is Osquery able to read a file content and send th...
# generalm
Mustafa
04/27/2018, 11:38 AMis Osquery able to read a file content and send them as logs?
t
theopolis
04/27/2018, 12:38 PM
Nope, we sort of resist doing this. If there’s a single file you believe everyone in the world should read and report on we can morph that content into a virtual table.
z
zwass
04/27/2018, 4:07 PM
Doesn't the file carver do this?
m
Mustafa
04/28/2018, 12:48 PMi would be glad if you give some information about file carver. is it related to carves table?
o
obelisk
04/30/2018, 4:01 PMThe file carver can do this but it is slightly more complicated to set up. @theopolis is right that we resist doing this so easily in virtual tables.
Carver is disabled by default and requires configuration to setup (so that you still get safety by default). I have a blog post here: http://www.metalliccode.com/carving/ that covers the basics of configuring carver.
👍 1
obelisk
04/30/2018, 4:03 PMAlso if you need this feature in someway and cannot configure carver with your infra, yo could build an extension table to do it for you.
5 Views