# Osquery

<https://www.osquery.io/>

## Query your devices like a database

Osquery describes a device through a relational data model that you query with basic SQL commands.

```
osquery> SELECT name, path, pid FROM processes WHERE on_disk = 0;
name = Drop_Agent
path = /Users/jim/bin/dropage
pid = 561
```

### Processes running without a binary on disk

Frequently, attackers will leave a malicious process running but delete the original binary on disk. This query returns any process whose original binary has been deleted, which could be an indicator of a suspicious process.
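The query above returns only name, path, and pid. As an added example (not taken from the osquery site or from this page), the following triage query keeps the same `on_disk = 0` filter and joins the standard `users` and `process_open_sockets` tables plus the parent process, so each hit arrives with its owner, parent, start time, and any non-local network peer. The aliases and the list of addresses treated as local are choices made for this example.

```sql
-- Added example: triage view for processes whose executable is no longer on disk.
-- Tables and columns come from the public osquery schema; aliases are illustrative.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  u.username,
  pp.name AS parent_name,
  pp.path AS parent_path,
  datetime(p.start_time, 'unixepoch') AS started_utc,
  s.remote_address,
  s.remote_port
FROM processes AS p
-- Resolve the owning account; LEFT JOIN keeps rows whose uid has no passwd entry.
LEFT JOIN users AS u
  ON u.uid = p.uid
-- Self-join to show which process spawned it (empty if the parent already exited).
LEFT JOIN processes AS pp
  ON pp.pid = p.parent
-- Attach sockets with a non-local peer; listeners and loopback traffic are skipped.
LEFT JOIN process_open_sockets AS s
  ON s.pid = p.pid
  AND s.remote_address NOT IN ('', '0.0.0.0', '::', '127.0.0.1', '::1')
-- on_disk is 1 when the path exists, 0 when it does not, -1 when unknown.
WHERE p.on_disk = 0
ORDER BY p.start_time DESC;
```

A process that was already running when its package was upgraded or removed also matches, so review the parent, owner, and start time before escalating a hit.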

[See Available Tables](https://www.osquery.io/schema)

## Three things you should know about osquery

### It's fast and tested

Our build infrastructure ensures that newly introduced code is benchmarked and tested. We perform continuous testing for memory leaks, thread safety, and binary reproducibility on all supported platforms.

[View the Code](https://github.com/osquery/osquery)

### It runs everywhere

Windows, macOS, CentOS, and almost every Linux OS released since 2011 are supported with no dependencies. osquery powers some of the most demanding companies, including Facebook.

[Download Osquery](https://www.osquery.io/downloads)

### It's open source

Osquery is released under the Apache License. Ever since we open-sourced it in 2014, organizations and individuals have contributed an ever-growing list of impressive features, useful tools, and helpful documentation.

[Read Community Articles](https://www.osquery.io/blog)

