Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
e
etsang
03/15/2021, 10:53 PMIs osquery able to detect what files/folders in a system are accessed including just a READ?
I would like to find out the entire set of files/folders or other assets accessed without knowing the list beforehand. Most other monitor tools you have to know what you want to monitor first. Anyone with example will be appreciated.
m
Mike Myers
03/15/2021, 11:00 PMthe answer might depend on which OS you're running
e
etsang
03/15/2021, 11:03 PMlinux. I am new to osquery. I am doing an research on the tool for profiling application running on linux (what resources an running application is actually accessing/changing in a linux system, we can just assume redhat enterprise or any type of linux for an example).
m
Mike Myers
03/15/2021, 11:17 PMOk, I think Linux has two subsystems that osquery can use for file event monitoring: iNotify (
file_eventsprocess_file_eventsYou probably want to scope the monitoring to some part of the filesystem, with wildcards https://osquery.readthedocs.io/en/latest/deployment/file-integrity-monitoring/#matching-wildcard-rules
Trying to capture every file accessed/read is going to introduce a lot of overhead
e
etsang
03/15/2021, 11:27 PMthanks, yes it is to build up an initial list from the unknown, then filter down to the set of desired set of list eventually when it becomes clear what to look for.