yeah i saw that the new app execs osqueryi that s not a grea

Question

yeah i saw that the new app execs osqueryi that s not a great pattern imo

defensivedepth · Answer

Can you give me some context around why this is not a good idea

marpaia · Answer

a lot happen when you `exec` a process if you re doing it often in a loop or as apart of consistent operations of a tool it s incredibly inefficient

marpaia · Answer

the HIDS i wrote at etsy used to exec like all hell

marpaia · Answer

and it was obnoxiously resource intensive because of it

marpaia · Answer

this was the motivation for the no shelling out rule in osquery

marpaia · Answer

as well as the local socket and the `Query` method so that all of this could happen without `exec`

groob · Answer

you also have to spend extra resources validating command output and stderr for all the ways it can fail

defensivedepth · Answer

thanks that helps

defensivedepth · Answer

So for a standalone tool if I wanted to run a bunch of queries and then generate a pdf report from the results using the thrift API + osqueryd would be preferable to using osqueryi

groob · Answer

you can use thrift with osqueryi too it s the same API

marpaia · Answer

but yeah start an osquery d i and then run as many queries as you want via the thrift api