Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
p
Prasoon Dwivedi
09/23/2020, 11:18 AMHi, is there a way to disable
file_eventsprocess_file_eventst
theopolis
09/23/2020, 12:48 PMI’m curious if you measured the performance impact of both audit and inotify working together. Did you find it unacceptable?
a
alessandrogario
09/23/2020, 1:05 PMI have ended up opening a PR for this: https://github.com/osquery/osquery/pull/6663
I think this problem is similar to the Windows publishers that were all getting implicitly enabled as soon as events were ON.
p
Prasoon Dwivedi
09/23/2020, 1:35 PM@theopolis I don't have data available to capture the impact. We want to prevent too many file handles being opened even when we are use audit based FIM. There is a chance that ulimit is hit if too many are being monitored even while using audit based FIM.
@alessandrogario thanks for the PR
a
alessandrogario
09/23/2020, 1:59 PMIt's a draft/idea; it can be implemented in a different way. I'm asking for feedback here: https://osquery.slack.com/archives/C08VA3XQU/p1600866826003300