Hello! Found interesting query from security perspective https://github.com/Cisco-Talos/osquery_queries/blob/master/linux_forensics/linux_forensics_processes_with_deleted_binary.yaml, but also found some trouble with detecting Docker related process. It looks like this table can detect process details, but can not determine if process started from container so there is no source binary on direct host machine. It gives lots of false positive results. Is it possible to solve this problem some way?

Huge workaround, but you could try to use the

file

table +

pid_with_namespace

@alessandrogario hi! could you please give some example for this?

using WHERE pid_with_namespace = PID allows you to join the mount namespace of another process

@alessandrogario thank you! Sounds like cool idea, but I don’t see now the way to find file related to containered process using

docker_container_processes

table, there is no such column.

the idea is to rebuild the on_disk column manually

Do you mean an attempt to find file with with same name as for the process name? Is ut correct?

Yes, that is correct

@alessandrogario thank you for details! I’ll try it!