Hello, I need assistance related to FIM in Linux. I have below config in osquery.conf file but the file_events table captures only the /etc/, /usr/ but not /opt { "options": { "disable_events":"false", "enable_file_events":"true", }, "file_paths": { "opt": [ "/opt/%%" ] } }

I don't immediately see a problem with the config, but, do you think this could be a lack of filesystem permissions by the osquery agent? Is it running as root?

@Mike Myers yeah, configured oqueryd service to run as root user and still same results, Without the file_paths flag in osquery.conf, by default it is scanning /etc, /usr. It is like default values?

@Karthick - I don't believe osquery has any default FIM values, but I could be wrong. If you your host has exhausted

fs.inotify.max_user_watches

, you may see unusual behavior. To see what your systems maximum number of inotify watches is:

sysctl fs.inotify.max_user_watches

On my system, this is 524,288, but on some systems it is as low as 8192 by default. You can adjust this using

sysctl -w

. To see how many inotify watches your system currently has registered (this may not be 100% accurate):

sudo find /proc/*/fd -lname anon_inode:inotify -printf '%hinfo/%f\n' | sudo xargs grep -hc "^inotify" | awk '{s+=$1} END {print s}'

To find out how many inotify handles at a minimum watching /etc, /opt, and /usr via inotify will require:

sudo find /etc /usr /opt | wc -l

On my system this count is 613,461, which exceeds my maximum inotify watches.

@Karthick if you are using Fleet, it could be pushing an osquery config that does turn on FIM on those paths.

yes we are using fleet