running into an issue w/ `process_file_events` que...
# general
r
running into an issue w/ `process_file_events` queries and was wondering if anyone else has had the same issue or knows how to fix this — i’m using a small, custom ruleset defined in /etc/audit/audit.d/rules.d:

```
-D
-b 5000000
--backlog_wait_time 0
-a always,exit -S openat
```
in osquery.flags i’m also setting `--audit_allow_config=false` to ensure that when osquery runs, it doesn’t overwrite these auditd changes:

```
--audit_allow_config=false
--audit_allow_sockets=true
--audit_persist=true
--audit_fim_show_accesses=true
--audit_allow_fim_events=true
--disable_audit=false
--events_expiry=1
--events_max=5000000
--logger_min_status=1
--logger_plugin=filesystem
--watchdog_memory_limit=350
--watchdog_utilization_limit=130
--audit_allow_user_events=true
--verbose=true
```
in osquery.conf, i’m running a PFE query every 10 seconds on the Downloads directory:

```
"process_file_events": {
  "query": "SELECT * from process_file_events;",
  "interval": 10,
  "description": "auditd implementation of FIM",
  "removed": false
},

[...]

"file_paths": {
  "watch_repos": [
    "/home/rh0gue/Downloads/%"
  ]
},
"file_accesses": ["watch_repos"]
```
it seems this combination of using custom auditd rules and osquery works well to detect when a process executes the `openat` syscall on a pre-existing file in my Downloads directory that was already on disk when the osquery daemon was started, but not when a new file is downloaded to the same directory and a process executes `openat` on this new file. has anyone come across this issue or have any recommended solutions so that we can use osquery to monitor syscalls on newly created files as well?
s
You’re monitoring `/home/rh0gue/Downloads/%`, which is expanded at service start to all the files in the Downloads directory. Try `/home/rh0gue/Downloads` (I think missing the trailing slash is important). See discussion in https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/
r
i do want to monitor all the files in the Downloads directory though. when i set `/home/rh0gue/Downloads` i don’t see any PFE events generated for `/home/rh0gue/Downloads/test.txt`. But when i set `/home/rh0gue/Downloads/%`, i do see PFE events generated for `test.txt`, which is what i want. i’m wondering though, if it’s also possible to download a new file to the `Downloads` directory after osqueryd starts and generate PFE events for that file as well without having to restart osqueryd again.
t
Thanks for the great explanation of what you are trying and observing. We should look into this. Do you mind creating an issue on GitHub?