# Building osquery

The instructions provided below specify the steps to build osquery version 5.23.0 on Linux on IBM Z for the following distributions:

- RHEL (8.10, 9.6, 9.7, 10.0, 10.1)
- Ubuntu (22.04, 24.04, 25.10)

General Notes:

- When following the steps below, please use a standard permission user unless otherwise specified.
- A directory `/<source_root>/` will be referred to in these instructions; this is a temporary writable directory anywhere you'd like to place it.
- Docker is required for building the osquery-toolchain.

Note: osquery (5.23.0) was verified with docker version 29.4.1 at the time of creation of these instructions.

## Step 1: Build using script

If you want to build osquery using manual steps, go to STEP 2.

Use the following commands to build osquery using the build script. Please make sure wget is installed.

```bash
wget https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/osquery/5.23.0/build_osquery.sh
# Build osquery
bash build_osquery.sh [Provide -t option for executing build with tests]
```

If the build and tests complete successfully, go to STEP 7. In case of error, check the `<source_root>/logs/` directory for more details or go to STEP 2 to follow the manual build steps.
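The step above downloads build_osquery.sh and runs it straight away. The script below is an added example, not part of the linux-on-ibm-z instructions or scripts: it downloads the file with `curl -f` (so an HTTP error page is a failure rather than a bogus script), checks its SHA-256 against a digest the operator has recorded from a trusted copy, and only then executes it. The page publishes no digest, so `EXPECTED_SHA256` is a placeholder the operator fills in; the helper names are assumptions.

```bash
#!/bin/sh
# Added example: fetch build_osquery.sh, verify its SHA-256, then run it.
# EXPECTED_SHA256 is a placeholder the operator fills in from a trusted copy;
# the build instructions themselves publish no digest.
set -e

SCRIPT_URL="https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/osquery/5.23.0/build_osquery.sh"

# sha256_of FILE: print the hex digest of FILE (first field of sha256sum output)
sha256_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# verify_sha256 FILE EXPECTED_HEX: return 0 when the digest matches, 1 otherwise
# (comparison is case-insensitive; sha256sum prints lower-case hex)
verify_sha256() {
    _file=$1
    _expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    _actual=$(sha256_of "$_file")
    if [ "$_actual" = "$_expected" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected: %s\n  actual:   %s\n' \
        "$_file" "$_expected" "$_actual" >&2
    return 1
}

# fetch_verified URL EXPECTED_HEX DEST: download to a temp file, verify, then
# move into place; a mismatching download is deleted so it can never be run
fetch_verified() {
    _url=$1; _expected=$2; _dest=$3
    _tmp=$(mktemp "${_dest}.XXXXXX")
    if ! curl -fsSL "$_url" -o "$_tmp"; then
        rm -f "$_tmp"
        echo "download failed: $_url" >&2
        return 1
    fi
    if ! verify_sha256 "$_tmp" "$_expected"; then
        rm -f "$_tmp"
        return 1
    fi
    mv "$_tmp" "$_dest"
}

# Usage: EXPECTED_SHA256=<hex from a trusted copy> sh fetch_build_script.sh [-t]
# (the -t option is passed through to build_osquery.sh to run the tests)
if [ -n "${EXPECTED_SHA256:-}" ]; then
    fetch_verified "$SCRIPT_URL" "$EXPECTED_SHA256" build_osquery.sh
    bash build_osquery.sh "$@"
fi
```

Recording the digest once from a copy you have reviewed, and gating execution on it, turns a silent change to the upstream script into a visible failure instead of a build that runs unreviewed code.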
## Step 2: Install dependencies

Set the environment variables used by the remaining steps:

```bash
export SOURCE_ROOT=/<source_root>/
export TOOLCHAIN_BUILD=$SOURCE_ROOT/toolchain-build
export PATCH_URL="https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/osquery/5.23.0/patch"
```

- RHEL (8.10, 9.6, 9.7, 10.0, 10.1)

  ```bash
  sudo yum install -y git python3 python3-pip python3-setuptools python3-psutil python3-six python3-wheel python3-devel \
      gcc-c++ gcc automake autoconf gettext bison flex unzip help2man libtool ncurses-devel make ninja-build curl \
      patch texinfo gawk wget xz bzip2 cmake pkgconfig ca-certificates file perl rpm binutils
  ```

- Ubuntu (22.04, 24.04, 25.10)

  ```bash
  sudo apt-get update
  sudo DEBIAN_FRONTEND=noninteractive apt-get install -y git python3 python3-pip python3-setuptools python3-psutil \
      python3-six python3-wheel g++ gcc automake autoconf gettext bison flex unzip help2man libtool-bin libncurses-dev \
      make ninja-build patch texinfo gawk wget xz-utils bzip2 cmake pkg-config ca-certificates file perl rpm binutils curl
  ```

- Install the required Python packages:

  - For Ubuntu 24.04 and 25.10:

    ```bash
    python3 -m pip install --user --break-system-packages timeout_decorator thrift==0.11.0 osquery pexpect==3.3 docker
    ```

  - For RHEL and Ubuntu 22.04:

    ```bash
    python3 -m pip install --user timeout_decorator thrift==0.11.0 osquery pexpect==3.3 docker
    ```
## Step 3: Build osquery-toolchain

The osquery-toolchain is built inside a Docker container to ensure a consistent build environment.

```bash
cd $SOURCE_ROOT
docker run --privileged=true -i --name osquery-toolchain-build ubuntu:22.04 bash -c \
"apt-get update; \
DEBIAN_FRONTEND=noninteractive apt-get install -y sudo vim git python3 python3-pip python3-setuptools python3-psutil \
python3-six python3-wheel g++ gcc automake autoconf gettext bison flex unzip help2man libtool-bin libncurses-dev \
make ninja-build patch texinfo gawk wget xz-utils bzip2 cmake pkg-config ca-certificates file perl rpm binutils curl; \
useradd -m test || true; \
usermod -aG sudo test; \
chown -R test:test /home/test; \
cd /home/test; \
git clone -b 1.3.0 https://github.com/osquery/osquery-toolchain.git; \
cd osquery-toolchain; \
curl -sSL $PATCH_URL/toolchain_ubuntu.patch | git apply -; \
bash -n build.sh; \
sudo -u test bash -c 'cd /home/test/osquery-toolchain; ./build.sh /home/test/toolchain-build;'; \
cd /home/test/toolchain-build/final; \
mv sysroot osquery-toolchain; \
tar -pcvJf osquery-toolchain-1.3.0.tar.xz osquery-toolchain; \
"
```

Copy the toolchain archive out of the container and extract it:

```bash
cd $SOURCE_ROOT
docker cp osquery-toolchain-build:/home/test/toolchain-build/final/osquery-toolchain-1.3.0.tar.xz .
mkdir -p $TOOLCHAIN_BUILD
tar -xJvf osquery-toolchain-1.3.0.tar.xz -C $TOOLCHAIN_BUILD
```

## Step 4: Verify the toolchain

```bash
export OSQUERY_TOOLCHAIN_SYSROOT="$TOOLCHAIN_BUILD/osquery-toolchain"
$OSQUERY_TOOLCHAIN_SYSROOT/usr/bin/clang --version
```

The output should display the clang version information from the toolchain.
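Before handing the sysroot to cmake, it is worth checking the things the later steps silently depend on. The script below is an added example, not part of the page's instructions: `check_sysroot` confirms that `OSQUERY_TOOLCHAIN_SYSROOT` is an absolute path (so the value cmake records stays valid from any working directory) and that its `usr/bin/clang` runs and reports a clang banner; `check_source_root` confirms the build directory is writable by the unprivileged user the instructions assume; `check_docker` confirms the daemon needed by the toolchain build and by the fschanges test is reachable. The function names are assumptions.

```bash
#!/bin/sh
# Added example: preflight checks for the build environment (function names are
# assumptions, not part of the osquery or linux-on-ibm-z scripts).
set -e

# check_sysroot DIR: DIR must be absolute and contain an executable usr/bin/clang
# whose banner mentions clang; prints the banner's first line on success
check_sysroot() {
    _dir=$1
    case $_dir in
        /*) ;;
        *) echo "sysroot must be an absolute path: '$_dir'" >&2; return 1 ;;
    esac
    _clang="$_dir/usr/bin/clang"
    if [ ! -x "$_clang" ]; then
        echo "missing or not executable: $_clang" >&2
        return 1
    fi
    _banner=$("$_clang" --version 2>/dev/null | head -n 1) || _banner=""
    case $_banner in
        *clang*) printf '%s\n' "$_banner"; return 0 ;;
        *) echo "unexpected compiler banner from $_clang: '$_banner'" >&2; return 1 ;;
    esac
}

# check_source_root DIR: must exist and be writable by the current user
check_source_root() {
    if [ -d "$1" ] && [ -w "$1" ]; then
        return 0
    fi
    echo "SOURCE_ROOT is not a writable directory: '$1'" >&2
    return 1
}

# check_docker: the toolchain build and tools_tests_testfschangestable need a
# reachable Docker daemon; 'docker info' fails when it is not running
check_docker() {
    if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then
        return 0
    fi
    echo "docker is not installed or the daemon is not reachable" >&2
    return 1
}

# Usage: with SOURCE_ROOT and OSQUERY_TOOLCHAIN_SYSROOT exported as in the steps
# above, run: sh preflight.sh
if [ -n "${OSQUERY_TOOLCHAIN_SYSROOT:-}" ]; then
    check_source_root "${SOURCE_ROOT:-}"
    check_sysroot "$OSQUERY_TOOLCHAIN_SYSROOT"
    check_docker
    echo "preflight OK"
fi
```

Each check fails closed with a message naming the missing piece, which is cheaper to diagnose than a cmake configure error or a test that hangs waiting for Docker.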
## Step 5: Build osquery

```bash
cd $SOURCE_ROOT
git clone -b 5.23.0 https://github.com/osquery/osquery.git
cd osquery
git submodule update --init --recursive
```

- Apply all required patches for osquery:

  ```bash
  curl -sSL ${PATCH_URL}/osquery_generated.patch | git apply -
  curl -sSL ${PATCH_URL}/osquery_main.patch | git apply -
  curl -sSL ${PATCH_URL}/ebpf_common.patch | git apply -
  curl -sSL ${PATCH_URL}/ebpfpub.patch | git apply -
  curl -sSL ${PATCH_URL}/rocksdb.patch | git apply -
  curl -sSL ${PATCH_URL}/s2n.patch | git apply -
  curl -sSL ${PATCH_URL}/test_cases.patch | git apply -
  ```

- RHEL only:

  ```bash
  curl -sSL ${PATCH_URL}/linux_test_case_rhel.patch | git apply -
  ```

Create the build directory and compile osquery:

```bash
mkdir -p build
cd build
cmake -DOSQUERY_TOOLCHAIN_SYSROOT="$OSQUERY_TOOLCHAIN_SYSROOT" -DOSQUERY_BUILD_TESTS=ON ..
cmake --build . -j1
```

## Step 6: Run tests

```bash
cd $SOURCE_ROOT/osquery/build
ctest --output-on-failure -j1
```

Note: The test case tools_tests_testfschangestable requires Docker to be installed and running.

## Step 7: Verify osquery

```bash
cd $SOURCE_ROOT/osquery/build
./osquery/osqueryi --version
```

Expected output:

```
osqueryi version 5.23.0
```

## Step 8: Run osquery

```bash
cd $SOURCE_ROOT/osquery/build
./osquery/osqueryi
```

Run these SQL queries in the osquery shell:

```sql
-- Get OS version
SELECT * FROM os_version;
-- List running processes
SELECT pid, name, path FROM processes LIMIT 10;
-- Check system uptime
SELECT * FROM uptime;
```

The information provided in this article is accurate at the time of writing, but on-going development in the open-source projects involved may make the information incorrect or obsolete. Please open an issue if you have any questions or feedback.
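The interactive osqueryi session in the last step is fine for a one-off look; for a repeatable post-build check the same queries can be run non-interactively with osqueryi's `--json` output. The script below is an added example, not part of the page: `run_rows` runs one query and returns the number of result rows, `check_version` confirms through the `osquery_info` table that the binary reports the version the build was meant to produce, and `smoke_test` runs the three queries listed above and fails if any returns no rows. `OSQUERYI` defaults to the path used in the verification step; the function names are assumptions.

```bash
#!/bin/sh
# Added example: scripted post-build checks using osqueryi's non-interactive
# --json mode (function names are assumptions, not part of osquery).
set -e

OSQUERYI=${OSQUERYI:-./osquery/osqueryi}   # path inside the build tree used above

# run_rows QUERY: run QUERY through osqueryi --json and print the number of
# result rows (one JSON object per row); fails if osqueryi itself fails
run_rows() {
    _out=$("$OSQUERYI" --json "$1") || return 1
    # each row is a {...} object, so counting opening braces counts rows
    printf '%s' "$_out" | grep -o '{' | wc -l | tr -d ' '
}

# check_version EXPECTED: osquery_info reports the running binary's version;
# compare it with the version the build was expected to produce
check_version() {
    _out=$("$OSQUERYI" --json "SELECT version FROM osquery_info;") || return 1
    _compact=$(printf '%s' "$_out" | tr -d ' \n\t')
    case $_compact in
        *"\"version\":\"$1\""*) return 0 ;;
    esac
    echo "version mismatch: expected $1, got: $_out" >&2
    return 1
}

# smoke_test: the three queries from the instructions; each must return a row
smoke_test() {
    for _q in \
        "SELECT * FROM os_version;" \
        "SELECT pid, name, path FROM processes LIMIT 10;" \
        "SELECT * FROM uptime;"
    do
        _n=$(run_rows "$_q") || { echo "query failed: $_q" >&2; return 1; }
        if [ "$_n" -eq 0 ]; then
            echo "query returned no rows: $_q" >&2
            return 1
        fi
        echo "$_n row(s): $_q"
    done
}

# Usage (from $SOURCE_ROOT/osquery/build): sh smoke_test.sh --run
if [ "${1:-}" = "--run" ]; then
    check_version 5.23.0
    smoke_test
fi
```

Because every check returns a status instead of just printing, the script can sit at the end of a CI job or a packaging pipeline and fail the run when the freshly built binary does not answer the way a working osquery 5.23.0 should.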