Feature request
What new feature do you want?
Ability to use eBPF as a file events publisher instead of auditd, specifically for process_file_events.
How is this new feature useful?
Using auditd requires OSQuery to be the only process accessing auditd. This is undesirable since other applications or users may desire to have auditd log normally. Using eBPF should allow feature parity with auditd, but not have the undesired configuration limitations.
How can this be implemented?
It appears there was already some work done for using eBPF in the file system, and there is already an eBPF events publisher.