Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
t
theopolis
10/04/2020, 8:33 PM@Prateek Kumar Nischal here is a fix https://github.com/osquery/osquery/pull/6694
👍 1
p
Prateek Kumar Nischal
10/04/2020, 8:36 PMPS: I came across this while trying to see if the “category” label can be attached in the process_file_events table.
Right now, I am not able to get process_file_events to emit any event.. I can see the fim debug logs with the files being recorded but it’s not coming up in the osquery logs
t
theopolis
10/04/2020, 8:49 PMThis is a newish change, but of course would be present in 4.5.0
p
Prateek Kumar Nischal
10/04/2020, 9:02 PMhas this been added in the 4.5.0 😬 ? I don’t see it in the table descriptions.
I have kind of implemented it.. but somehow I am not able to get process_file_events to emit any event.. even with 4.4.0 as control.. maybe I have messed something up with my config.
Just in case: https://paste.ubuntu.com/p/JdbwTPzvCy/
--disable_audit=false
--allow_unsafe
--audit_allow_config
--audit_allow_fim_events=true
--events_max=10000
--audit_backlog_limit=10000
--audit_backlog_wait_time=60000
--audit_persistin the audit_fim_debug mode I see
Type: Close ProcessID: 26465 ImagePath: /bin/bash Data: Close /etc/a.conf StateChange: True
Type: Write ProcessID: 26465 ImagePath: /bin/bash Data: Write /etc/a.conf StateChange: True
Type: Open ProcessID: 26465 ImagePath: /bin/bash Data: Open /etc/a.conf StateChange: True