  • Mithya

    2 years ago
    Hello. I am trying to set up osquery process eventing inside a container. Is it possible? (I can set up snapshot queries fine inside the container.) To give further info, I am able to set up process eventing inside a CentOS 7 VM after disabling auditd. In the VM, I could see osquery taking over the auditd rules (auditctl -l shows me rules added by osquery, but in the container this doesn't work). The same set of flags doesn't work when I test it out inside a container. These are the flags I am launching osqueryd with:

        --audit_allow_config=true
        --audit_allow_sockets
        --audit_persist=true
        --disable_audit=false

    The error that I am getting is:

        osquery_1   | I0429 19:00:06.721541    16 auditdnetlink.cpp:623] Failed to set the netlink owner
  • sundsta

    2 years ago
    Not really. The events are provided by the auditing framework in the Linux kernel, which is shared between all containers.
    If you let the container run as privileged and the uid of osqueryd inside the container is 0, it should work, but then you're monitoring the whole VM, not just the container (which I think is your goal).
  • Mithya

    2 years ago
    Thanks for the response! I am not super knowledgeable with containers, but it seems that I should be able to get process eventing for the container from the host itself.
  • sundsta

    2 years ago
    Yes, you can.