Hello I am trying to setup Osquery process eventing inside a osquery #general

Hello. I am trying to setup Osquery process eventi...

Mithya

04/29/2020, 7:00 PM

Hello. I am trying to setup Osquery process eventing inside a container. Is it possible? (I can setup snapshot queries fine inside the container). To give the further info, I am able to setup process eventing inside a Centos7 VM after disabling auditd. In the VM, I could see osquery taking over auditd rules (

auditctl -l

shows me rules added by osquery but in the container, this doesn't work.) The same set of flags don't work when I test it out inside a container. These are the flags I am launching osqueryd with

Copy code

--audit_allow_config=true
--audit_allow_sockets
--audit_persist=true
--disable_audit=false

The error that I am getting is

osquery_1   | I0429 19:00:06.721541    16 auditdnetlink.cpp:623] Failed to set the netlink owner

sundsta

04/29/2020, 7:29 PM

Not really. The events are provided by the auditing framework in the linux kernel, which is shared between all containers

sundsta

04/29/2020, 7:30 PM

If you let the container run as privileged and the uid of osqueryd inside the container is 0, it should work but then you’re monitoring the whole VM, not just the container (which I think is your goal)

Mithya

04/29/2020, 7:32 PM

Thanks for the response! I am not super knowledgeble with containers but seems that I should be able to get eventing process for container from host itself.

sundsta

04/29/2020, 7:41 PM

Yes, you can

👍 2

sundsta

04/29/2020, 7:42 PM

Be careful with your analytics of the data though, different containers have different PID namespaces so processes in different containers can have the same PID even if they have nothing to do with each other

4 Views

Open in Slack

Previous Next