by marcinw
3449 days ago
(I am one of the developers of Doorman.) Some background, from osquery's site: "osquery allows you to easily ask questions about your Linux, Windows, and OS X infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company."

I wrote Doorman as a way of utilizing osquery's TLS remoting endpoints, allowing me to dynamically configure an endpoint with custom queries, as well as run ad-hoc queries. We use osquery and Doorman at my company to gain visibility into our laptops in a manner many remote-control-based applications don't provide. Besides gaining remote administration functionality for osquery, we developed Doorman with a security-first attitude. We favor tools like osquery that don't expose remote command and control capabilities over tools like Chef or Puppet that concentrate super powers in the hands of a few people.

One of the stronger points of Doorman is its built-in rules and alerting engine. It is one of the few security tools that I honestly can say I "set and forget" with respect to the rules we write. Want to know every time someone installs a new Chrome extension? All listening sockets on external interfaces, and the process name and user/group it's owned by? New root certificate authorities added to the keychain? Done, all thanks to osquery's introspection capabilities coupled with Doorman.
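The three checks the comment lists, written as osquery SQL. This is an added example, not rule definitions taken from Doorman or osquery's documentation; the table and column names (`listening_ports`, `processes`, `users`, `groups`, `chrome_extensions`, `certificates`) are osquery's own, and the filter on loopback addresses is an assumption about what "external interfaces" means. Scheduled as differential queries (osquery's default logging mode), each new row in the result set becomes one "added" event that a rules engine such as Doorman's can alert on.

```sql
-- 1. Listening sockets on non-loopback interfaces, with the owning process
--    and the user/group it runs as. 0.0.0.0 and :: (all interfaces) are kept.
--    Assumption: "external" means anything that is not loopback.
SELECT lp.port, lp.protocol, lp.address,
       p.pid, p.name AS process, p.path,
       u.username, g.groupname
FROM listening_ports AS lp
JOIN processes AS p ON lp.pid = p.pid
LEFT JOIN users  AS u ON p.uid = u.uid
LEFT JOIN groups AS g ON p.gid = g.gid
WHERE lp.port != 0
  AND lp.address NOT IN ('127.0.0.1', '::1');

-- 2. Installed Chrome extensions per local user. Run on a schedule, every
--    newly appearing row is an extension install for that user.
SELECT u.username, ce.name, ce.identifier, ce.version, ce.path
FROM users AS u
JOIN chrome_extensions AS ce USING (uid);

-- 3. Self-signed CA certificates in the trust store. A new row here means a
--    root CA was added; the alert should carry the fingerprint so it can be
--    compared against the organisation's known roots.
SELECT common_name, issuer, sha1, not_valid_after, path
FROM certificates
WHERE ca = 1 AND self_signed = 1;
```

The joins to `users` and `groups` are `LEFT JOIN`s on purpose: a listener owned by a uid with no passwd entry (a container or a removed account) is exactly the case you do not want to drop from the alert.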