Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use eBPF for the process_file_events publisher instead of auditd #8279

Open
kswagler-rh opened this issue Feb 22, 2024 · 0 comments
Open

Use eBPF for the process_file_events publisher instead of auditd #8279

kswagler-rh opened this issue Feb 22, 2024 · 0 comments
Labels
feature Linux

Comments

@kswagler-rh
Copy link

Feature request

What new feature do you want?

Ability to use eBPF as a file events publisher instead of auditd, specifically for process_file_events.

How is this new feature useful?

Using auditd requires OSQuery to be the only process accessing auditd. This is undesirable since other applications or users way desire to have auditd log normally. Using eBPF should allow feature parity of auditd, but not have the undesired configuration limitations.

How can this be implemented?

It appears there was already some work down for using eBPF in file system, and there is already an ebpf eventd publisher

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature Linux
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Smjert @kswagler-rh