Is there any precedent for using osquery as a library/SDK directly? Looks like osquery’s build process is fairly rigidly defined to build an executable

osqueryd

(and

osqueryi

is just a symbolic link to that).

You're correct that osquery lacks any way to be built as a library. Its extensions interface is one way to build on it, and the other way is to subprocess

osqueryi

interactively. The challenge with either of these approaches is detecting and handling errors. I think most teams that want to use osquery as a library really just want its abstraction of OS APIs, but don't really need its SQL abstractions. Unfortunately there's no clean partitioning of those two things in the code. If there was, maybe all of the OS APIs could be a library used by both the osquery agent and other teams.

Thanks for the feedback. That is very useful. Abstraction over OS APIs is interesting, but not our use case, for what it’s worth. We are strictly interested in resilient mechanisms for issuing SQL queries from our agent. We will explore both the extensions interface and osqueryi subshell.

I started building basequery to solve 2 use cases: remove OS related stuff and improve extension support: https://github.com/Uptycs/basequery We switched to basequery for kubequery and cloudquery. Not sure if that is what you are looking for...