Channels
# apple-silicon
# arm-architecture
# auditing-warroom
# aws
# code-review
# community-feeds
# core
# darkbytes
# doorman
# ebpf
# eclecticiq-polylogyx-extension
# extensions
# file-carving
# fim
# fleet
# foundation
# fuzzing
# general
# golang
# goquery
# infrastructure
# kolide
# linux
# macos
# officehours
# osctrl
# plugins
# process-auditing
# querycon
# queryhub
# sql
# tls
# uptycs
# website
# windows
# zeek
# zercurity
marpaia
4 years agoyeah, i saw that the new app execs osqueryi. that’s not a great pattern imo.
defensivedepth
4 years agoCan you give me some context around why this is not a good idea?marpaia
4 years agoa lot happen when you
a process… if you’re doing it often, in a loop, or as apart of consistent operations of a tool, it’s incredibly inefficientexec- the HIDS i wrote at etsy used to exec like all hell
- and it was obnoxiously resource intensive because of it
- this was the motivation for the “no shelling out” rule in osquery
- as well as the local socket and the
method so that all of this could happen withoutQueryexec - g
groob
4 years agoyou also have to spend extra resources validating command output and stderr for all the ways it can fail defensivedepth
4 years agothanks, that helps.- So for a standalone tool, if I wanted to run a bunch of queries and then generate a pdf report from the results -- using the thrift API + osqueryd would be preferable to using osqueryi?
- g
groob
4 years agoyou can use thrift with osqueryi too. it’s the same API marpaia
4 years agobut yeah, start an osquery{d/i} and then run as many queries as you want via the thrift api
Join thread in Slack
View count: 3