#general

etsang

03/15/2021, 10:53 PM
Is osquery able to detect what files/folders in a system are accessed, including just a READ? I would like to find out the entire set of files/folders or other assets accessed without knowing the list beforehand. With most other monitoring tools you have to know what you want to monitor first. Anyone with an example will be appreciated.
Mike Myers

03/15/2021, 11:00 PM
the answer might depend on which OS you're running
etsang

03/15/2021, 11:03 PM
Linux. I am new to osquery. I am doing research on the tool for profiling applications running on Linux (what resources a running application is actually accessing/changing in a Linux system; we can just assume Red Hat Enterprise or any type of Linux for an example).
Mike Myers

03/15/2021, 11:17 PM
Ok, I think Linux has two subsystems that osquery can use for file event monitoring: inotify (file_events, https://osquery.io/schema/4.6.0/#file_events) and Audit (in process_file_events, https://osquery.io/schema/4.6.0/#process_file_events)
11:18 PM
You probably want to scope the monitoring to some part of the filesystem, with wildcards https://osquery.readthedocs.io/en/latest/deployment/file-integrity-monitoring/#matching-wildcard-rules
11:19 PM
Trying to capture every file accessed/read is going to introduce a lot of overhead
etsang

03/15/2021, 11:27 PM
thanks, yes, it is to build up an initial list from the unknown, then filter down to the desired set eventually when it becomes clear what to look for.