Osquery ram cpu usage

In part one of this series, we covered the basics of the Linux Audit Framework. In this post, we will be focusing on the osquery auditing implementation details. In addition to configuring auditing, we will provide readers with strategies for reducing the performance impact and logging volume that accompany most auditing configurations.

Enabling auditing with osquery

Command-line flags are the primary method for changing core behaviors in osquery. The audit-related flags for a basic configuration are listed below:

  • --audit_allow_config=true Tells osquery that it is allowed to change audit config options (the kernel audit rules and backlog settings).
  • --audit_allow_sockets=true Tells osquery to record network connections (bind() and connect() syscalls).
  • --audit_allow_process_events=true Tells osquery to record process executions (execve() syscall).
  • --audit_persist=true Tells osquery to regain access to the audit netlink socket if it loses the connection, for example because another process such as auditd has taken it over. You may want to disable this if you're using custom audit rules, since osquery and that other consumer will otherwise fight over the socket.
  • --disable_audit=false Tells osquery to enable audit.
  • --events_expiry=1 Tells osquery to expire buffered events (the value is in seconds) after a single select, so the event buffer does not keep rows that have already been logged.
  • --events_max=500000 Tells osquery to buffer up to 500,000 events between SELECTs defined by the query interval; events beyond that are dropped, so size it to your busiest hosts and shortest interval.
  • --logger_plugin=filesystem Tells osquery to log to the filesystem.
  • --watchdog_memory_limit=350 Tells osquery to raise the watchdog's memory limit for the worker process to 350 MB (the default is 200 MB). With audit enabled the event buffers grow, and a worker that exceeds the limit is killed and restarted by the watchdog, losing buffered events.

These command-line flags are commonly saved to /etc/osquery/osquery.flags. Aside from the command-line flags, you'll want to ensure you are querying the process_events and socket_events tables within your osquery.conf configuration file; the flags only make the kernel emit events, and a scheduled query is what turns them into log lines. Palantir has open-sourced our osquery configuration here:

Logging considerations

Choose specific columns to log from each table

Although it may be tempting to simply use a wildcard in your queries (e.g.
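The flags list and the column-selection advice above, as an added example that is not part of the original post and not Palantir's published configuration: a small lint script that checks an osquery.flags file for the audit flags listed here and an osquery.conf schedule for process_events and socket_events queries, flagging any SELECT * query and any table left unscheduled. The osquery.flags and osquery.conf contents embedded in it are constructed samples; the flag names, table names and paths are osquery's own, while the 350 MB watchdog threshold, the 200 MB default it assumes, and the query names are assumptions of this example.

```python
"""Lint an osquery audit deployment: the flags file and the scheduled queries.

Added example for this post (not Palantir's configuration). SAMPLE_FLAGS and
SAMPLE_CONF are constructed; the flag and table names are real osquery ones,
the thresholds and query names are assumptions.
"""
import json
import re

# Flags the post recommends for a basic audit configuration (osquery.flags).
REQUIRED_AUDIT_FLAGS = {
    "disable_audit": "false",
    "audit_allow_config": "true",
    "audit_allow_process_events": "true",
    "audit_allow_sockets": "true",
}
# Tables whose scheduled queries turn the audit flags into log lines.
REQUIRED_EVENT_TABLES = ("process_events", "socket_events")

# Constructed sample of /etc/osquery/osquery.flags (one --flag=value per line).
SAMPLE_FLAGS = """\
--logger_plugin=filesystem
--disable_audit=false
--audit_allow_config=true
--audit_persist=true
--audit_allow_process_events=true
--audit_allow_sockets=true
--events_expiry=1
--events_max=500000
--watchdog_memory_limit=350
"""

# Constructed sample osquery.conf: one wasteful wildcard query and one that
# selects only the columns worth shipping to the log pipeline.
SAMPLE_CONF = json.dumps({
    "schedule": {
        "process_events_wildcard": {
            "query": "SELECT * FROM process_events;",
            "interval": 10,
        },
        "socket_events_trimmed": {
            "query": ("SELECT action, pid, path, fd, family, protocol, "
                      "local_address, local_port, remote_address, remote_port, "
                      "time FROM socket_events WHERE remote_port != 0;"),
            "interval": 10,
        },
    }
})


def parse_flags(text):
    """Return {flag: value} from osquery.flags; a bare --flag means 'true'."""
    flags = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.lstrip("-").partition("=")
        flags[name] = value if value else "true"
    return flags


def check_flags(flags):
    """Return a list of findings for missing or mis-set audit flags."""
    findings = []
    for name, wanted in REQUIRED_AUDIT_FLAGS.items():
        got = flags.get(name)
        if got is None:
            findings.append(f"missing --{name}={wanted}")
        elif got.lower() != wanted:
            findings.append(f"--{name}={got}, expected {wanted}")
    # Assumption: 200 MB is the watchdog default and 350 MB the floor this
    # post recommends once audit buffering is on; a non-numeric value is
    # treated as 0 so it is reported rather than crashing the lint.
    try:
        limit = int(flags.get("watchdog_memory_limit", "200"))
    except ValueError:
        limit = 0
    if limit < 350:
        findings.append("watchdog_memory_limit below 350 MB; audit worker may be killed")
    return findings


WILDCARD = re.compile(r"\bselect\s+\*\s+from\s+(\w+)", re.IGNORECASE)
FROM_TABLE = re.compile(r"\bfrom\s+(\w+)", re.IGNORECASE)


def check_schedule(conf_text):
    """Return findings: SELECT * queries, and event tables nobody schedules."""
    conf = json.loads(conf_text)
    findings = []
    scheduled = set()
    for name, item in conf.get("schedule", {}).items():
        query = item["query"]
        scheduled.update(t.lower() for t in FROM_TABLE.findall(query))
        m = WILDCARD.search(query)
        if m:
            findings.append(f"{name}: SELECT * FROM {m.group(1)}; list the columns you need")
    for table in REQUIRED_EVENT_TABLES:
        if table not in scheduled:
            findings.append(f"no scheduled query reads {table}")
    return findings


if __name__ == "__main__":
    for f in check_flags(parse_flags(SAMPLE_FLAGS)) + check_schedule(SAMPLE_CONF):
        print("finding:", f)
```

Run against the samples, the flags file passes and the schedule produces a single finding for the wildcard process_events query; point parse_flags and check_schedule at the real /etc/osquery/osquery.flags and osquery.conf on a host to lint a deployment.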