Ryan is Director of Engineering at Uptycs, where he enjoys bouncing around between kernel code, data pipelines, and even compilers to provide comprehensive security for container workloads, from build-time through large-scale production deployment. Prior to Uptycs, Ryan built teams solving exabyte-scale data challenges and scaling globally-distributed compute clusters at Facebook.
The following is adapted from Ryan Mack’s talk “Containers and osquery,” presented at osquery@scale ‘21. Ryan’s full presentation is available at the end of this piece.
We need as much visibility as possible into everything going on in our containers to effectively detect security problems in container-based environments. We also need to apply the unique properties of containers to create high-fidelity detection rules.
Osquery can meet both of these needs.
Osquery is a powerful tool that allows you to investigate and monitor a myriad of endpoint activity, status, and configuration information through a unified SQL interface. Inside osquery, there's typically a 1:1 correspondence between a source of information and the SQL table you can use to browse or search this information. Some sources of information include parts of the
/proc file system, API calls to container daemons, reading logs or status files on disk, and event streams coming from the Linux audit frame.