I haven't looked too much into osquery's audit stuff to see if we can do anything advanced on the system. Currently we're using it as basically a relay: get the audit messages sent to centralized logging soonest. But that's because we're snapping it in to replace auditd and then go-audit. If there's more we can do with it, I'm sure it'll come up once we finish the migration.
01/31/2018, 10:59 PM
I'm a bit late to this part of the discussion, but osquery and go-audit both interface with the Linux kernel audit socket the same way. However, the Linux kernel only supports sending audit events to a single PID, so you can't run them both w/ kernel auditing enabled at the same time; they'll fight over that socket. Just something to be aware of.
The next release of osquery should have the audit revamp work done in https://github.com/facebook/osquery/pull/3492 (and a few other PRs as well). It overhauls a lot of the logic osquery currently does with audit events and should allow you to basically do anything.