running into an issue w/ 

process_file_events

 queries and was wondering if anyone else has had the same issue or knows how to fix this — i’m using a small, custom ruleset defined in /etc/audit/audit.d/rules.d:

-D

-b 5000000

--backlog_wait_time 0

-a always,exit -S openat

in osquery.flags i’m also setting

--audit_allow_config=false

to ensure that when osquery runs, it doesn’t overwrite these auditd changes

--audit_allow_config=false
--audit_allow_sockets=true
--audit_persist=true
--audit_fim_show_accesses=true
--audit_allow_fim_events=true
--disable_audit=false
--events_expiry=1
--events_max=5000000
--logger_min_status=1
--logger_plugin=filesystem
--watchdog_memory_limit=350
--watchdog_utilization_limit=130
--audit_allow_user_events=true
--verbose=true

in osquery.conf, i’m running a PFE query every 10 seconds on the Downloads directory:

"process_file_events": {
      "query": "SELECT * from process_file_events;",
      "interval": 10,
      "description": "auditd implementation of FIM",
      "removed": false
    },

[...]
 "file_paths": {
    "watch_repos": [
      "/home/rh0gue/Downloads/%"
    ]
  },
  "file_accesses": ["watch_repos"]

it seems this combination of using custom auditd rules and osquery works well to detect when a process executes the

openat

syscall on an pre-existing file in my Downloads directory that was already on disk when the osquery daemon was started, but not when a new file is downloaded to the same directory and a process executes

openat

on this new file. has anyone come across this issue or have any recommended solutions so that we can use osquery to monitor syscalls on newly created files as well?

You’re monitoring

/home/rh0gue/Downloads/%

which is expanded at service start to all the files in the Downloads directory. Try

/home/rh0gue/Downloads

I think missing the trailing slash is important) See discussion in https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/

i do want to monitor all the files in the Downloads directory though. when i set

/home/rh0gue/Downloads

i don’t see any PFE events generated for

/home/rh0gue/Downloads/test.txt

. But when i set

/home/rh0gue/Downloads/%

, i do see PFE events generated for

test.txt

which is what i want. i’m wondering though, if it’s also possible to download a new file to the

Downloads

directory after osqueryd starts and generate PFE events for that file as well without having to restart osqueryd again.

Thanks for the great explanation of what you are trying and observing. We should look into this. Do you mind creating an issue on GitHub?