Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

yeah, i saw that the new app execs osqueryi. that’s not a great pattern imo.

Can you give me some context around why this is not a good idea?

a lot happen when you `exec` a process… if you’re doing it often, in a loop, or as apart of consistent operations of a tool, it’s incredibly inefficient

the HIDS i wrote at etsy used to exec like all hell

and it was obnoxiously resource intensive because of it

this was the motivation for the “no shelling out” rule in osquery

as well as the local socket and the `Query` method so that all of this could happen without `exec`

you also have to spend extra resources validating command output and stderr for all the ways it can fail

So for a standalone tool, if I wanted to run a bunch of queries and then generate a pdf report from the results -- using the thrift API + osqueryd would be preferable to using osqueryi?

you can use thrift with osqueryi too. it’s the same API

but yeah, start an osquery{d/i} and then run as many queries as you want via the thrift api