Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
m
Mithya
04/29/2020, 7:00 PMHello. I am trying to setup Osquery process eventing inside a container. Is it possible? (I can setup snapshot queries fine inside the container).
To give the further info, I am able to setup process eventing inside a Centos7 VM after disabling auditd. In the VM, I could see osquery taking over auditd rules (
auditctl -l--audit_allow_config=true
--audit_allow_sockets
--audit_persist=true
--disable_audit=falseosquery_1 | I0429 19:00:06.721541 16 auditdnetlink.cpp:623] Failed to set the netlink owners
sundsta
04/29/2020, 7:29 PMNot really. The events are provided by the auditing framework in the linux kernel, which is shared between all containers
If you let the container run as privileged and the uid of osqueryd inside the container is 0, it should work but then you’re monitoring the whole VM, not just the container (which I think is your goal)
m
Mithya
04/29/2020, 7:32 PMThanks for the response! I am not super knowledgeble with containers but seems that I should be able to get eventing process for container from host itself.
s
sundsta
04/29/2020, 7:41 PMYes, you can
👍 2
Be careful with your analytics of the data though, different containers have different PID namespaces so processes in different containers can have the same PID even if they have nothing to do with each other