# osquery office hours 2022-08-16
YouTube Link: https://youtu.be/mRKQQ-rNsVo
## Announcements and Highlights since the last meeting
## Any Questions / Issues / PRs people want to discuss?
The intent of this section is to provide a clear time for community members to bring up _anything_.
Broad questions? Bugs? Deployment questions? Blocked PRs?
## osquery 5.5.0 release
* Release needs its change log
* Anyone have testing feedback?
Sounds like no one's tested it yet. Fleet will push to `edge` this week. Likely Kolide as well.
## osquery 5.6.0 milestone
* Maybe we ought to push it from Sep 1 (too soon, US holiday, etc.) to around Sep 15
Discussion about release frequency. Sentiment is that we should keep aspiring to monthly, maybe shifting the date from the 1st to the 15th.
## Marcos Oviedo: Windows evented tables with ETW
Marcos is chatting with Fleet about some possible evented data sources on Windows. He brought a slide deck.
His premise is that osquery is good for _current_ context, but not great for past execution context. (This is what evented tables are for)
Thus, enter Event Tracing for Windows (ETW).
* This tracing framework is available natively on Windows.
* Available across a lot of Windows versions, since around Windows 7.
* Most "providers" can be used by any process
- Some providers require "ELAM" signing privileges. **But** this is probably commercial vendor only
- There's lots of value without ELAM anyhow
* If there are a lot of events, there might be a performance impact.
* Events are captured in a binary format. How consistent is this across Windows versions? How hard will this be to normalize?
* We might have some already, e.g. `powershell_events`. Some of these have the same underlying ETW source, but flow through the event logs.
Some discussion about whether ETW can be used without _changing_ system state. Generally osquery avoids changing system state. So is the ETW state change akin to the libaudit changes or the ES changes we make?
* https://github.com/eclecticiq/osq-ext-bin (closed source)
* https://github.com/osquery/osquery/compare/master...muffins:win-etw-publisher -- old branch Nick started
## Discussion of cgroup column on Linux
Discussion about the potential performance impact.
Might be 8%? This may or may not be large enough to matter.
One workaround is to flag the column as hidden, and then only populate it if it's in the `SELECT` statement. (This is done on the macOS process table.)
Also discussion about other ways we can optimize the Linux process table. Potentially some spurious string operations.
Discussion about maybe creating a function to extract the container type from the name. Some future work there.
## Look at old PRs
_(If there's time, we've been trying to re-visit old PRs)_
[Reverse Sorted List of PRs](https://github.com/osquery/osquery/pulls?q=is%3Apr+is%3Aopen+sort%3Acreated-asc)