anyone here ever use cgroups for osquery on linux? @8p8c i think possibly you mentioned this at some point?
08/27/2018, 7:54 PM
I have heard that people use them. I am interested in this topic as well.
08/28/2018, 5:13 PM
@clong curious to know if you're asking because the osquery watchdog isn't enough for you?
08/28/2018, 5:17 PM
So watchdog will kill osquery repeatedly, but we have instances where osquery is writing 60mb/s on hosts and not actually triggering watchdog
also whitelisting via audit rules is really tricky as our base server AMIs change constantly and they have to rebuild the AMI to get new audit rules added
08/29/2018, 5:15 PM
interesting. so you audit everything? we were thinking of doing that but are afraid of the impact on our hosts.
08/29/2018, 5:46 PM
we monitor all processes but exclude via audit rules a couple of them that we know create high churn of events. this does not really scale because the audit config is static and baked into the machine image. we do not really control the workload on those machines and it can usually be the case a new user starts a processes that causes osquery to put a high write load on the disk maxing it’s IOPS
09/25/2018, 6:04 PM
sorry i wasn't able to respond to this earlier, but thanks for the info. we're similarly trying to sort out our audit rules, whether we should have one universal set, or have custom ones according to host type. we very much prefer the former as the latter will just be harder to manage.