Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
z
zwass
10/06/2021, 6:18 PMAny osquery users also using (or considering) Falco?
➕ 4
(Asking because I'm wondering if it would be useful to build an integration with osquery and/or Fleet)
z
Zach Zeid
10/06/2021, 7:36 PMI am struggling to think about the use case here, would that mean that Fleet would be acting as the ingestion point, but having no control over pushing down rules, etc.?
s
seph
10/06/2021, 7:53 PMIt seems like an interesting question. As I understand it, falco gathers something like audit/kprobe/bpf events, and then does analysis on them.
Would a hypothetical perfect-world integration look like:
1. osquery has access to the falco alert stream? This feels weird and out of scope
2. osquery has access to the falco sensor data? This feels better approached via bpf tables, or a kprobe table
3. falco has access to osquery data? Feels akin to streamalert
I really want there to be an interesting overlap, but I haven’t come up with it yet.
z
zwass
10/06/2021, 8:38 PMInitially I think it would be more like #1 -- osquery has access to other streams such as syslog, ASL, windows eventlog -- I wonder if it would be useful for osquery to be able to ship the Falco alerts into the same logging pipeline that folks already have set up. Additionally, if osquery is running on the container host, there are other tables that could have value.
#2 and #3 totally agreed it doesn't make much sense.
If I were to approach such a thing initially it might be an osquery extension in Go that just makes the Falco events available. I could also theoretically see Fleet being able to manage rules and that kinda thing, but it would be further down the line after proving out the idea that it's useful for logs generated by Falco to flow through that same logging pipeline.
w
wkleinhenz
10/06/2021, 11:08 PMive been thinking about looking at falco most likely to replace auditd but i havent really had time to dig into it
j
Jams
10/06/2021, 11:31 PM#1 Would this option require deploying both osquery and Falco inside k8s pods?
z
zwass
10/07/2021, 12:33 AMIt would not need to run inside each pod. Both osquery and Falco would run on the host (or within a single container on the host).
s
seph
10/07/2021, 12:46 AMMore data in structured format is interesting.
Mingling events with static data is very CEP. Not sure what I want to do with this observation.