Hi all wave I ve got a few FIM related questions any pointer

Question

Hi all wave I ve got a few FIM related questions any pointer would be appreciated pray For those of you who use the `inotify` based `file events` table how do you handle containers Specifically how do you dynamically configure osquery to apply FIM queries to new containerd containers how do you get container metadata such as k8s pod and deployment info added to each `file event` result

8p8c · Answer

the short answer is you don t currently it s not simple to get fim activity especially from via inotify event feed there is not a lot of context around inotify fim events

mtremsal · Answer

Thanks for confirming thumbsup