Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Is anyone aware of a good article on the various osquery flags needed to do process and file monitoring on linux and mac? There are a few in play, and with the addition of the BPF tables I'd love to know best practices -- do we still need register for auditd, or do the BPF tables not yet cover things like `file_events` etc ?

BPF currently handles socket and process events. The osquery docs for <https://osquery.readthedocs.io/en/latest/deployment/file-integrity-monitoring/#file-integrity-monitoring-with-osquery|file monitoring> and <https://osquery.readthedocs.io/en/latest/deployment/process-auditing/|process auditing> are actually fairly beefy... I think that's why it's difficult to track down detailed tutorials

Right - so it reads to be like if you want to do file monitoring, you need to use the audit framework. However both audit and BPF support process auditing - is there a preference between the two for performance or other reasons ?

I'd hope that everything migrates to BPF one day to be honest, since there can be only one service registered to the audit framework

Ping on this thread - anyone have a good guide? Should I experiment and write one ?