# general
Hello! Found interesting query from security perspective https://github.com/Cisco-Talos/osquery_queries/blob/master/linux_forensics/linux_forensics_processes_with_deleted_binary.yaml, but also found some trouble with detecting Docker related process. It looks like this table can detect process details, but can not determine if process started from container so there is no source binary on direct host machine. It gives lots of false positive results. Is it possible to solve this problem some way?
I think I found some kind of bypass using query:

```sql
-- Processes whose binary is gone from disk, excluding anything that belongs to a running container
-- (the original compared id = (SELECT ...), which only matches the first container in SQLite; IN covers all of them)
SELECT * FROM processes
WHERE on_disk = 0
  AND pid NOT IN (
    SELECT pid FROM docker_container_processes
    WHERE id IN (SELECT id FROM docker_containers)
  );
```

Using it I can find processes without disk binary on host machine via exclude of processes inside containers. Bad part of this is the lack of proper detecting processes without binary inside containers. There is no `on_disk` parameter in `docker_container_processes` table. So currently this detection can work properly only on host machine.
Huge workaround, but you could try to use the `file` table + `pid_with_namespace`
@alessandrogario hi! could you please give some example for this?
using `WHERE pid_with_namespace = PID` allows you to join the mount namespace of another process
this would allow you to test whether the file actually exists in the mount namespace of the container
@alessandrogario thank you! Sounds like cool idea, but I don't see now the way to find file related to containered process using `docker_container_processes` table, there is no such column.
the idea is to rebuild the `on_disk` column manually
using the `file` table + `pid_with_namespace`
Do you mean an attempt to find file with same name as for the process name? Is it correct?
Yes, that is correct
@alessandrogario thank you for details! I’ll try it!