Is anyone aware of a good article on the various osquery flags needed to do process and file monitoring on linux and mac? There are a few in play, and with the addition of the BPF tables I'd love to know best practices -- do we still need register for auditd, or do the BPF tables not yet cover things like
08/22/2022, 4:59 PM
BPF currently handles socket and process events. The osquery docs for file monitoring and process auditing are actually fairly beefy... I think that's why it's difficult to track down detailed tutorials
08/22/2022, 5:01 PM
Right - so it reads to be like if you want to do file monitoring, you need to use the audit framework. However both audit and BPF support process auditing - is there a preference between the two for performance or other reasons ?
I'd hope that everything migrates to BPF one day to be honest, since there can be only one service registered to the audit framework
Ping on this thread - anyone have a good guide? Should I experiment and write one ?