Channels
#general
Title
j
João Godinho
01/06/2020, 4:12 PMHey 👋 quick question regarding
file_eventst
theopolis
01/07/2020, 1:55 PM
To exclude files you configure the exclude_paths object in the config JSON. I will look at the code but it might be different depending on the OS and file events APIs, what OS are you interested in?
The documentation suggests you can use wildcards, https://osquery.readthedocs.io/en/latest/deployment/file-integrity-monitoring/
Did you find otherwise?
j
João Godinho
01/07/2020, 1:59 PMI’m testing this in debian, I’ve tried adding the
exclude_paths/path/to/file.%.but it doesn’t seem to be filtering it out. I’ll do some more specific tests and I’ll report back
is there any table in osquery where I can see this configuration?
t
theopolis
01/07/2020, 2:08 PM
Looking at the code (briefly) the values in exclude paths are used as exact matches not as match patterns. If you have time to test and confirm this, it would be great to create an issue on GitHub
j
João Godinho
01/07/2020, 2:09 PMcan you send me a link for where it’s tested?
it seems that exact match does work, but
%%% Copy code
exclude_paths:
homes:
- /home/joao.godinho/file.txt
- /home/joao.godinho/test%%
- /home/joao.godinho/test%this should be identical to the one in the
file_pathsfollow up question on this as a work around for now; if I query
file_eventst
theopolis
01/08/2020, 4:57 PM
Yes, but what problem are you trying to solve?
j
João Godinho
01/08/2020, 5:26 PMthe wildcard in the
exclude_pathst
theopolis
01/09/2020, 12:31 PM
Ah yes, a constraint in the WHERE will definitely address the problem. The exclude_paths configuration was provided to provide more performance if you wanted to exclude noisy sub paths such as a noisy sub directory
j
João Godinho
01/09/2020, 12:33 PMnice 🙏 should I open an issue regarding the wilcards?
6 Views