
reed

04/04/2020, 7:58 PM
One issue that I haven't seen a good answer for is how to track the actual user who is performing the action that causes the FIM event. In auditd terms, this is the auid. Does such a thing exist for inotify? What about the new eBPF support?

sundsta

04/05/2020, 12:17 AM
You probably want `process_file_events` instead of `file_events`, which has the uid/gid the process is running under.
It is a Linux-only table for now, however.

reed

05/05/2020, 6:48 AM
I need the auid, which didn't exist.