Minimal osquery-inspired SQL shell in Rust, backed by Apache DataFusion.
Current scope:
- REPL mode (`cargo run`)
- piped SQL mode (`echo "select * from system_info;" | cargo run --quiet`)
- local core system tables:
  - `system_info`, `os_version`, `platform_info`, `kernel_info`, `uptime`
  - `cpu_info`, `cpuid`, `memory_info`, `memory_devices`
- snapshot runtime tables:
  - `processes`
  - `process_envs`
  - `process_open_files`
  - `process_open_sockets`
  - `process_memory_map`
  - `process_namespaces`
  - `listening_ports`
- local networking metadata tables:
  - `interface_details`, `interface_addresses`, `interface_ipv6`
  - `routes`, `arp_cache`, `dns_resolvers`
  - `etc_hosts`, `etc_protocols`, `etc_services`
- cloud metadata tables:
  - `ec2_instance_metadata`, `ec2_instance_tags`
  - `azure_instance_metadata`, `azure_instance_tags`
  - `ycloud_instance_metadata`
- local identity/security tables:
  - `users`, `groups`, `user_groups`, `logged_in_users`
  - `user_ssh_keys`, `ssh_configs`, `authorized_keys`, `known_hosts`
  - `sudoers`, `shell_history`

All tables are snapshot-oriented and built from live system state when queried.
Runtime snapshot table implementations are organized one table per file under `src/runtime_tables/`.
Network table implementations are organized one table per file under `src/network_tables/`.
Cloud metadata tables are opt-in and only query provider endpoints when `OSSQL_ENABLE_CLOUD_METADATA=1`.

- Linux:
  - `interface_details`, `interface_addresses`, `interface_ipv6`, `routes`, `arp_cache`, `dns_resolvers` are populated from `/sys`, `/proc`, `ip`, and `/etc/*` sources.
  - Unavailable values are emitted as nulls (or osquery-style numeric defaults where expected, such as `last_change = -1` for `interface_details`).
- macOS:
  - `interface_details`, `interface_addresses`, `interface_ipv6`, `routes`, `arp_cache` use native command/system outputs when available.
  - Fields unavailable from native output are returned as null/default sentinel values to keep osquery-like schema compatibility.
- Other OSes:
  - Tables are registered with stable schemas; unsupported row collectors return empty snapshots.
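
The Linux behaviour described above (rows populated from `/proc`, unavailable values emitted as nulls), sketched for `arp_cache` as an added example; this is not ossql's own code. It assumes the collector reads `/proc/net/arp`, borrows osquery's `arp_cache` column names, and reports an unresolved entry's MAC as null; `ArpRow`, `parse_proc_net_arp` and `SAMPLE` are hypothetical names.

```rust
// Added example (not ossql's code): /proc/net/arp text -> osquery-shaped rows.
// Assumption: an unresolved entry is reported with mac = None (SQL NULL).
const ATF_COM: u32 = 0x02; // kernel flag: entry complete, MAC resolved
const ATF_PERM: u32 = 0x04; // kernel flag: static (permanent) entry

#[derive(Debug, PartialEq)]
pub struct ArpRow {
    pub address: String,
    pub mac: Option<String>,
    pub interface: String,
    pub permanent: bool,
}

/// Malformed lines are skipped so one odd line cannot blank the snapshot.
pub fn parse_proc_net_arp(text: &str) -> Vec<ArpRow> {
    text.lines()
        .skip(1) // column header
        .filter_map(|line| {
            let f: Vec<&str> = line.split_whitespace().collect();
            if f.len() < 6 {
                return None;
            }
            let flags = u32::from_str_radix(f[2].trim_start_matches("0x"), 16).ok()?;
            Some(ArpRow {
                address: f[0].to_string(),
                mac: ((flags & ATF_COM) != 0).then(|| f[3].to_ascii_lowercase()),
                interface: f[5].to_string(),
                permanent: (flags & ATF_PERM) != 0,
            })
        })
        .collect()
}

// Constructed sample input using documentation-range addresses.
pub const SAMPLE: &str = "\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         02:00:5E:10:00:01     *        eth0
192.0.2.7        0x1         0x0         00:00:00:00:00:00     *        eth0
192.0.2.9        0x1         0x6         02:00:5e:10:00:09     *        eth1
garbage line
";

fn main() {
    for row in parse_proc_net_arp(SAMPLE) {
        println!("{:?}", row);
    }
}
```

Reporting the all-zero placeholder MAC of an incomplete entry as null keeps queries that compare MACs across hosts from matching on `00:00:00:00:00:00`.
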

```
cargo run
ossql> select * from system_info;
```

Or with piped input:

```
echo "select * from cpu_info;" | cargo run --quiet
```