Introducing Orbit for osquery

Orbit is an osquery runtime and auto-updater. Orbit eases the deployment of osquery connected with a Fleet server, and is a (near) drop-in replacement for osquery in a variety of deployment scenarios — with or without the use of Fleet.

For documentation on Orbit beta, check out:

In a production environment, it’s not always trivial to deploy software to your servers, laptops, and workstations. The obvious benefit of Orbit is that it only needs to be deployed once on each endpoint device, and then allows you to stay up to date with the latest version (configurable by you) by using Orbit’s update channels (more on this below).

Orbit is open-source, MIT licensed software. We believe open-source is the future of endpoint instrumentation.

Orbit uses the concept of “update channels” to determine the version of Orbit and osquery to run. This concept is modeled on the common versioning convention for Docker containers, and gives users fine-grained control of the updates that are pushed out to their client.

| Channel | Versions |
| --- | --- |
| 4 | 4.x.x |
| 4.6 | 4.6.x |
| 4.6.0 | 4.6.0 |

There are also a couple of special channel names that can be used: stable and edge. If you want to always be running the most recent stable version of osquery, stable lets users set it and forget it, and lets Orbit push the latest version that Fleet deems stable. edge, on the other hand, provides the newest releases for beta testing.
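To see which version a numeric channel pin admits before rolling it out, the convention in the table can be modeled as below. This is an added example, not Orbit's own code: `Resolve`, `segs` and the published version list are hypothetical, and stable and edge are rejected because the page says Fleet chooses them rather than deriving them from version numbers.

```go
package main

import (
	"fmt"
	"slices"
	"strconv"
	"strings"
)

// segs turns a version ("4.6.0") or channel ("4.6") into numeric segments.
func segs(s string) ([]int, error) {
	parts := strings.Split(s, ".")
	out := make([]int, 0, 3)
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || len(parts) > 3 {
			return nil, fmt.Errorf("not a numeric version or channel: %q", s)
		}
		out = append(out, n)
	}
	return out, nil
}

// Resolve returns the newest published x.y.z version covered by a numeric channel.
func Resolve(channel string, published []string) (string, error) {
	want, err := segs(channel) // "stable"/"edge" fail here: the publisher picks those
	if err != nil {
		return "", err
	}
	best, bestV := "", []int(nil)
	for _, p := range published {
		v, err := segs(p)
		if err != nil || len(v) != 3 || !slices.Equal(v[:len(want)], want) {
			continue // malformed, or outside the channel ("4.1" does not cover "4.10.0")
		}
		if bestV == nil || slices.Compare(v, bestV) > 0 {
			best, bestV = p, v // numeric compare: 4.10.0 is newer than 4.6.2
		}
	}
	if best == "" {
		return "", fmt.Errorf("no published version covered by channel %q", channel)
	}
	return best, nil
}

func main() {
	published := []string{"4.5.1", "4.6.0", "4.6.2", "4.10.0", "5.0.1"} // constructed sample
	fmt.Println(Resolve("4", published))
	fmt.Println(Resolve("4.1", published))
}
```

Pinning to a full version such as 4.6.0 is the only channel in this model that never moves, which is the trade-off to weigh between change control and receiving fixes automatically.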

So what’s in store for Orbit? We’ll start by addressing some longstanding pain points for the osquery community. Orbit, together with the Fleet server, will be able to centrally manage osquery startup flags and configure different osquery versions without deploying new packages.

Looking further ahead, we see Orbit as a platform for further extending the capabilities of Fleet and osquery through deployment of osquery extensions, Fleet Desktop, and response capabilities.

