I tried select from file events to test out file creation us osquery #general

I tried select * from file_events; to test out fil...

etsang

03/23/2021, 4:36 PM

I tried select * from file_events; to test out file creation (use touch comand) an dit works; but how can when I jsut READ the very same file again using more or ls; it is not showing the file was accessed as READ. how can I do that?

nyanshak

03/23/2021, 4:39 PM

See 'File Accesses' on this page: https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/ Have you configured

file_accesses

with the folders in your osquery config? This is additional config on top of the

file_paths

config that must be set up, because file accesses can be very noisy and have a lot of overhead. It's an explicit opt-in.

etsang

03/23/2021, 5:02 PM

yes I did { “options”: { “disable_events”: “false” }, “schedule”: { “file_events”: { “query”: “SELECT * FROM file_events;“, “interval”: 300 } }, “file_paths”: { “core-services”: [ “/Users/etsang/dev/src/cd.123.com/core-services/%%” ] }, “file_accesses”: [“core-services”] }

etsang

03/23/2021, 5:03 PM

and used touch 1.txt (works) and ls 1.txt (no entry)

etsang

03/23/2021, 5:03 PM

latest ossquery release on macosx

zwass

03/23/2021, 5:16 PM

I don't think

ls

would open the file though

nyanshak

03/23/2021, 5:16 PM

ah yeah that's true. Not sure about

more

though; seems like that should open the file?

zwass

03/23/2021, 5:17 PM

more

would definitely open the file

etsang

03/23/2021, 5:21 PM

i tried both but no entry

etsang

03/23/2021, 5:27 PM

I am using osqueryi to check for result nteractively if that matters

etsang

03/23/2021, 5:40 PM

Also how can I use pid ask a key to query for file_evernts? I want to know which files a known pid has accessed and changed

8 Views

Open in Slack

Previous Next