# general
b
I presume this flag relays file object management activity via EndpointSecurity instead of FSEvents... right?
s
Hey Brandon, yep that’s a new flag of EndpointSecurity based file events instead of FSEvents
b
sweeeeet!!
any thoughts on going with one over the other?
s
FSEvents won’t get you pid — it lacks process context
b
Hey @sharvil, Does EndpointSecurity FIM track files deleted? Only seeing these EndpointSecurity events in https://github.com/osquery/osquery/blob/master/osquery/events/darwin/endpointsecurity_fim.cpp: ES_EVENT_TYPE_NOTIFY_CREATE, ES_EVENT_TYPE_NOTIFY_RENAME, ES_EVENT_TYPE_NOTIFY_WRITE, ES_EVENT_TYPE_NOTIFY_TRUNCATE
s
Hey @Brandon Mesa, not yet. I am planning on adding support for a few more event types. It’s a bit of a balancing act, because FIM can be quite a firehose
b
Noted, thanks, Sharvil!
s
Any cool use case for unlink/delete file events? Or just general interest?
b
Not "cool" per se, just your good ole file auditing/compliance monitoring😃 In my case, to satisfy the OMB M-21-31 mandate
For what it's worth, these are some of the paths I'm monitoring with FSEvents/FIM
"file_paths": {
  "users_home": [
    "/Users/%%/.ssh/%%"
  ],
  "root_home": [
    "/var/root/%%"
  ],
  "configuration": [
    "/private/etc/%%"
  ],
  "binaries": [
    "/usr/bin/%%",
    "/usr/sbin/%%",
    "/bin/%%",
    "/sbin/%%",
    "/usr/local/bin/%%",
    "/usr/local/sbin/%%",
    "/opt/bin/%%",
    "/opt/sbin/%%"
  ],
  "efi": [
    "/System/Library/CoreServices/boot.efi"
  ],
  "applications": [
    "/Applications/%%",
    "/Users/%%/Applications/%%"
  ]
},
m
Hey @sharvil, great to see you here! I also found your code (or pull request) to make use of the endpoint security file events. (Really great work to make use of the ES. Thank you very much!) Sadly the current implementation lacks the 'open' type, which we would like to use. You mentioned the exact use case in your MDOYVR22 talk: what accessed my cookies (or keychain)? We need to detect cookie stealers or macOS chainbreaker scripts (to export certificates and keys which shouldn't be exportable). Is there a specific reason why you left out ES_EVENT_TYPE_NOTIFY_OPEN (probably so not too many events get generated? Or at least a whitelist would be needed first?)
s
Hey @Marcel Keßler thanks so much! re: ES_EVENT_TYPE_NOTIFY_OPEN, I do have plans to support and add it, but as you can imagine it’s a bit of a balancing act when it comes to performance and requires a bit of tuning, otherwise it would create a frustrating out of the box experience when folks would just do a "select * from …" and the watchdog would kill and denylist the query…
what makes it harder from a development perspective is that we still do and want to support macOS 10.15 Catalina — there are newer APIs for path muting on Monterey which give much better performance, but they are not present in Catalina. Anecdotally, the ES subsystem is working much better on Big Sur and Monterey than on Catalina
macOS Big Sur and Monterey also by default dynamically mutes some of the apple binaries on calling those ES APIs, which is again not the case in Catalina
one option going forward can be to introduce a flag — something like --allow_open_events — so that folks can opt in knowing that they will have to tune it and provide paths to mute, while also preserving the out of the box experience
what macOS versions do you mostly deploy on @Marcel Keßler?
m
We are just starting @sharvil, so everything will be 12.5 and up 😃 I just switched to a big employer in need of macOS. But to introduce the product we need to detect some attacks which can only be detected by file open events.