Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
z
Zach Zeid
04/13/2020, 3:00 PMAnyone use osquery in k8s at all?
s
seph
04/13/2020, 3:09 PMI have. Others have.
z
Zach Zeid
04/13/2020, 3:25 PMtryna understand a gap analysis between falco and osquery
s
sundsta
04/13/2020, 3:34 PMFalco is syscalls only. That misses a lot of what osquery offers
z
Zach Zeid
04/13/2020, 4:47 PMAre people using kube-query for osquery in k8s?
j
Jams
04/13/2020, 5:03 PMKube-query?
z
Zach Zeid
04/13/2020, 5:04 PMs
seph
04/13/2020, 5:05 PMa lot is going to depend on what you’re doing, and what levels of beta and code you can commit to.
Using osquery to pull info about the k8s deployment, is different than using it to pull information about a running container is different tha pulling into about another container.
kube-query looks like an extension to pull metadata about the cluster. That’s kinda neat.
I’m pretty sure there are some docker tables in osquery, and there’s some ongoing work to improve visibility into other containers
I feel like I’ve seen another k8s extension, but I don’t keep those links
z
Zach Zeid
04/13/2020, 5:17 PMIm asking because we have a team looking at Falco and I'm trying to understand what key differences there are between osquery and falco
s
seph
04/13/2020, 5:20 PMFalco being syscalls is a big thing.
z
Zach Zeid
04/13/2020, 5:20 PMas a positive?
s
seph
04/13/2020, 5:21 PMJust big difference.
Depends what you're trying to monitor.
z
Zach Zeid
04/13/2020, 5:29 PMdoes osquery not rely on syscalls? I thought it always used eBPF
s
seph
04/13/2020, 5:33 PMosquery presents a sql interface to various OS and application APIs. Those conversations have been written by various people. See https://osquery.io/schema/4.2.0/ for the list of information.
There is some work to create more generalized BPF tooling.
z
Zach Zeid
04/13/2020, 5:39 PMI think I understand. My assumption was that osquery did (or at least could be configured) to use eBPF. That doesn't appear to be the case.
s
seph
04/13/2020, 5:46 PMIt’s pretty beta. I can’t really speak to it
z
Zach Zeid
04/13/2020, 5:47 PMGot it. Thank you for taking the time to answer my questions. This was incredibly helpful.
b
burdz
04/13/2020, 10:18 PMWe do not run any k8s specific tables (although have looked at kube-query along with extending/writing our own impl) however we do run osquery all of our clusters as a Daemonsets (with some mounts/perms that gives it more visibility into the node is it monitoring).
s
seph
04/13/2020, 10:34 PMYou may be interested in the upcoming container tables
m
Mike
04/14/2020, 2:45 AM@burdz interesting to know that we can install osquery via Daemonset, can you please share the yaml file for it
s
SK
04/14/2020, 7:15 AM@burdz Also interested to know about your Daemonset implementation, we already have some basic k8s visibility.
b
burdz
04/14/2020, 7:14 PMcertainly! let me clean up the yaml (littered with our helm tpls) and I can share it. I can also talk about some of the ideas we were thinking about for extentions to gain more visibility into our clusters. early days in our journey currently but definitely looking forward expanding our usage of it to monitoring our kube environments
s
seph
04/14/2020, 7:17 PMhttps://github.com/osquery/osquery/pull/6209 and associated are the things y’all may be interested in
😛artyparrot: 1
b
burdz
05/02/2020, 3:54 AMapologizes my family had a close call with the global pandemic and I am just getting back to work now. I will share our configuration soon.