João Godinho

01/06/2020, 4:12 PM
Hey 👋 quick question regarding file_events, I can exclude paths, but not a specific file and/or multiple files, correct?
theopolis

01/07/2020, 1:55 PM
To exclude files you configure the exclude_paths object in the config JSON. I will look at the code but it might be different depending on the OS and file events APIs, what OS are you interested in?
The documentation suggests you can use wildcards, https://osquery.readthedocs.io/en/latest/deployment/file-integrity-monitoring/ Did you find otherwise?
João Godinho

01/07/2020, 1:59 PM
I’m testing this in Debian, I’ve tried adding the exclude_paths with /path/to/file.% (where after the . it’s just a random number) but it doesn’t seem to be filtering it out. I’ll do some more specific tests and I’ll report back
is there any table in osquery where I can see this configuration?
theopolis

01/07/2020, 2:08 PM
Looking at the code (briefly) the values in exclude paths are used as exact matches not as match patterns. If you have time to test and confirm this, it would be great to create an issue on GitHub
João Godinho

01/07/2020, 2:09 PM
can you send me a link for where it’s tested?
it seems that exact match does work, but % and %% don’t, this was the config:
exclude_paths:
      homes:
        - /home/joao.godinho/file.txt
        - /home/joao.godinho/test%%
        - /home/joao.godinho/test%
this should be identical to the one in the file_paths validation, right?
follow-up question on this as a workaround for now; if I query file_events with a WHERE clause to exclude some files, will the excluded file events be considered “consumed” and removed from the table when the expiry triggers?
theopolis

01/08/2020, 4:57 PM
Yes, but what problem are you trying to solve?
João Godinho

01/08/2020, 5:26 PM
the wildcard in the exclude_paths not working
theopolis

01/09/2020, 12:31 PM
Ah yes, a constraint in the WHERE will definitely address the problem. The exclude_paths configuration was provided to provide more performance if you wanted to exclude noisy sub paths such as a noisy sub directory
João Godinho

01/09/2020, 12:33 PM
nice 🙏 should I open an issue regarding the wildcards?