Looking for reasons to use osquery for FIM/auditing when auditd is installed and running on all the servers I maintain. Any thoughts?
clong
05/29/2018, 6:53 PM
osquery in FIM/audit mode is effectively a 1:1 replacement for auditd. You can’t run both at the same time because they both rely upon the Linux audit system.
clong
05/29/2018, 6:54 PM
I’ve found the output log format from osquery to be much more human-readable than what auditd spits out, and writing SQL is much easier than writing audit rules, but YMMV.