I can't really find it on the website, but does os...
# generalz
Zach Zeid
10/06/2022, 2:28 PMI can't really find it on the website, but does osquery support eBPF out of the box, or does it need to be built from source to support it?
m
Mike Myers
10/06/2022, 7:07 PMWhen provided the right configuration flags, it has BPF-powered tables that have been there for a few versions now (but continue to be improved)
Mike Myers
10/06/2022, 7:08 PMYou do not need to rebuild it from source. The BPF bytecode is generated at runtime before loading, and that was the difficult part (no dependence on toolchains like
bccMike Myers
10/06/2022, 7:08 PMIn the wiki, there is some information about which tables use BPF and what the Linux kernel requirements are https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
s
seph
10/07/2022, 2:38 PM
I think it depends what you mean…
I think that out of the box, osquery uses bpf for some linux tables. That will just work.
But I don’t think there’s support for making your own bpf tables, ATC style