Title
#process-auditing
clong

clong

06/21/2018, 3:29 AM
the TL;DR is that i can only semi-reproduce the issue on a VM. It seems to only affect osquery installs that have gone through a long upgrade chain. The good news is that downgrading seems to be a workaround that doesnt involve nuking the DB: https://github.com/facebook/osquery/issues/4615
j

jaredl

06/21/2018, 4:48 PM
@clong - I commented on it but, do you have the output from the
auditctl -l
and
auditctl -s
commands?
clong

clong

06/21/2018, 4:49 PM
yeah, so everything in auditctl looks kosher. It’s enabled, pid points to the right process, the 3 rules are loaded, etc
4:49 PM
i dont have the output on hand, but nothing looked off from that standpoint