James McPhee

01/31/2018, 6:38 PM
I haven't looked too much into osquery's audit stuff to see if we can do anything advanced on the system. Currently we're using it as basically a relay: get the audit messages sent to centralized logging soonest. But that's because we're snapping it in to replace auditd and then go-audit. If there's more we can do with it, I'm sure it'll come up once we finish the migration.


01/31/2018, 10:59 PM
I’m a bit late to this part of the discussion, but osquery and go-audit both interface with the Linux kernel audit socket the same way. However, the Linux kernel only supports sending audit events to a single PID, so you can’t run them both w/ kernel auditing enabled at the same time; they’ll fight over that socket. Just something to be aware of.
11:02 PM
The next release of osquery should have the audit revamp work done in https://github.com/facebook/osquery/pull/3492 (and a few other PRs as well), which overhauls a lot of the logic osquery currently does with audit events and should allow you to basically do anything.