#kolide
Thomas Stromberg

11/04/2022, 12:41 PM
Before I open up a bug w/ osquery upstream, is there anything in Kolide's privacy-aware configuration that might prevent process_events.env_size from being populated? I have a query to find short-lived setuid overflow attempts but the field is always NULL. I suspect it's a bug relating to env whitelisting, but wanted to save the osquery maintainers some hassle if it was a known Kolide-specific issue.
1:07 PM
This might be my answer on Linux: https://github.com/osquery/osquery/blob/274ea906f96de34d0abd4ed001c178893ffae06a/osquery/tables/events/linux/process_events.cpp#L219 I wonder how that came to be 😞 On macOS, I'm not sure what's going on -- instead of 0, it's always NULL.
seph

11/04/2022, 2:13 PM
I don’t think we do anything around that
2:15 PM
I would bet it’s used on some platforms, but not others. And/or that it has performance implications. There’s been a fair bit of iteration around this stuff.
2:15 PM
On Linux, the bpf_process_events may be a better bet.
Thomas Stromberg

11/04/2022, 2:15 PM
Thanks, I didn't think so but wanted to check first. Based on that hard-coding, I think that auditd on Linux doesn't plumb it through, not sure on macOS.
seph

11/04/2022, 2:15 PM
On macOS, es_process_events is where the API is going, but Kolide doesn't support the ES tables yet.
Thomas Stromberg

11/04/2022, 2:16 PM
I take it there is no magical incantation to get Kolide to enable bpf_process_events?
2:17 PM
It's at least not in https://k2.kolide.com/3361/log_pipeline/osquery_options/edit - so I assume we'll have to wait a bit longer on that to be adopted.
seph

11/04/2022, 2:18 PM
I honestly don't remember. Ping support: adding bpf support shouldn't be a big deal, it's just exposing an option there. The macOS ES support requires a somewhat different codesign path.
Thomas Stromberg

11/04/2022, 2:18 PM
Thanks, I'll follow up w/ them.