# osquery office hours 2022-09-27
YouTube Link: https://youtu.be/6t66ttoT_tQ
## Announcements and Highlights since the last meeting
* 5.5.1 is fully out
## Any Questions / Issues / PRs people want to discuss?
The intent of this section is to provide a clear time for community members to bring up _anything_.
Broad questions? Bugs? Deployment questions? Blocked PRs?
## Deprecating `is_active` column in `running_apps` table on macOS
I think we should deprecate the `is_active` column in the `running_apps` table.
This column will only return accurate data when queried interactively in `osqueryi`. This means that whenever this table is queried via distributed or scheduled queries, it will return false and inaccurate data.
This is a quirk of the NSWorkspace API on macOS, which needs to be run from the main thread only. I tried looking at the slightly higher cocoa API to replace this, but couldn't find any.
I am also unaware of very many users of this column, and I think it should be okay to deprecate it.
## New Linux event table improvement using BPF PoC Leveraging BTF
(Alessandro) https://github.com/osquery/osquery/pull/7773 Looking for testers with Linux kernel version ~5.3 (no CentOS 6)
Both performance improvement and container-aware.
This requires BTF, which is pretty common on kernels 5.3 and newer. One call out here is that this makes the kernel requirement newer than the libc requirement. This doesn't seem like a problem, but is a callout. Additionally, there may not be an upgrade path for someone using BPF on an older kernel. (osquery would be fine, but bpf publishers won't work.)
If you would like to help test this, logged-in GitHub users can grab the binaries from the CI build. You can also reach out to Alessandro for a download.
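For anyone volunteering to test, here is a small pre-flight script (an added example, not osquery's own code) that checks the two requirements called out above: a kernel of roughly 5.3 or newer, and BTF type information for the running kernel. It assumes BTF is exposed at the standard sysfs location `/sys/kernel/btf/vmlinux`, with `CONFIG_DEBUG_INFO_BTF=y` in `/boot/config-$(uname -r)` as a fallback; neither path is mentioned in the notes.

```shell
#!/bin/sh
# Pre-flight check for the BTF-based BPF event tables (added example,
# not osquery's own code). Reports whether this host meets the two
# requirements from the office-hours notes: kernel ~5.3+ and kernel BTF.
#
# Assumptions (not from the notes): BTF is read from the standard sysfs
# file /sys/kernel/btf/vmlinux, with CONFIG_DEBUG_INFO_BTF=y in
# /boot/config-$(uname -r) checked as a fallback.

# kernel_at_least MIN VERSION
# Returns 0 when VERSION (e.g. "5.15.0-1019-aws") is >= MIN (e.g. "5.3").
# Only the numeric major.minor.patch prefix is compared; distro suffixes
# such as "-generic" or "-348.el8.x86_64" are ignored.
kernel_at_least() {
    min="$1"
    ver="$2"
    # Keep only the leading digits-and-dots, then pad with dots so that
    # missing components read as empty fields (treated as 0 below).
    ver_num="$(printf '%s' "$ver" | sed 's/[^0-9.].*$//').."
    min_num="$(printf '%s' "$min" | sed 's/[^0-9.].*$//').."
    i=1
    while [ "$i" -le 3 ]; do
        v=$(printf '%s' "$ver_num" | cut -d. -f"$i")
        m=$(printf '%s' "$min_num" | cut -d. -f"$i")
        v=${v:-0}
        m=${m:-0}
        if [ "$v" -gt "$m" ]; then return 0; fi
        if [ "$v" -lt "$m" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# btf_available [SYSFS_PATH] [CONFIG_PATH]
# Returns 0 when kernel BTF can be found: the sysfs file is readable, or
# the kernel config enables CONFIG_DEBUG_INFO_BTF.
btf_available() {
    sysfs="${1:-/sys/kernel/btf/vmlinux}"
    config="${2:-/boot/config-$(uname -r)}"
    if [ -r "$sysfs" ]; then return 0; fi
    if [ -r "$config" ] && grep -q '^CONFIG_DEBUG_INFO_BTF=y' "$config"; then
        return 0
    fi
    return 1
}

# Print a human-readable verdict for the current host.
report_host() {
    running=$(uname -r)
    if kernel_at_least 5.3 "$running"; then
        echo "kernel $running: OK (>= 5.3)"
    else
        echo "kernel $running: too old for the BTF-based tables (need ~5.3+)"
    fi
    if btf_available; then
        echo "BTF: found"
    else
        echo "BTF: not found; the bpf publishers will not work on this host"
    fi
}

report_host
```

The version comparison deliberately ignores everything after the numeric prefix, so vendor kernels like `4.18.0-348.el8.x86_64` (CentOS/RHEL 8) are correctly reported as too old even though their packaging strings are long.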
### Demo and History
1. Long ago, we used `auditd`, but that was imperfect, and we wanted other tools.
2. BPF started existing, and we investigated. It showed promise.
3. But, some of the guidelines we have were at odds. We don't like making system changes, we don't want to require kernel headers
4. Started with syscall tracing. And nosing around
5. Filenames turned out to be very hard. There are a lot of potential callers, that support doing this in many ways.
6. So many things to trace.
7. We did some work here -- `ebpfpub`. But it was pretty hard to use.
8. Until... Facebook created BTF
9. New library! [`btfparse`](https://github.com/trailofbits/btfparse)
10. It generates a system specific header file at startup time
11. Works like a jit, leverages llvm to take c code, to bpf bytecode. (It links to libclang, and can do this at runtime)
12. Support lots of the private types, which means we don't need to re-implement them. Woo!
## 5.6.0
We should probably cut a release. Though need to review a [windows build request](https://github.com/osquery/osquery-codesign/pull/37/) first.
## Look at old PRs
_(If there's time, we've been trying to re-visit old PRs)_
[Reverse Sorted List of PRs](https://github.com/osquery/osquery/pulls?q=is%3Apr+is%3Aopen+sort%3Acreated-asc)