allows only a single consumer of the generated events
• Receiving audit events in osquery means disabling auditd
• Disable auditd -> No audit events written to file
• Some tools expect to be able to retrieve audit events from file!
Highlander Quote - Linux Audit: Moving Beyond Kernel Namespaces to Audit Container IDs - Richard Guy Briggs (Linux Security Summit 2018)

for instrumenting nearly anything on Linux
• System calls
• Kernel tracepoints
• User-space function calls
• These can be dynamically configured at osquery runtime

all syscalls of interest(!)
• Measure latency and resource consumption of OS processes
• Network stack
• Filesystem
• Other I/O
• Count and measure functions within user-space

the tools of today
• bpftrace
• BCC
• Which of these use cases map well to osquery’s SQL model?
• How can osquery be useful for shipping the aggregated information from hosts?