hi <@UGFR04PLZ> — I don't know the answers off-han...
# fimm
Mike Myers
02/25/2019, 9:10 PMhi @mtremsal — I don't know the answers off-hand, but @alessandrogario has been working on this problem using eBPF
m
mtremsal
02/25/2019, 9:20 PMThanks! I'll read a bit through the #ebpf channel. I had no idea osquery even had eBPF support for FIM.
m
Mike Myers
02/25/2019, 9:50 PMthe support Alessandro is working on in an extension for our extensions repo is not the same as the support in upstream
Mike Myers
02/25/2019, 9:51 PMWork in progress is here, but I hope he eventually has a chance to answer your questions https://github.com/trailofbits/osquery-extensions/commit/7457d8f205f5e0dc3860b06c9982af384694e7b2
❤️ 1
a
alessandrogario
02/25/2019, 11:36 PM
Hey @mtremsal! We are using kprobes to map processes inside containers. Basic fd tracking for socket_events is being implemented, and will be useful for implementing FIM too
m
mtremsal
02/26/2019, 3:41 PMHi Alessandro. I work at Datadog. Since we already have an agent that handles live process and container monitoring, I'm looking more specifically at FIM at moment. I'll keep an eye on your PRs; really interesting stuff. 👍
😌 1
a
alessandrogario
02/26/2019, 3:42 PM
Thanks! We'll make sure to post updates about it here on Slack! 🙂
2 Views