Given a process path and container id, is there a way to get the package information of that process which is running in a container using osquery ? If there is no possibility using osquery, is there any other way ?

I think you need the process pid, which you can get from the path (processes table) or container id (docker_containers table).

@packetzero I need package information corresponding to the process running in a container. I have the container ID and process path inside container.

Ah... Unfortunately, the way they did it, each table needs to implement support for it. However, as long as the worker process has the namespace set, you should be able to run any table. If you are running osqueryi, it's possible and I have a PR for it. But not for osquery as daemon.

I am using osqueryi. What does your PR contain ? Which feature ?

The fact that each table needs to implement support for it is because it's not possible otherwise to get the existing logging to work if the table runs inside a new process (because google log cannot write properly in the parent log) Moreover tables (and libraries) need to be checked for global state/threads they might use which could be in an incorrect state when forking.

https://github.com/osquery/osquery/compare/master...amalone-scwx:setns_shell_command This adds a .setns shell command . It only works inside osqueryi and setns requires single threaded process, so need to start it with extensions and events disabled.

Thank you! will check it out