Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
m
Mike Myers
02/25/2019, 9:10 PMhi @mtremsal — I don't know the answers off-hand, but @alessandrogario has been working on this problem using eBPF
m
mtremsal
02/25/2019, 9:20 PMThanks! I'll read a bit through the #ebpf channel. I had no idea osquery even had eBPF support for FIM.
m
Mike Myers
02/25/2019, 9:50 PMthe support Alessandro is working on in an extension for our extensions repo is not the same as the support in upstream
Work in progress is here, but I hope he eventually has a chance to answer your questions https://github.com/trailofbits/osquery-extensions/commit/7457d8f205f5e0dc3860b06c9982af384694e7b2
❤️ 1
a
alessandrogario
02/25/2019, 11:36 PMHey @mtremsal! We are using kprobes to map processes inside containers. Basic fd tracking for socket_events is being implemented, and will be useful for implementing FIM too
m
mtremsal
02/26/2019, 3:41 PMHi Alessandro. I work at Datadog. Since we already have an agent that handles live process and container monitoring, I'm looking more specifically at FIM at moment. I'll keep an eye on your PRs; really interesting stuff. 👍
😌 1
a
alessandrogario
02/26/2019, 3:42 PMThanks! We'll make sure to post updates about it here on Slack! 🙂