In hrbrmstr/osqueryr: 'osquery' 'DBI' and 'dbplyr' Interface for R
osqueryr
'osquery' 'DBI' and 'dbplyr' Interface for R
WIP WIP WIP
But, so far it seems to work pretty well.
NOTE: You need to install osquery for this to work.
Read https://osquery.readthedocs.io/en/stable/ before proceeding.
HEY!
One of the super cool things abt osquery is that it works on every major platform
so you can use this package to normalize OS-level queries for anything
that you may have wanted to do before but didn't feel like doing b/c you had to
handle so many OS foibles.
Description
'osquery' https://osquery.readthedocs.io/en/stable/ is an operating
system instrumentation framework for 'Windows', 'OS X (macOS)', 'Linux', and
'FreeBSD'. The tools make low-level operating system analytics and monitoring
both performant and intuitive. A full 'dbplyr'-compliant 'DBI'-driver
interface is provided facilitating intuitive and tidy analytic idioms.
What's Inside The Tin
Pretty much what you'd expect for DBI and dbplyr plus:
The following functions are implemented:
osq_fs_logs: List all the logs on our local systemosq_expose_tables: Return all (or selected) local or remote osquery tables as a named list of dbplyr tibblesosq_load_tables: Return all (or selected) local or remote osquery tables as a named list of dbplyr tibbles
TODO (y'all are encouraged to contribute)
finish DBI driver- smart(er) type conversion
- tests
- vignette(s)
Installation
devtools::install_git("git://gitlab.com/hrbrmstr/osqueryr")
devtools::install_git("git://github.com/hrbrmstr/osqueryr")
options(width=120)
Usage
library(osqueryr)
library(tidyverse)
library(knitr)
# current verison
packageVersion("osqueryr")
osquery info
osqdb <- src_dbi(osqueryr::dbConnect(Osquery()))
glimpse(tbl(osqdb, "osquery_info"))
This can work with remote hosts, too:
con <- osqueryr::dbConnect(Osquery())
con
local_db <- src_dbi(con)
local_db
osq1_con <- osqueryr::dbConnect(Osquery(), host = "hrbrmstr@osq1")
osq1_con
osq1_db <- src_dbi(osq1_con)
osq1_db
osq2_con <- osqueryr::dbConnect(Osquery(), host = "bob@osq2", osquery_remote_path = "/usr/bin")
osq2_con
osq2_db <- src_dbi(osq2_con)
osq2_db
available tables
osqdb
sample table
tbl(osqdb, "dns_resolvers")
check out processes
procs <- tbl(osqdb, "processes")
filter(procs, cmdline != "") %>%
select(cmdline, total_size)
filter(procs, name %like% '%fire%') %>%
glimpse()
see if any processes have no corresponding disk image
filter(procs, on_disk == 0) %>%
select(name, path, pid)
(gosh I hope ^^ was empty)
top 10 largest processes by resident memory size
arrange(procs, desc(resident_size)) %>%
select(pid, name, uid, resident_size)
process count for the top 10 most active processes
count(procs, name, sort=TRUE)
get all processes listening on a port (join example)
listen <- tbl(osqdb, "listening_ports")
left_join(procs, listen, by="pid") %>%
filter(port != "") %>%
distinct(name, port, address, pid)
get file info
files <- tbl(osqdb, "file")
filter(files, path == "/etc/hosts") %>%
select(filename, size)
users
tbl(osqdb, "users")
tbl(osqdb, "logged_in_users")
groups
tbl(osqdb, "groups")
homebrew!
tbl(osqdb, "homebrew_packages")
Code of Conduct
Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.
hrbrmstr/osqueryr documentation built on May 31, 2019, 12:10 p.m.
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
osqueryr
'osquery' 'DBI' and 'dbplyr' Interface for R
WIP WIP WIP
But, so far it seems to work pretty well.
NOTE: You need to install osquery for this to work.
Read https://osquery.readthedocs.io/en/stable/ before proceeding.
HEY!
One of the super cool things abt osquery is that it works on every major platform
so you can use this package to normalize OS-level queries for anything
that you may have wanted to do before but didn't feel like doing b/c you had to
handle so many OS foibles.
Description
'osquery' https://osquery.readthedocs.io/en/stable/ is an operating system instrumentation framework for 'Windows', 'OS X (macOS)', 'Linux', and 'FreeBSD'. The tools make low-level operating system analytics and monitoring both performant and intuitive. A full 'dbplyr'-compliant 'DBI'-driver interface is provided facilitating intuitive and tidy analytic idioms.
What's Inside The Tin
Pretty much what you'd expect for DBI and dbplyr plus:
The following functions are implemented:
osq_fs_logs: List all the logs on our local systemosq_expose_tables: Return all (or selected) local or remote osquery tables as a named list ofdbplyrtibblesosq_load_tables: Return all (or selected) local or remote osquery tables as a named list ofdbplyrtibbles
TODO (y'all are encouraged to contribute)
finish DBI driver- smart(er) type conversion
- tests
- vignette(s)
Installation
devtools::install_git("git://gitlab.com/hrbrmstr/osqueryr") devtools::install_git("git://github.com/hrbrmstr/osqueryr")
options(width=120)
Usage
library(osqueryr) library(tidyverse) library(knitr) # current verison packageVersion("osqueryr")
osquery info
osqdb <- src_dbi(osqueryr::dbConnect(Osquery())) glimpse(tbl(osqdb, "osquery_info"))
This can work with remote hosts, too:
con <- osqueryr::dbConnect(Osquery()) con local_db <- src_dbi(con) local_db osq1_con <- osqueryr::dbConnect(Osquery(), host = "hrbrmstr@osq1") osq1_con osq1_db <- src_dbi(osq1_con) osq1_db osq2_con <- osqueryr::dbConnect(Osquery(), host = "bob@osq2", osquery_remote_path = "/usr/bin") osq2_con osq2_db <- src_dbi(osq2_con) osq2_db
available tables
osqdb
sample table
tbl(osqdb, "dns_resolvers")
check out processes
procs <- tbl(osqdb, "processes") filter(procs, cmdline != "") %>% select(cmdline, total_size) filter(procs, name %like% '%fire%') %>% glimpse()
see if any processes have no corresponding disk image
filter(procs, on_disk == 0) %>% select(name, path, pid)
(gosh I hope ^^ was empty)
top 10 largest processes by resident memory size
arrange(procs, desc(resident_size)) %>% select(pid, name, uid, resident_size)
process count for the top 10 most active processes
count(procs, name, sort=TRUE)
get all processes listening on a port (join example)
listen <- tbl(osqdb, "listening_ports") left_join(procs, listen, by="pid") %>% filter(port != "") %>% distinct(name, port, address, pid)
get file info
files <- tbl(osqdb, "file") filter(files, path == "/etc/hosts") %>% select(filename, size)
users
tbl(osqdb, "users") tbl(osqdb, "logged_in_users")
groups
tbl(osqdb, "groups")
homebrew!
tbl(osqdb, "homebrew_packages")
Code of Conduct
Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
Embedding an R snippet on your website
Add the following code to your website.
For more information on customizing the embed code, read Embedding Snippets.