vilterp / Osquery Graphql
osquery-graphql
Explore what's going on in your system with the power of GraphQL, powered by osquery. It's great if, like me, you can never remember the names or parameters of all those Unix utilities like netstat, lsof, or fuser...
E.g. to see what process is listening on a port and what files it has open:

```graphql
{
  listening_port(port: 8082) {
    process {
      pid
      cmdline
      open_files {
        path
      }
    }
  }
}
```
What port a process is listening on:

```graphql
{
  processes(cmdline: "node myapp.js") {
    listening_ports {
      port
    }
  }
}
```
Which processes have a file open (bug: not all file attributes are currently returned). Note that GraphQL string arguments must use double quotes:

```graphql
{
  file(path: "/foo.txt") {
    opened_by_processes {
      pid
    }
  }
}
```
Install
```sh
brew install osquery
npm install
npm run start
```

then navigate to http://localhost:3100/graphql for the GraphiQL console, which lets you explore the schema and try out queries.
Project status
Currently supports only a small subset of what osquery provides, and some queries crap out, probably due to shelling out to osquery a zillion times. This can probably be fixed by using facebook/dataloader to coalesce osquery queries.
Another idea for future work (once you can reliably query around the basic system objects): GraphQL subscriptions providing realtime updates, powered by DTrace or strace. This could power an interface in which file objects pulse when they are being written to, socket objects pulse when they are sending or receiving, processes pulse when they are using CPU, etc.