Before I open up a bug w osquery upstream is there anything

Question

Before I open up a bug w osquery upstream is there anything in Kolide s privacy aware confiuration that might prevent `process events env size` from being populated I have a query to find short lived setuid overflow attempts but the field is always NULL I suspect it s a bug relating to env whitelisting but wanted to save the osquery maintainers some hassle if it was a known Kolide specific issue

Thomas Stromberg · Answer

This might be my answer on Linux <https github com osquery osquery blob 274ea906f96de34d0abd4ed001c178893ffae06a osquery tables events linux process events cpp L219> I wonder how that came to be disappointed On macOS I m not sure what s going on instead of 0 it s always NULL

seph · Answer

I don t think we do anything around that

seph · Answer

I would bet it s used on some platforms but not others And or that it has performance implications There s been a fair bit of iteration around this stuff

seph · Answer

On linux the bpf process events may be a better bet

Thomas Stromberg · Answer

Thanks I didn t think so but wanted to check first Based on that hard coding I think that auditd on Linux doesn t plumb it through not sure on macOS

seph · Answer

On macos `es process events` is where the API is going but Kolide doesn t support the ES tables yet

Thomas Stromberg · Answer

I take it there is no magical incantation to get Kolide to enable `bpf process events`

Thomas Stromberg · Answer

It s at least not in <https k2 kolide com 3361 log pipeline osquery options edit> so I assume we ll have to wait a bit longer on that to be adopted

seph · Answer

I honestly don t remember Ping support adding bpf support shouldn t be a bit deal it s just exposing an option there The macOS ES support requires a somewhat different codesign path

Thomas Stromberg · Answer

thanks I ll follow up w them