Hey wave quick question regarding `file events` I can exclud osquery #general

Hey :wave: quick question regarding `file_events`,...

João Godinho

01/06/2020, 4:12 PM

Hey 👋 quick question regarding

file_events

, I can exclude paths, but not a specific file and/or multiple files, correct?

theopolis

01/07/2020, 1:55 PM

To exclude files you configure the exclude_paths object in the config JSON. I will look at the code but it might be different depending on the OS and file events APIs, what OS are you interested in?

theopolis

01/07/2020, 1:57 PM

The documentation suggests you can use wildcards, https://osquery.readthedocs.io/en/latest/deployment/file-integrity-monitoring/ Did you find otherwise?

João Godinho

01/07/2020, 1:59 PM

I’m testing this in debian, I’ve tried adding the

exclude_paths

with

/path/to/file.%

where after

it’s just a random number

João Godinho

01/07/2020, 2:00 PM

but it doesn’t seem to be filtering it out. I’ll do some more specific tests and I’ll report back

João Godinho

01/07/2020, 2:01 PM

is there any table in osquery where I can see this configuration?

theopolis

01/07/2020, 2:08 PM

Looking at the code (briefly) the values in exclude paths are used as exact matches not as match patterns. If you have time to test and confirm this, it would be great to create an issue on GitHub

João Godinho

01/07/2020, 2:09 PM

can you send me a link for where it’s tested?

João Godinho

01/07/2020, 2:26 PM

it seems that exact match does work, but

and

%%

don’t, this was the config:

Copy code

exclude_paths:
      homes:
        - /home/joao.godinho/file.txt
        - /home/joao.godinho/test%%
        - /home/joao.godinho/test%

João Godinho

01/07/2020, 2:37 PM

https://github.com/osquery/osquery/blob/e6fe15eb49660725e65dba1549932ed96e0a8c6e/plugins/config/parsers/file_paths.cpp#L148-L151

João Godinho

01/07/2020, 2:37 PM

this should be identical to the one in the

file_paths

validation, right?

João Godinho

01/08/2020, 12:44 PM

follow up question on this as a work around for now; if I query

file_events

with a WHERE clause to exclude some files, will the excluded file events be considered “consumed” and removed from the table when the expiry triggers?

theopolis

01/08/2020, 4:57 PM

Yes, but what problem are you trying to solve?

João Godinho

01/08/2020, 5:26 PM

the wildcard in the

exclude_paths

not working

theopolis

01/09/2020, 12:31 PM

Ah yes, a constraint in the WHERE will definitely address the problem. The exclude_paths configuration was provided to provide more performance if you wanted to exclude noisy sub paths such as a noisy sub directory

João Godinho

01/09/2020, 12:33 PM

nice 🙏 should I open an issue regarding the wilcards?

8 Views

Open in Slack

Previous Next