Good afternoon. I have a question around auditd and osquery. At my org they run qualys and on Linux qualys relies on auditd for its FIM capabilities. If I understand correctly osquery requires exclusive use of the audit netlink socket, which is what qualys also uses for FIM. Is there a way for these two things to live happily on Linux? Yes, we can use osquery for FIM and disable it in qualys, but that is not the direction the powers that be chose. Instead, if we use qualys FIM I fear we lose all the event tables.
08/15/2018, 9:36 PM
The audit socket will only allow one process to read from it, so you cannot have both osquery and qualys. Also it's an all or nothing thing, i.e. you cannot enable process_events and disable FIM since they both depend on audit. One thing you can try is audispd https://linux.die.net/man/8/audispd which is a multiplexer. I've never tested it though.
On a second read, audispd seems to be multiplexing events coming from auditd so not what we want 😞
So at this point I don't know of a solution for this. You would need something to multiplex events coming out of the audit socket.
08/15/2018, 10:53 PM
Thanks. I’m fighting to turn off FIM in qualys and use osquery for that since there is more to lose from osquery without it owning auditd and all you lose with qualys is FIM.