Title
#general
b

Brandon Mesa

07/27/2022, 5:40 PM
I presume this flag relays file object management activity via EndpointSecurity instead of FSEvents... right?
s

sharvil

07/27/2022, 5:53 PM
Hey Brandon, yep that’s a new flag of EndpointSecurity based file events instead of FSEvents
b

Brandon Mesa

07/27/2022, 6:00 PM
sweeeeet!!
6:00 PM
any thoughts on going with one over the other?
s

sharvil

07/27/2022, 6:25 PM
FSEvents won’t get you pid — it lacks process context
b

Brandon Mesa

08/02/2022, 3:42 PM
Hey @sharvil, Does EndpointSecurity FIM track files deleted? only seeing these EndpointSecurity events in https://github.com/osquery/osquery/blob/master/osquery/events/darwin/endpointsecurity_fim.cpp: ES_EVENT_TYPE_NOTIFY_CREATE ES_EVENT_TYPE_NOTIFY_RENAME ES_EVENT_TYPE_NOTIFY_WRITE ES_EVENT_TYPE_NOTIFY_TRUNCATE
s

sharvil

08/02/2022, 3:44 PM
Hey @Brandon Mesa, not yet..I am planning on adding support for few more event types. It’s a bit of a balancing act, because FIM can be quite a firehose
b

Brandon Mesa

08/02/2022, 3:45 PM
Noted, thanks, Sharvil!
s

sharvil

08/02/2022, 3:48 PM
Any cool use case for unlink/delete file events? Or just general interest?
b

Brandon Mesa

08/02/2022, 3:51 PM
Not "cool" per say, just your good ole file auditing/compliance monitoring😃 In my case, to satisfy the OMB M-21-31 mandate
3:52 PM
For what it's worth, these are some of the paths I'm monitoring with FSEvents/FIM
"file_paths": {
    "users_home": [
      "/Users/%%/.ssh/%%"
    ],
    "root_home": [
      "/var/root/%%"
    ],
    "configuration": [
      "/private/etc/%%"
    ],
    "binaries": [
      "/usr/bin/%%",
      "/usr/sbin/%%",
      "/bin/%%",
      "/sbin/%%",
      "/usr/local/bin/%%",
      "/usr/local/sbin/%%",
      "/opt/bin/%%",
      "/opt/sbin/%%"
    ],
    "efi": [
      "/System/Library/CoreServices/boot.efi"
    ],
    "applications": [
      "/Applications/%%",
      "/Users/%%/Applications/%%"
    ]
  },
m

Marcel Keßler

08/05/2022, 12:55 PM
Hey @sharvil, great to see you here! I also found your code (or pull request) to make use of the endpoint security file events. (Really a great work to make use of the ES. Thank you very much!) Sadly the current implantation lacks the 'open' type, which we would like to use. You mentioned the exact use case in your MDOYVR22 talk: What did access my cookies (or keychain)? We need to detect cookie stealers or macOS chainbreaker scripts (to export certificates and keys which shouldn't be exportable). Is there a specific reason why you left out the
ES_EVENT_TYPE_NOTIFY_OPEN
(probably so not too many events get generated? Or at least a whitelist would be needed first?)
s

sharvil

08/05/2022, 1:15 PM
Hey @Marcel Keßler thanks so much! re: with
ES_EVENT_TYPE_NOTIFY_OPEN
, I do have plans to support and add it, but as you can imagine it’s a bit of a balancing act when it comes to performance and requires a bit of tuning, otherwise it would create a frustrating out of the box experience when folks would just do a
select * from …
and watchdog killing and denylisting the query…
1:16 PM
what makes it harder from a development perspective is that we still do and want to support macOS 10.15 Catalina — there are newer APIs on path muting on Monterey which is giving much better performance, but they are not present in Catalina..and anecdotally, ES subsystem is working much better on Big Sur and Monterey than on Catalina
1:19 PM
macOS Big Sur and Monterey also by default dynamically mutes some of the apple binaries on calling those ES APIs, which is again not the case in Catalina
1:20 PM
one option going forward can be to introduce a flag — something like
--allow_open_events
so that folks can opt-in knowing that they will have to tune it and provide paths to mute, while also preserving the out of the box experience
1:21 PM
what macOS versions do you mostly deploy on @Marcel Keßler?
m

Marcel Keßler

08/05/2022, 6:57 PM
We are just starting @sharvil , so everting will be 12.5 up 😃 i just switched to a big employer in need for macOS. But to introduce the product we need to detect some attacks which can only be detected by file open events.