Anyone using osquery for File Intergrity Monitoring? How is the actual detection/alerting done in practice? I've read the osquery documentation, but that hasn't really answered my question. I feel like I am missing part of the puzzle here
03/28/2022, 3:59 PM
It is event based - the underlying tech varies a lot depending on the operating system. For example in linux it uses inotify. So it watches for changes, it does not compare file hashes with a known list of good hashes like older FIM tools would sometimes do (so it is much faster)
so you would have to query the _events table(s) for your OS(es), and if they are empty that means nothing changed, as per your configuration (you can specify specific directories to watch - would not recommend doing it on
03/29/2022, 8:13 AM
Thank you @Guillaume so that confirms my understanding: osquery can look for changed files, but IF I use it for FIM, I'll need an additgional component that regularly queries those tables and notifies me upon changes
03/29/2022, 11:41 AM
Right you want to query the events tables regularly to know what happens. You might want to check out Fleet to do this (#fleet) - full disclosure - I work there, but it's open-source!