd         | /usr/lib/systemd/systemd          | 3864000       | 190872000   | 1504      | 1342        | 0          | 1       | S     |
    | 8845  | pickup          | /usr/libexec/postfix/pickup       | 4064000       | 89796000    | 0         | 0           | 1104527    | 1       | S     |
    | 1337  | qmgr            | /usr/libexec/postfix/qmgr         | 4084000       | 89972000    | 5         | 13          | 8          | 1       | S     |
    | 623   | haveged         | /usr/sbin/haveged                 | 4132000       | 12132000    | 11523     | 42112       | 2          | 1       | S     |
    | 10207 | sshd            | /usr/sbin/sshd                    | 5668000       | 143588000   | 3         | 1           | 1106047    | 1       | S     |
    | 4779  | php-fpm         | /usr/local/sbin/php-fpm           | 9348000       | 350456000   | 8         | 4           | 1064803    | 1       | S     |
    | 10464 | osqueryd        | /usr/bin/osqueryd                 | 9676000       | 217972000   | 10        | 1           | 1106145    | 2       | S     |
    | 11032 | osqueryi        | /usr/bin/osqueryi                 | 11416000      | 229048000   | 10        | 1           | 1106691    | 3       | R     |
    | 10467 | osqueryd        | /usr/bin/osqueryd                 | 11452000      | 259500000   | 2         | 0           | 1106145    | 7       | S     |
    | 610   | polkitd         | /usr/lib/polkit-1/polkitd         | 12140000      | 527700000   | 1157      | 248         | 1          | 6       | S     |
    | 918   | tuned           | /usr/bin/python2.7                | 18348000      | 479476000   | 1281      | 69          | 8          | 4       | S     |
    | 21179 | lfd - sleeping  | /usr/bin/perl                     | 24156000      | 172180000   | 165       | 572         | 1026683    | 1       | S     |
    | 4754  | nginx           | /usr/local/sbin/nginx             | 24448000      | 104296000   | 0         | 0           | 1064803    | 1       | S     |
    | 4758  | nginx           | /usr/local/sbin/nginx             | 29716000      | 104296000   | 0         | 88          | 1064803    | 1       | S     |
    | 4755  | nginx           | /usr/local/sbin/nginx             | 29720000      | 104296000   | 0         | 94          | 1064803    | 1       | S     |
    | 4756  | nginx           | /usr/local/sbin/nginx             | 29720000      | 104296000   | 0         | 90          | 1064803    | 1       | S     |
    | 4759  | nginx           | /usr/local/sbin/nginx             | 29724000      | 104296000   | 87        | 0           | 1064803    | 1       | S     |
    | 925   | rsyslogd        | /usr/sbin/rsyslogd                | 35736000      | 388676000   | 743       | 443         | 8          | 3       | S     |
    | 402   | systemd-journal | /usr/lib/systemd/systemd-journald | 65084000      | 114776000   | 712       | 680         | 1          | 1       | S     |
    | 14191 | screen          | /usr/bin/screen                   | 70928000      | 197296000   | 156       | 103         | 677912     | 1       | S     |
    | 1281  | mysqld          | /usr/sbin/mysqld                  | 997944000     | 11681976000 | 5982      | 3465        | 8          | 33      | S     |
    +-------+-----------------+-----------------------------------+---------------+-------------+-----------+-------------+------------+---------+-------+
    
     
  3. eva2000

    Get kernel info (running kernel version, boot arguments, image path and boot device)
    Code (Text):
    osquery> SELECT * FROM kernel_info;
    +---------------------------+----------------------------------------------------------------------------------+-----------------------------------------+----------+
    | version                   | arguments                                                                        | path                                    | device   |
    +---------------------------+----------------------------------------------------------------------------------+-----------------------------------------+----------+
    | 3.10.0-514.6.1.el7.x86_64 | ro net.ifnames=0 rd.md.uuid=545f412d:400a8f10:a4d2adc2:26fd5302 LANG=en_US.UTF-8 | /boot/vmlinuz-3.10.0-514.6.1.el7.x86_64 | /dev/md1 |
    +---------------------------+----------------------------------------------------------------------------------+-----------------------------------------+----------+

    Get logged-in users (the table also lists boot/runlevel records and dead sessions, not only live logins)
    Code (Text):
    osquery> SELECT * FROM logged_in_users;
    +-----------+----------+-------+---------------------------+------------+-------+
    | type      | user     | tty   | host                      | time       | pid   |
    +-----------+----------+-------+---------------------------+------------+-------+
    | boot_time | reboot   | ~     | 3.10.0-514.6.1.el7.x86_64 | 1485139719 | 0     |
    | runlevel  | runlevel | ~     | 3.10.0-514.6.1.el7.x86_64 | 1485139732 | 51    |
    | login     | LOGIN    | tty1  |                           | 1485139732 | 1399  |
    | user      | root     | pts/0 | XX.XXX.XXX.XXX             | 1486245768 | 10209 |
    | dead      |          | pts/1 |                           | 1485676426 | 1687  |
    | dead      |          | pts/2 |                           | 1486007717 | 11397 |
    | dead      |          | pts/1 | XX.XXX.XXX.XXX:S.0         | 1485817635 | 14192 |
    | dead      |          | pts/3 |                           | 1486007717 | 11762 |
    | dead      |          | pts/4 |                           | 1486005369 | 30034 |
    +-----------+----------+-------+---------------------------+------------+-------+

    Get the process name, listening port and pid for processes listening on port 80
    Code (Text):
    osquery> SELECT DISTINCT processes.name, listening_ports.port, processes.pid FROM listening_ports JOIN processes USING (pid) WHERE listening_ports.port= '80';
    +-------+------+------+
    | name  | port | pid  |
    +-------+------+------+
    | nginx | 80   | 4759 |
    +-------+------+------+
    
     
    Last edited: Feb 5, 2017
  4. eva2000

    Get system uptime
    Code (Text):
    osquery> SELECT * FROM uptime;
    +------+-------+---------+---------+---------------+
    | days | hours | minutes | seconds | total_seconds |
    +------+-------+---------+---------+---------------+
    | 12   | 20    | 12      | 42      | 1109562       |
    +------+-------+---------+---------+---------------+
    

    Get CPUID info (CPU vendor, model and feature flags)
    Code (Text):
    osquery> SELECT * FROM cpuid;
    +---------------+------------------------------------------+-----------------+------------+------------+
    | feature       | value                                    | output_register | output_bit | input_eax  |
    +---------------+------------------------------------------+-----------------+------------+------------+
    | vendor        | GenuineIntel                             | ebx,edx,ecx     | 0          | 0          |
    | product_name  | Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz | eax,ebx,ecx,edx | 0          | 0x80000002 |
    | hypervisor_id | 000000070000034000000340                 | ebx,ecx,edx     | 0          | 0x40000000 |
    | serial        | 000306c30000000000000000                 | eax,eax,ecx     | 0          | 1,3        |
    | family        | 0600                                     | eax             | 0          | 1          |
    | pae           | 1                                        | edx             | 6          | 1          |
    | msr           | 1                                        | edx             | 5          | 1          |
    | mtrr          | 1                                        | edx             | 12         | 1          |
    | acpi          | 1                                        | edx             | 22         | 1          |
    | htt           | 1                                        | edx             | 28         | 1          |
    | ia64          | 0                                        | edx             | 30         | 1          |
    | vmx           | 1                                        | ecx             | 5          | 1          |
    | smx           | 0                                        | ecx             | 6          | 1          |
    | hypervisor    | 0                                        | ecx             | 31         | 1          |
    | aes           | 1                                        | ecx             | 25         | 1          |
    | sgx           | 0                                        | ebx             | 2          | 7          |
    | mpx           | 0                                        | ebx             | 14         | 7          |
    | sha           | 0                                        | ebx             | 29         | 7          |
    | sgx0          | 00000007000003400000034000000000         | eax,ebx,ecx,edx | 0          | 18         |
    | sgx1          | 00000001000000000000000000000000         | eax,ebx,ecx,edx | 0          | 18,1       |
    +---------------+------------------------------------------+-----------------+------------+------------+
    

    Get OS version info
    Code (Text):
    osquery> SELECT * FROM os_version;
    +--------------+----------+-------+-------+-------+-------+----------+---------------+----------+
    | name         | version  | major | minor | patch | build | platform | platform_like | codename |
    +--------------+----------+-------+-------+-------+-------+----------+---------------+----------+
    | CentOS Linux | 7 (Core) | 7     |       |       |       | centos   | rhel fedora   |          |
    +--------------+----------+-------+-------+-------+-------+----------+---------------+----------+
    

    Get system info
    Code (Text):
    osquery> SELECT * FROM system_info;
    +---------------------+--------------------------------------+----------+-------------+------------------------------------------+--------------------+-------------------+-----------------+-----------------------+----------------+------------------+------------------------+---------------------+
    | hostname            | uuid                                 | cpu_type | cpu_subtype | cpu_brand                                | cpu_physical_cores | cpu_logical_cores | physical_memory | hardware_vendor       | hardware_model | hardware_version | hardware_serial        | computer_name       |
    +---------------------+--------------------------------------+----------+-------------+------------------------------------------+--------------------+-------------------+-----------------+-----------------------+----------------+------------------+------------------------+---------------------+
    | host.domain.com | 7E3E8FCD-9C42-BEC0-C8D4-3497F600C53F | 6        | 60          | Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz | 8                  | 8                 | 33698562048     | ASUSTeK COMPUTER INC. | P9D-M Series   | Rev 1.xx         | To be filled by O.E.M. | host.domain.com |
    +---------------------+--------------------------------------+----------+-------------+------------------------------------------+--------------------+-------------------+-----------------+-----------------------+----------------+------------------+------------------------+---------------------+
    

    or from the command line, selecting only the columns needed
    Code (Text):
    osqueryi "SELECT hostname, cpu_type, cpu_brand, cpu_physical_cores, cpu_logical_cores, physical_memory, hardware_vendor, hardware_model FROM system_info"
    +---------------------+----------+------------------------------------------+--------------------+-------------------+-----------------+-----------------------+----------------+
    | hostname            | cpu_type | cpu_brand                                | cpu_physical_cores | cpu_logical_cores | physical_memory | hardware_vendor       | hardware_model |
    +---------------------+----------+------------------------------------------+--------------------+-------------------+-----------------+-----------------------+----------------+
    | host.domain.com | 6        | Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz | 8                  | 8                 | 33698562048     | ASUSTeK COMPUTER INC. | P9D-M Series   |
    +---------------------+----------+------------------------------------------+--------------------+-------------------+-----------------+-----------------------+----------------+
    

    or the same query with shorter column aliases
    Code (Text):
    osqueryi "SELECT hostname, cpu_brand AS brand, cpu_physical_cores AS cores, cpu_logical_cores AS threads, physical_memory AS memory, hardware_vendor AS Vendor, hardware_model AS model FROM system_info"            
    +---------------------+------------------------------------------+-------+---------+-------------+-----------------------+--------------+
    | hostname            | brand                                    | cores | threads | memory      | Vendor                | model        |
    +---------------------+------------------------------------------+-------+---------+-------------+-----------------------+--------------+
    | host.domain.com | Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz | 8     | 8       | 33698562048 | ASUSTeK COMPUTER INC. | P9D-M Series |
    +---------------------+------------------------------------------+-------+---------+-------------+-----------------------+--------------+
    
     
    Last edited: Feb 6, 2017
  5. eva2000

    Get cron jobs via the crontab table (covers /etc/crontab, /etc/cron.d/* and per-user spool files, as the path column shows)
    Code (Text):
    osquery> SELECT * FROM crontab;
    +-------+--------+------+--------------+-------+-------------+------------------------------------------------------------+------------------------+
    | event | minute | hour | day_of_month | month | day_of_week | command                                                    | path                   |
    +-------+--------+------+--------------+-------+-------------+------------------------------------------------------------+------------------------+
    |       | */1    | *    | *            | *     | *           | root /usr/local/rtm/bin/rtm 9 > /dev/null 2> /dev/null     | /etc/crontab           |
    |       | 01     | *    | *            | *     | *           | root run-parts /etc/cron.hourly                            | /etc/cron.d/0hourly    |
    |       | 56     | 14   | *            | *     | *           | root /usr/sbin/csf -u                                      | /etc/cron.d/csf_update |
    |       | 0      | 0    | *            | *     | *           | root /usr/sbin/csf --lfd restart > /dev/null 2>&1          | /etc/cron.d/lfd-cron   |
    |       | 0      | 1    | *            | *     | Sun         | root /usr/sbin/raid-check                                  | /etc/cron.d/raid-check |
    |       | */10   | *    | *            | *     | *           | root /usr/lib64/sa/sa1 1 1                                 | /etc/cron.d/sysstat    |
    |       | 53     | 23   | *            | *     | *           | root /usr/lib64/sa/sa2 -A                                  | /etc/cron.d/sysstat    |
    |       | 11     | */23 | *            | *     | *           | /usr/local/src/centminmod/tools/autoprotect.sh 2>/dev/null | /var/spool/cron/root   |
    |       | 0      | */4  | *            | *     | *           | /usr/bin/cminfo_updater 2>/dev/null                        | /var/spool/cron/root   |
    +-------+--------+------+--------------+-------+-------------+------------------------------------------------------------+------------------------+
    osquery> 
    
     
  6. eva2000

    Get PCI devices
    Code (Text):
    osquery> SELECT * FROM pci_devices;
    +--------------+--------------------------+------------+-------------------------+-----------+--------------------------------------------------------------------------+----------+
    | pci_slot     | pci_class                | driver     | vendor                  | vendor_id | model                                                                    | model_id |
    +--------------+--------------------------+------------+-------------------------+-----------+--------------------------------------------------------------------------+----------+
    | 0000:00:00.0 | Bridge                   | hsw_uncore | Intel Corporation       | 8086      | 4th Gen Core Processor DRAM Controller                                   | 0C00     |
    | 0000:00:14.0 | Serial bus controller    | xhci_hcd   | Intel Corporation       | 8086      | 8 Series/C220 Series Chipset Family USB xHCI                             | 8C31     |
    | 0000:00:16.0 | Communication controller |            | Intel Corporation       | 8086      | 8 Series/C220 Series Chipset Family MEI Controller                       | 8C3A     |
    | 0000:00:16.1 | Communication controller |            | Intel Corporation       | 8086      | 8 Series/C220 Series Chipset Family MEI Controller                       | 8C3B     |
    | 0000:00:1a.0 | Serial bus controller    | ehci-pci   | Intel Corporation       | 8086      | 8 Series/C220 Series Chipset Family USB EHCI                             | 8C2D     |
    | 0000:00:1c.0 | Bridge                   | pcieport   | Intel Corporation       | 8086      | 8 Series/C220 Series Chipset Family PCI Express Root Port                | 8C10     |
    | 0000:01:00.0 | Network controller       | igb        | Intel Corporation       | 8086      | I210 Gigabit Network Connection                                          | 1533     |
    | 0000:00:1c.1 | Bridge                   | pcieport   | Intel Corporation       | 8086      | 8 Series/C220 Series Chipset Family PCI Express Root Port                | 8C12     |
    | 0000:02:00.0 | Network controller       | igb        | Intel Corporation       | 8086      | I210 Gigabit Network Connection                                          | 1533     |
    | 0000:00:1c.2 | Bridge                   | pcieport   | Intel Corporation       | 8086      | 8 Series/C220 Series Chipset Family PCI Express Root Port                | 8C14     |
    | 0000:03:00.0 | Bridge                   |            | ASPEED Technology, Inc. | 1A03      | AST1150 PCI-to-PCI Bridge                                                | 1150     |
    | 0000:04:00.0 | Display controller       | ast        | ASPEED Technology, Inc. | 1A03      | ASPEED Graphics Family                                                   | 2000     |
    | 0000:00:1d.0 | Serial bus controller    | ehci-pci   | Intel Corporation       | 8086      | 8 Series/C220 Series Chipset Family USB EHCI                             | 8C26     |
    | 0000:00:1f.0 | Bridge                   | lpc_ich    | Intel Corporation       | 8086      | C224 Series Chipset Family Server Standard SKU LPC Controller            | 8C54     |
    | 0000:00:1f.2 | Mass storage controller  | ahci       | Intel Corporation       | 8086      | 8 Series/C220 Series Chipset Family 6-port SATA Controller 1 [AHCI mode] | 8C02     |
    | 0000:00:1f.3 | Serial bus controller    |            | Intel Corporation       | 8086      | 8 Series/C220 Series Chipset Family SMBus Controller                     | 8C22     |
    +--------------+--------------------------+------------+-------------------------+-----------+--------------------------------------------------------------------------+----------+
    
     
  7. eva2000

    Get shell command history for the root user (uid=0), limited to 6 entries; without an ORDER BY, which 6 rows are returned is not defined
    Code (Text):
    osquery> SELECT * FROM shell_history WHERE uid=0 LIMIT 6;
    +-----+------+------------------------------------------------------------------------------------------------------------------------+---------------------+
    | uid | time | command                                                                                                                | history_file        |
    +-----+------+------------------------------------------------------------------------------------------------------------------------+---------------------+
    | 0   |      | top -c                                                                                                                 | /root/.bash_history |
    | 0   |      | df -hT                                                                                                                 | /root/.bash_history |
    | 0   |      | free -m                                                                                                                | /root/.bash_history |
    | 0   |      | cat /proc/cpuinfo                                                                                                      | /root/.bash_history |
    | 0   |      | top -c                                                                                                                 | /root/.bash_history |
    | 0   |      | yum -y update; curl -O https://centminmod.com/betainstaller.sh && chmod 0700 betainstaller.sh && bash betainstaller.sh | /root/.bash_history |
    +-----+------+------------------------------------------------------------------------------------------------------------------------+---------------------+
    
     
  8. eva2000

    Get CPU time info broken down by CPU thread (one row per core)
    Code (Text):
    osquery> SELECT * FROM cpu_time;
    +------+--------+------+--------+-----------+---------+-----+---------+-------+-------+------------+
    | core | user   | nice | system | idle      | iowait  | irq | softirq | steal | guest | guest_nice |
    +------+--------+------+--------+-----------+---------+-----+---------+-------+-------+------------+
    | 0    | 535615 | 8    | 116069 | 110316346 | 700     | 0   | 13      | 0     | 0     | 0          |
    | 1    | 525048 | 26   | 78343  | 110324209 | 50612   | 0   | 1157    | 0     | 0     | 0          |
    | 2    | 527847 | 54   | 75982  | 110377927 | 1106    | 0   | 95      | 0     | 0     | 0          |
    | 3    | 524297 | 27   | 76015  | 105864535 | 4516600 | 0   | 61      | 0     | 0     | 0          |
    | 4    | 627255 | 25   | 88434  | 110266570 | 716     | 0   | 212     | 0     | 0     | 0          |
    | 5    | 580180 | 55   | 86234  | 110318834 | 729     | 0   | 180     | 0     | 0     | 0          |
    | 6    | 647252 | 57   | 87691  | 110252589 | 373     | 0   | 12      | 0     | 0     | 0          |
    | 7    | 621549 | 50   | 87461  | 105764783 | 4508975 | 0   | 365     | 0     | 0     | 0          |
    +------+--------+------+--------+-----------+---------+-----+---------+-------+-------+------------+
    

    Get memory info
    Code (Text):
    osquery> SELECT * FROM memory_info;
    +--------------+-------------+-----------+-------------+-------------+------------+-------------+------------+------------+
    | memory_total | memory_free | buffers   | cached      | swap_cached | active     | inactive    | swap_total | swap_free  |
    +--------------+-------------+-----------+-------------+-------------+------------+-------------+------------+------------+
    | 33698562048  | 13857415168 | 569094144 | 15366463488 | 0           | 6594027520 | 10560835584 | 2145378304 | 2145378304 |
    +--------------+-------------+-----------+-------------+-------------+------------+-------------+------------+------------+
    

    Query installed RPM packages, here filtered to those whose name starts with MariaDB
    Code (Text):
    osquery> SELECT * FROM rpm_packages WHERE name LIKE 'MariaDB%';
    warning: Failed to read auxiliary vector, /proc not mounted?
    warning: Failed to read auxiliary vector, /proc not mounted?
    warning: Failed to read auxiliary vector, /proc not mounted?
    warning: Failed to read auxiliary vector, /proc not mounted?
    warning: Failed to read auxiliary vector, /proc not mounted?
    warning: Failed to read auxiliary vector, /proc not mounted?
    warning: Failed to read auxiliary vector, /proc not mounted?
    warning: Failed to read auxiliary vector, /proc not mounted?
    +----------------+---------+--------------+---------------------------------------------+-----------+------------------------------------------+--------+
    | name           | version | release      | source                                      | size      | sha1                                     | arch   |
    +----------------+---------+--------------+---------------------------------------------+-----------+------------------------------------------+--------+
    | MariaDB-client | 10.1.21 | 1.el7.centos | MariaDB-client-10.1.21-1.el7.centos.src.rpm | 177957305 | 1dde90c09355122e7e72f3c99c3d9b3f8665a31b | x86_64 |
    | MariaDB-common | 10.1.21 | 1.el7.centos | MariaDB-common-10.1.21-1.el7.centos.src.rpm | 254499    | c7a47987c9a659a4f1da6148885ac83af1ae92c7 | x86_64 |
    | MariaDB-compat | 10.1.21 | 1.el7.centos | MariaDB-compat-10.1.21-1.el7.centos.src.rpm | 8142112   | 92fec3a3905603f2465ad9511c0b91d29a7bee3b | x86_64 |
    | MariaDB-devel  | 10.1.21 | 1.el7.centos | MariaDB-devel-10.1.21-1.el7.centos.src.rpm  | 40041972  | 39bd63d7c10c2fb7e96ba474b8a339f656a5427e | x86_64 |
    | MariaDB-server | 10.1.21 | 1.el7.centos | MariaDB-server-10.1.21-1.el7.centos.src.rpm | 454896337 | c70125a809359cf76ffd78a3730262673050b23b | x86_64 |
    | MariaDB-shared | 10.1.21 | 1.el7.centos | MariaDB-shared-10.1.21-1.el7.centos.src.rpm | 6769901   | 2d276b8e54d6e8e9a7c9420ace5cfd622f158921 | x86_64 |
    +----------------+---------+--------------+---------------------------------------------+-----------+------------------------------------------+--------+