As a technical writer diving deeper into security and AI tools, I want to document my journey through these spaces for others. And hopefully provide some amusing anecdotes along the way.


For this post, I’m exploring OSQuery on macOS: how it works, how to use it, and where it fits in as a lightweight security tool for local system inspection.

What OSQuery is and how it helps

Osquery is an open-source framework that works on OS X (macOS), Windows and Linux.

It presents your operating system as a high-performance relational database, letting you write SQL queries to explore system-level data. With OSQuery, you can query everything from running processes to open network ports, loaded kernel modules, file hashes, and more.

Installation

To get started on your Mac, open your terminal and run:

brew install osquery

Getting Started

To launch OSQuery's interactive shell, open your terminal and run:

osqueryi

Now you can start writing SQL-style queries and begin querying your operating system like a database.

[Image: the osqueryi command-line interface, ready for queries]

Query 1 – Who’s logged in?

Running this query shows who is logged in to your machine, so you can spot active users or suspicious sessions.

SELECT * FROM logged_in_users;

Query 2 – What’s listening on your network?

SELECT pid, name, port, address FROM listening_ports JOIN processes USING (pid);

This query joins the two tables on pid only (both tables also share a path column, so a NATURAL JOIN would wrongly require those to match as well). It shows which processes are listening on which ports, and what network addresses they're bound to.

Run this to detect unnecessary exposure or unexpected services.

Query 3 – Suspicious file changes

SELECT path, datetime(mtime, 'unixepoch') AS modified
FROM file
WHERE directory = '/Applications' AND path LIKE '%.app%'
ORDER BY mtime DESC;

This shows when each .app bundle was last modified, most recent first (mtime is a Unix timestamp, so datetime() makes it readable). It's a simple way to spot recent installs, updates, or unexpected tampering.

Query 4 – List Active Processes with Network Connections

SELECT DISTINCT processes.name, listening_ports.port, listening_ports.address 
FROM processes 
JOIN listening_ports 
ON processes.pid = listening_ports.pid;

Run this to identify unnecessary exposure or check if any unknown services are running.
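Queries 2 through 4 are more useful when the results are triaged rather than just read. The script below is an added example, not code from the original post or from the osquery project. It assumes osqueryi is installed via Homebrew as described above and that `osqueryi --json "<query>"` prints a JSON array of row objects (osquery's documented output mode, with every value as a string). The `flag_exposed_listeners` and `recently_modified_apps` functions, the allowlist, and the sample rows are all constructed for this example, so the triage logic runs even on a machine without osquery.

```python
"""Triage helpers for osquery results on macOS (added example, not the post's own code)."""
import json
import shutil
import subprocess
from datetime import datetime, timezone

# Same joins as the post's queries, with explicit aliases and the join key spelled out.
LISTENERS_SQL = (
    "SELECT DISTINCT p.name, p.path, l.port, l.address, l.protocol "
    "FROM listening_ports AS l JOIN processes AS p USING (pid);"
)
APPS_SQL = (
    "SELECT path, mtime FROM file "
    "WHERE directory = '/Applications' AND path LIKE '%.app%';"
)

LOOPBACK = {"127.0.0.1", "::1"}  # bound here means reachable only from this machine


def run_query(sql):
    """Run a query through osqueryi and return rows as a list of dicts.

    Assumption: osqueryi is on PATH. Returns None when it is not, so the
    caller can fall back to captured or constructed rows.
    """
    if shutil.which("osqueryi") is None:
        return None
    proc = subprocess.run(["osqueryi", "--json", sql],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def flag_exposed_listeners(rows, expected):
    """Return (name, port, address) for listeners bound beyond loopback whose
    (name, port) pair is not in the `expected` allowlist. Sorted for stable output."""
    findings = []
    for r in rows:
        if r["address"] in LOOPBACK:
            continue  # local-only service: not network exposure
        key = (r["name"], int(r["port"]))  # osquery JSON values are strings
        if key not in expected:
            findings.append((r["name"], int(r["port"]), r["address"]))
    return sorted(findings)


def recently_modified_apps(rows, now, within_days):
    """Return .app paths whose mtime is within the last `within_days` days, newest first."""
    cutoff = now - within_days * 86400
    recent = [(int(r["mtime"]), r["path"]) for r in rows if int(r["mtime"]) >= cutoff]
    return [path for _, path in sorted(recent, reverse=True)]


# Constructed sample rows, shaped like `osqueryi --json` output.
SAMPLE_LISTENERS = [
    {"name": "rapportd", "path": "/usr/libexec/rapportd", "port": "49152",
     "address": "0.0.0.0", "protocol": "6"},
    {"name": "node", "path": "/usr/local/bin/node", "port": "3000",
     "address": "127.0.0.1", "protocol": "6"},
    {"name": "python3", "path": "/usr/bin/python3", "port": "8000",
     "address": "0.0.0.0", "protocol": "6"},
    {"name": "mDNSResponder", "path": "/usr/sbin/mDNSResponder", "port": "5353",
     "address": "0.0.0.0", "protocol": "17"},
]
# Constructed allowlist of (process name, port) pairs this machine is expected to expose.
EXPECTED_LISTENERS = {("rapportd", 49152), ("mDNSResponder", 5353)}

SAMPLE_NOW = 1_750_000_000  # constructed "current time" (Unix epoch seconds)
SAMPLE_APPS = [
    {"path": "/Applications/Safari.app", "mtime": str(SAMPLE_NOW - 40 * 86400)},
    {"path": "/Applications/Example Editor.app", "mtime": str(SAMPLE_NOW - 2 * 86400)},
    {"path": "/Applications/Unknown Helper.app", "mtime": str(SAMPLE_NOW - 3600)},
]


def main():
    listeners = run_query(LISTENERS_SQL) or SAMPLE_LISTENERS
    apps = run_query(APPS_SQL) or SAMPLE_APPS
    now = int(datetime.now(tz=timezone.utc).timestamp()) if shutil.which("osqueryi") else SAMPLE_NOW

    print("Listeners bound beyond loopback and not on the allowlist:")
    for name, port, address in flag_exposed_listeners(listeners, EXPECTED_LISTENERS):
        print(f"  {name} on {address}:{port}")

    print("App bundles modified in the last 7 days:")
    for path in recently_modified_apps(apps, now, within_days=7):
        print(f"  {path}")


if __name__ == "__main__":
    main()
```

With the constructed rows, the listener check reports only python3 on 0.0.0.0:8000: node on port 3000 is skipped because it is loopback-only, and the two Apple services are on the allowlist. The allowlist is what turns a raw listing into a finding, so it is worth maintaining per machine.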

Final Thoughts

These few queries show what is possible with some low-level monitoring of your system. In reality, many of us don't absolutely need to use them. But having the ability to query your machine using SQL is highly satisfying and pragmatic. If you had to do an audit, the tabular data would definitely come in handy. And a little bit of security knowledge can go a long way to protect yourself and your IP from risk.