https://github.com/osquery/osquery logo
Join Slack
Powered by
Hello, i’m just learning about osquery and had a q...
# general
j
Hello, i’m just learning about osquery and had a question: is there a way to get processes which share runtime using osquery?
f
probably need to provide more information. which OS? which runtime are you referring to? electron? libc? win32? dll?
j
Linux, possibly Windows too for libc
f
first guess would be some kind of select from processes join process_open_files on pid where open files path matches some pattern for your runtime. but depending on which os and technology you are working with it may not show up as open in that way. some experimentation will be needed
j
Okay.. that’s helpful - it might be possible then? I can ask out osquery team. Thank you : )
f
if you could provide more info on your use case or an example output i may be able to help more. joining against process_envs table where key="LD_PRELOAD" as an example could show process that have the same shared library injected
j
Sure! So we are looking at an application, and trying to map the internal entities for it. So there are two parts to it: (i) possibly linking what entities are specific to an application (maybe depending on processes running on it) and (ii) entities which are in the same runtime environment. I am very very new to osquery, so am not sure how to approach this
So for example, if there is a package-management-system (application), with internal entities like mail-relay-service, tracking-system, update-user, package-database. We want to see if we can map the ips connecting from/to package-management-system and see if they are internal entities or not. Also would be helpful to check if mail-relay-service and tracking-system use the same runtime environment or not
@FG
f
sorry but i still don't understand what you are going for, where did IPs come from in this example?
j
Sorry i meant devices
Open in Slack
PreviousNext
Powered by