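-- osquery walkthrough for a RHEL/CentOS host: install, explore tables interactively,
-- then run the daemon. Shell steps are shown as comments; the SQL statements below
-- are meant to be pasted into osqueryi one at a time.
--
-- Installation (run with sudo):
--   $ sudo yum update curl nss nss-util nss-sysinit nss-tools
--   $ curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
--     NOTE: this writes a trust anchor for all future package installs from the repo.
--     Before continuing, compare the fingerprint of the imported key
--     (`gpg --show-keys /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery`) with the one
--     published by the osquery project; do not rely on the download alone.
--   $ sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
--   $ sudo yum-config-manager --enable osquery-s3-rpm
--   $ sudo yum install osquery
--
-- Interactive exploration:
--   $ sudo osqueryi
--   osquery> .tables              -- list every table exposed on this platform
--   osquery> .schema users        -- column definitions for a table
--   osquery> .schema processes
--   osquery> .schema os_version

-- Full dump of the process table; fine for a first look, but prefer the
-- narrower column lists below for anything you keep.
SELECT * FROM processes;

SELECT
    pid,
    name,
    path
FROM processes;

-- Top 10 processes by resident memory.
SELECT
    pid,
    name,
    uid,
    resident_size
FROM processes
ORDER BY resident_size DESC
LIMIT 10;

-- Most common process names (useful for spotting unexpected fan-out).
SELECT
    COUNT(*) AS total,
    name
FROM processes
GROUP BY name
ORDER BY total DESC
LIMIT 10;

-- Processes whose executable is no longer present on disk. Legitimate after a
-- package upgrade, but also a classic sign of a binary deleted after launch,
-- so this is worth scheduling rather than running once.
SELECT
    name,
    path,
    pid
FROM processes
WHERE on_disk = 0;

-- Current interactive sessions and login history.
SELECT
    type,
    user,
    tty,
    host,
    time,
    pid
FROM logged_in_users;

SELECT
    username,
    tty,
    pid,
    type,
    time,
    host
FROM last;

-- Configured package repositories, then only the ones that are active.
-- Any repo you did not add yourself deserves a second look.
SELECT
    name,
    baseurl,
    enabled
FROM yum_sources;

SELECT
    name,
    baseurl
FROM yum_sources
WHERE enabled = 1;

-- Installed packages. String literals use single quotes: in SQLite-based
-- engines a double-quoted value is tried as an identifier first and only
-- falls back to a string, which silently changes meaning if a matching
-- column ever exists.
SELECT
    name,
    version
FROM rpm_packages
ORDER BY name;

SELECT
    name,
    version,
    release,
    source,
    size
FROM rpm_packages
WHERE name = 'firefox';

-- Listening sockets joined to their owning process so each port has a name
-- and path next to it, instead of just a pid.
SELECT
    lp.pid,
    lp.port,
    lp.protocol,
    lp.family,
    lp.address,
    p.name,
    p.path
FROM listening_ports AS lp
LEFT JOIN processes AS p
    ON p.pid = lp.pid
ORDER BY lp.port;

-- setuid/setgid binaries; baseline this list so later additions stand out.
SELECT
    path,
    username,
    groupname,
    permissions
FROM suid_bin
ORDER BY path;

-- Running kernel and loaded modules, largest last.
SELECT
    version,
    arguments,
    path,
    device
FROM kernel_info;

SELECT
    name,
    size,
    used_by,
    status
FROM kernel_modules
WHERE status = 'Live'
ORDER BY size;

-- Daemon configuration and scheduled queries:
--   $ sudo osqueryctl config-check    -- validate the config before starting the daemon
SELECT
    name,
    query,
    interval
FROM osquery_schedule;

-- Start the daemon and watch scheduled-query results:
--   $ sudo osqueryctl start
--   $ sudo tail -f /var/log/osquery/osqueryd.results.log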