Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
b
Brandon Mesa
07/27/2022, 5:40 PMI presume this flag relays file object management activity via EndpointSecurity instead of FSEvents... right?
s
sharvil
07/27/2022, 5:53 PMHey Brandon, yep that’s a new flag of EndpointSecurity based file events instead of FSEvents
b
Brandon Mesa
07/27/2022, 6:00 PMsweeeeet!!
any thoughts on going with one over the other?
s
sharvil
07/27/2022, 6:25 PMFSEvents won’t get you pid — it lacks process context
b
Brandon Mesa
08/02/2022, 3:42 PMHey @sharvil, Does EndpointSecurity FIM track files deleted? only seeing these EndpointSecurity events in https://github.com/osquery/osquery/blob/master/osquery/events/darwin/endpointsecurity_fim.cpp:
ES_EVENT_TYPE_NOTIFY_CREATE
ES_EVENT_TYPE_NOTIFY_RENAME
ES_EVENT_TYPE_NOTIFY_WRITE
ES_EVENT_TYPE_NOTIFY_TRUNCATE
s
sharvil
08/02/2022, 3:44 PMHey @Brandon Mesa, not yet..I am planning on adding support for few more event types. It’s a bit of a balancing act, because FIM can be quite a firehose
b
Brandon Mesa
08/02/2022, 3:45 PMNoted, thanks, Sharvil!
s
sharvil
08/02/2022, 3:48 PMAny cool use case for unlink/delete file events? Or just general interest?
b
Brandon Mesa
08/02/2022, 3:51 PMNot "cool" per say, just your good ole file auditing/compliance monitoring😃 In my case, to satisfy the OMB M-21-31 mandate
For what it's worth, these are some of the paths I'm monitoring with FSEvents/FIM
"file_paths": {
"users_home": [
"/Users/%%/.ssh/%%"
],
"root_home": [
"/var/root/%%"
],
"configuration": [
"/private/etc/%%"
],
"binaries": [
"/usr/bin/%%",
"/usr/sbin/%%",
"/bin/%%",
"/sbin/%%",
"/usr/local/bin/%%",
"/usr/local/sbin/%%",
"/opt/bin/%%",
"/opt/sbin/%%"
],
"efi": [
"/System/Library/CoreServices/boot.efi"
],
"applications": [
"/Applications/%%",
"/Users/%%/Applications/%%"
]
},m
Marcel Keßler
08/05/2022, 12:55 PMHey @sharvil,
great to see you here! I also found your code (or pull request) to make use of the endpoint security file events. (Really a great work to make use of the ES. Thank you very much!)
Sadly the current implantation lacks the 'open' type, which we would like to use.
You mentioned the exact use case in your MDOYVR22 talk: What did access my cookies (or keychain)?
We need to detect cookie stealers or macOS chainbreaker scripts (to export certificates and keys which shouldn't be exportable).
Is there a specific reason why you left out the
ES_EVENT_TYPE_NOTIFY_OPENs
sharvil
08/05/2022, 1:15 PMHey @Marcel Keßler thanks so much!
re: with
ES_EVENT_TYPE_NOTIFY_OPENselect * from …what makes it harder from a development perspective is that we still do and want to support macOS 10.15 Catalina — there are newer APIs on path muting on Monterey which is giving much better performance, but they are not present in Catalina..and anecdotally, ES subsystem is working much better on Big Sur and Monterey than on Catalina
macOS Big Sur and Monterey also by default dynamically mutes some of the apple binaries on calling those ES APIs, which is again not the case in Catalina
one option going forward can be to introduce a flag — something like
--allow_open_eventswhat macOS versions do you mostly deploy on @Marcel Keßler?
m
Marcel Keßler
08/05/2022, 6:57 PMWe are just starting @sharvil , so everting will be 12.5 up 😃 i just switched to a big employer in need for macOS. But to introduce the product we need to detect some attacks which can only be detected by file open events.