Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Process table does not log scripts (like the one you described). However, i believe that the curl process should appear. If you run a query for the processes table right when the curl is running, it should be showing, but it might be hard to get it in the exact moment in time.

yeah that is what i was thinking. you are probably creating a race condition. I bet you will see the curl process if you download a big file (that takes more time) using curl

Auditd (kernel hook) should see the processes - while and test are (most likely) internal to your shell 

Also, I'm pretty sure audit won't directly catch echo &gt; /dev/tcp/ip/port stuff if you're trying to catch that type of behavior 