# kolide
Before I open up a bug w/ osquery upstream, is there anything in Kolide's privacy-aware configuration that might prevent
from being populated? I have a query to find short-lived setuid overflow attempts but the field is always NULL. I suspect it's a bug relating to env whitelisting, but wanted to save the osquery maintainers some hassle if it was a known Kolide-specific issue.
This might be my answer on Linux: I wonder how that came to be 😞 On macOS, I'm not sure what's going on -- instead of 0, it's always NULL.
I don’t think we do anything around that
I would bet it’s used on some platforms, but not others. And/or that it has performance implications. There’s been a fair bit of iteration around this stuff.
On linux, the bpf_process_events may be a better bet.
Thanks, I didn't think so but wanted to check first. Based on that hard-coding, I think that auditd on Linux doesn't plumb it through, not sure on macOS.
On macOS,
is where the API is going, but Kolide doesn’t support the ES tables yet.
I take it there is no magical incantation to get Kolide to enable
It's at least not in - so I assume we'll have to wait a bit longer on that to be adopted.
I honestly don’t remember. Ping support — adding bpf support shouldn’t be a big deal, it’s just exposing an option there. The macOS ES support requires a somewhat different codesign path
thanks, I'll follow up w/ them.