Title
#process-auditing
clong

clong

08/27/2018, 5:58 PM
anyone here ever use cgroups for osquery on linux? @8p8c i think possibly you mentioned this at some point?
stefanmaerz

stefanmaerz

08/27/2018, 7:54 PM
I have heard that people use them. I am interested in this topic as well.
pirxthepilot

pirxthepilot

08/28/2018, 5:13 PM
+1
5:15 PM
@clong curious to know if you're asking because the osquery watchdog isn't enough for you?
clong

clong

08/28/2018, 5:17 PM
So watchdog will kill osquery repeatedly, but we have instances where osquery is writing 60mb/s on hosts and not actually triggering watchdog
5:18 PM
also whitelisting via audit rules is really tricky as our base server AMIs change constantly and they have to rebuild the AMI to get new audit rules added
pirxthepilot

pirxthepilot

08/29/2018, 5:15 PM
interesting. so you audit everything? we were thinking of doing that but are afraid of the impact on our hosts.
v

vladu

08/29/2018, 5:46 PM
we monitor all processes but exclude via audit rules a couple of them that we know create high churn of events. this does not really scale because the audit config is static and baked into the machine image. we do not really control the workload on those machines and it can usually be the case a new user starts a processes that causes osquery to put a high write load on the disk maxing it’s IOPS
pirxthepilot

pirxthepilot

09/25/2018, 6:04 PM
sorry i wasn't able to respond to this earlier, but thanks for the info. we're similarly trying to sort out our audit rules, whether we should have one universal set, or have custom ones according to host type. we very much prefer the former as the latter will just be harder to manage.