
Ask questions about your Linux and OSX infrastructure

Kolide is an agentless osquery web interface and remote API server: it ships no agent of its own and talks to the osqueryd already running on each host. Kolide uses the osquery remote APIs to run ad-hoc distributed queries, push osqueryd configurations, and collect and process the results of scheduled queries (packs). Kolide was designed to be extremely portable (a single binary) and performant while keeping the codebase simple.

osquery allows you to easily ask questions about your Linux and OSX infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company.

Download from GitHub.

git clone

To build Kolide from the source code yourself, you need a working Go environment, version 1.5 or greater.

Get the code into your $GOPATH:

git clone

Install build/dev dependencies:

make deps

Start Postgres and Redis

The easiest way to start writing code is to use docker/docker-compose:

make up runs docker-compose and bootstraps the dependencies (Postgres and Redis)
make down stops and removes those containers


usage: kolide --config=CONFIG []
osquery command and control
      --help                     Show context-sensitive help (also try --help-long and --help-man).
      --debug                    Enable debug mode.
  -q, --quiet                    Remove all output logging
      --dev                      enable dev mode (serve assets from disk)
  -c, --config=CONFIG            configuration file
      --production               enable production mode
      --address=:8000            web server network address
      --enroll-secret=secret     osquery enroll secret
      --db-address=:5432         database network address
      --db-username=kolide       database username
      --db-password=secret       database password
      --db-database=kolide       database name
      --redis-address=:6379      redis network address
      --redis-protocol="tcp"     redis network protocol
      --redis-size=10            redis maximum number of idle connections
      --redis-password=secret    redis password
      --redis-secret-key=secret  redis secret key
      --version                  Show application version.
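The --enroll-secret flag above is the shared secret every osqueryd presents to the enroll endpoint of the osquery remote API before it gets a node_key for later config, logger and distributed-query requests. The following is an added illustration of that exchange and is not Kolide's code: a minimal Go enroll handler in the shape osqueryd's TLS enroll plugin speaks (a JSON POST carrying enroll_secret and host_identifier, answered with node_key or node_invalid). The endpoint path /api/v1/osquery/enroll is an assumption chosen for the example; the security points it demonstrates are that the secret is compared in constant time, that an unguessable random node_key is issued rather than one derived from the host identifier, and that a refused enrollment says nothing beyond node_invalid.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"log"
	"net/http"
	"sync"
)

// enrollRequest is the JSON body osqueryd's TLS enroll plugin POSTs.
// platform_type and host_details are kept opaque; this example only needs
// the secret and the host identifier.
type enrollRequest struct {
	EnrollSecret   string          `json:"enroll_secret"`
	HostIdentifier string          `json:"host_identifier"`
	PlatformType   json.RawMessage `json:"platform_type"`
	HostDetails    json.RawMessage `json:"host_details"`
}

// enrollResponse is what osqueryd expects back; node_invalid=true tells the
// agent its enrollment was refused and it must re-enroll later.
type enrollResponse struct {
	NodeKey     string `json:"node_key,omitempty"`
	NodeInvalid bool   `json:"node_invalid"`
}

// enrollServer holds the shared enroll secret and the node keys it issued.
type enrollServer struct {
	secret []byte
	mu     sync.Mutex
	nodes  map[string]string // node_key -> host_identifier
}

func newEnrollServer(secret string) *enrollServer {
	return &enrollServer{secret: []byte(secret), nodes: make(map[string]string)}
}

// secretMatches compares in constant time so response timing does not leak
// how many leading bytes of a guessed secret were correct.
func (s *enrollServer) secretMatches(candidate string) bool {
	return subtle.ConstantTimeCompare([]byte(candidate), s.secret) == 1
}

// newNodeKey returns 32 random bytes, hex-encoded (64 characters). A key
// derived from the host identifier would be guessable by anyone who knows
// the hostname; a random one is not.
func newNodeKey() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// enroll handles the enroll POST. The path it is mounted on is an
// assumption of this example, not Kolide's documented route.
func (s *enrollServer) enroll(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	var req enrollRequest
	// Cap the body at 1 MiB so a hostile client cannot exhaust memory.
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&req); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	if !s.secretMatches(req.EnrollSecret) || req.HostIdentifier == "" {
		// Refuse with node_invalid only; do not hint whether the secret or
		// the identifier was the problem.
		json.NewEncoder(w).Encode(enrollResponse{NodeInvalid: true})
		return
	}
	key, err := newNodeKey()
	if err != nil {
		http.Error(w, "internal error", http.StatusInternalServerError)
		return
	}
	s.mu.Lock()
	s.nodes[key] = req.HostIdentifier
	s.mu.Unlock()
	json.NewEncoder(w).Encode(enrollResponse{NodeKey: key})
}

// lookupNode resolves a node_key presented on later config/logger/
// distributed requests back to the enrolled host, or "" if unknown.
func (s *enrollServer) lookupNode(nodeKey string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.nodes[nodeKey]
}

func main() {
	srv := newEnrollServer("secret") // pairs with --enroll-secret=secret above
	http.HandleFunc("/api/v1/osquery/enroll", srv.enroll)
	log.Fatal(http.ListenAndServe(":8000", nil))
}
```

Two operational caveats follow from this exchange. The enroll secret is a bearer credential: anyone who reads it can enroll a rogue host and receive whatever config and distributed queries the server sends, so passing it as --enroll-secret (or --db-password, --redis-password) on the command line exposes it to every local user through ps and /proc; the --config file is the better place for it. And because the secret is shared by the whole fleet, the server should treat node_key, not enroll_secret, as the per-host identity once enrollment has succeeded.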