Hi guys,
I'm working on OCI image with osquery ins...
# generald
Denis
12/17/2024, 11:24 AMHi guys,
I'm working on OCI image with osquery inside for k8s. We wanna collect network and process activities from host OS(k8s worker node) over netlink socket(getting events from kernel audit) as a daemonset which will initiate by kubelet/kube-scheduler.
For testing I gave additional linux capabilities (CAP_AUDIT_READ and CAP_AUDIT_CONTROL) for the container, but event tables are empty.
And if I check active netlink sockets(ss -f netlink) on host OS, I see that osquery didn't subscribe to kernel audit.
Osquery's logs are empty, syslog are empty too.
Anybody meet or work with this?
Thanks guys.
Denis
12/17/2024, 11:26 AMIn bare metal(on host OS) cases all are working fine.
I see that osuqery subscribe on the kernel audit over netlink. And I'm getting events...
Denis
12/17/2024, 1:09 PMohh, in --verbose mode I've got:
Copy code
auditdnetlink.cpp:686] Failed to set the netlink ownerf
FG
12/17/2024, 3:54 PMthis mentions the same error, but in centos, may be useful to at least validate your flags: https://fleetdm.com/guides/querying-process-file-events-table-on-centos-7
5 Views