No, but we can add that fairly easily

don't have a solution but are the freezes due to disk i/o as osquery writes file_events to log?

@Stephan it is needed to do FIM, without that you disable the table 🤔

so, just to be clear, you cannot run auditd and osquery (with auditing enabled) at the same time and have audit events go to both of them

We keep hitting a wall with FIM. If we monitor directories we end up having to create too many system specific excludes as there is usually a noisy file in the directories that is application specific. If we monitor specific files directly with inotify, when vi or something else changes it, you now no longer have a file monitor on it. Would it be feasible to add some type of setting to the inotify method to set a new watch on a file after x amount of time, so it can catch repeated changes to a file?

Hi all 👋 I've got a few FIM-related questions; any pointer would be appreciated. 🙏 For those of you who use the

inotify

-based

file_events

table, how do you handle containers? Specifically: - how do you dynamically configure osquery to apply FIM queries to new containerd containers? - how do you get container metadata, such as k8s pod and deployment info, added to each

file_event

result?

hi @mtremsal — I don't know the answers off-hand, but @alessandrogario has been working on this problem using eBPF

can we use fim pack for windows ...is there any fim pack for windows too?

Hello, trying to get fim working on MacOS, but it doesn't seem to be returning any events (note: process_events is working fine). I can see the occasional info message in the logs

Subscriber expiration is too low: file_events

but can't find what this means. Any ideas? Relevant config below:

"file_events": {
			"query": "SELECT * FROM file_events;",
			"interval": 60,
			"removed": false,
			"description": "File events events."
		}
	},
	"file_paths": {
		"test": [
			"~/Library/Preferences/%%"
		]
	}

hello all. we have the following for file_events in our config and I was wondering the the default is for interval.I feel 10 sec is too frequent and generating a lot of logs as it's querying every 10 seconds. whats a reasonable number to use?

"file_events": {
          "query": "SELECT * FROM file_events;",
          "interval": 10,
          "description": "File events collected from file integrity monitoring",
          "removed":false

One issue that I haven't seen a good answer for is how to track the actual user who is performing the action that causes the FIM event. In auditd terms, this is the auid. Does such a thing exist for inotify? What about the new eBPF support?

Can anyone help with getting File Integrity Monitoring working with OSQuery please? It seems to work like 5% of the time with the majority of the time it doesn't report anything at all even though files are added/remove/modified in the target directories. It's a standalone config on a Fedora 29 instance with latest version of OSQuery . The same issues happen with Centos as well. All relevant config and logs below osquery.conf - https://pastebin.com/hUawQQwR splunk-pack-all.conf - https://pastebin.com/3XwVCSBq splunk-pack-nix.conf - https://pastebin.com/vLKcwiDE osqueryd.INFO.20210201-133214.12128 - https://pastebin.com/93LGgm3E osqueryd.results.log - https://pastebin.com/h8fddDaQ

Hello folks. I have been trying to find the cause of a weird bug but failed to do so... My osqueryd suddenly stopped logging FIM DELETE events. If I create a file, modify it, and then delete it, I will have all file change events except "DELETE". Does anyone have ideas on the cause of this? Thanks in advance!

Hi everyone 👋, I'm trying to use the FIM for monitoring log files under /var/log. Of course, due to the fact that these files are log files, they are updated and growing regularly. I would like to monitor only modifications of the log files, if the file size has not increased or it has shrunk (e.g. someone deleted some content). Is there a way with osquery to accomplish this? I did some tests and I saw the action "MOVED_TO" in the file_events table, if I'm going to delete some content of a file, but I don't know if this is enough. Maybe an approach would be, to compare the values of the size column, if this is possible 🤔

Hi, any idea?

Hi, I am running osquery 5.2.2 on Debian10 and I don't see records in the file_events table. When running in verbose mode, I see messages like "Failed to set the netlink owner", which according to readthedocs can be due to auditd, but I don't have this running. Same config works on CentOS7. Any idea what am I missing?

Hello, I'm trying to understand how the FIM works on windows. How works the journal cache on windows? Are the files cached only at the start? Let's say I'm watching

C:\Users\vagrant\Documents\%

, and no file exists at the moment osquery starts. If I create a file named

test.txt

and a few minutes later I delete that file, Will I get an event? What if I also watch the folder and the folder exists previously? What if I also watch the folder and the folder does not exists previously?

Hi,I am performing malware detection using yara this is my config file{ "options": { "config_plugin": "filesystem", "logger_plugin": "filesystem", "logger_path": "/var/log/osquery", "logger_snapshot_event_type": "true", "schedule_splay_percent": "10" }, "yara": { "signatures": { // Each key is an arbitrary group name to give the signatures listed "sig_group_1": [ "/home/slyb/yara_rules/hello_worlds.yar" ] // "sig_group_2": [ "/Users/wxs/sigs/baz.yar" ] }, "file_paths": { "system_binaries": [ "sig_group_1" ] } }, // Paths to watch for filesystem events "file_paths": { "system_binaries": [ "/home/slyb/%" ] }, "packs": { "osquery-monitoring": "/home/slyb/osquery/packs/osquery-monitoring.conf", "fim": "/home/slyb/osquery/packs/fim.conf" } }and this is my flag file --config_plugin=filesystem --config_path=/etc/osquery/osquery.conf --enable_yara_sigurl=true --logger_plugin=filesystem --logger_path=/var/log/osquery --disable_logging=false --log_result_events=true --schedule_splay_percent=10 --pidfile=/var/osquery/osquery.pidfile --events_expiry=3600 --database_path=/var/osquery/osquery.db --verbose=false --worker_threads=2 --disable_events=false --disable_audit=false --audit_allow_config=true --host_identifier=hostname --enable_syslog=true --audit_allow_sockets=true --schedule_default_interval=3600 --enable_file_events=truethis is my yara rule file rule ExampleRule { strings: $my_text_string = "hello world" $my_hex_string = { E2 34 A1 C8 23 FB } condition: $my_text_string or $my_hex_string } the problem is im getting no entry in yara_events table after testing for a file that has the same signature as mentioned in yara rule

what's in the fim.conf pack?

Hi i enabled FIM through fleet ui and it seems not working. config: options: disable_audit: false logger_plugin: tls disable_events: false pack_delimiter: / logger_tls_period: 10 distributed_plugin: tls enable_file_events: true disable_distributed: false logger_tls_endpoint: /api/v1/osquery/log distributed_interval: 10 distributed_tls_max_attempts: 3 decorators: load: - SELECT uuid AS host_uuid FROM system_info; - SELECT hostname AS hostname FROM system_info; overrides: platforms: all: file_paths: etc: - /etc/osquery/% exclude_paths: tmp: - /tmp/too_many_events/ homes: - /home/not_to_monitor/.ssh/%% i cannot fetch any record in file_events table after creating or deleting any files under /etc/osquery/.

Hi, I'm using FIM for windows. Is there a way I can query for file-modification events which also gives the name of the process which modified it ? Thanks