Is osquery able to detect what files/folders in a ...
# generale
etsang
03/15/2021, 10:53 PMIs osquery able to detect what files/folders in a system are accessed including just a READ?
I would like to find out the entire set of files/folders or other assets accessed without knowing the list beforehand. Most other monitor tools you have to know what you want to monitor first. Anyone with example will be appreciated.
m
Mike Myers
03/15/2021, 11:00 PMthe answer might depend on which OS you're running
e
etsang
03/15/2021, 11:03 PMlinux. I am new to osquery. I am doing an research on the tool for profiling application running on linux (what resources an running application is actually accessing/changing in a linux system, we can just assume redhat enterprise or any type of linux for an example).
m
Mike Myers
03/15/2021, 11:17 PMOk, I think Linux has two subsystems that osquery can use for file event monitoring: iNotify (
file_eventsprocess_file_eventsMike Myers
03/15/2021, 11:18 PMYou probably want to scope the monitoring to some part of the filesystem, with wildcards https://osquery.readthedocs.io/en/latest/deployment/file-integrity-monitoring/#matching-wildcard-rules
Mike Myers
03/15/2021, 11:19 PMTrying to capture every file accessed/read is going to introduce a lot of overhead
e
etsang
03/15/2021, 11:27 PMthanks, yes it is to build up an initial list from the unknown, then filter down to the set of desired set of list eventually when it becomes clear what to look for.
17 Views