FIM is an event based table, meaning it doesn’t Va...
# generalt
thor
02/28/2018, 3:41 PM
FIM is an event based table, meaning it doesn’t Vaseline the directories, it registers for file change notifications. This means you get the file change notification right after t happens from the OS, so there’s no delay here. The interval you specify in the config is how frequently to ask osquery for these changes
g
Gray Cat
02/28/2018, 5:26 PMI see. Thanks. Will there be any delay if the size of monitoring directories is large?
Gray Cat
02/28/2018, 5:29 PMAt the backend, how does osquery knows there’s file change? Does it monitor changes of hashes?
t
thor
02/28/2018, 7:06 PM
Osquery registers with the OS to subscribe to inotify events on Linux, which tells osquery when a file has been modified or accessed, at which point either we recompute the hash or it’s given to us, I don’t recall.
thor
02/28/2018, 7:07 PM
So it won’t make a difference if the directory is large
g
Gray Cat
02/28/2018, 7:09 PMAh. So osquery depends on OS logs rather than baselining and checking hash differences right?
t
thor
02/28/2018, 7:12 PM
You can read more about it here: http://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/ or check out the #FIM channel :)
g
Gray Cat
02/28/2018, 7:14 PMAh. Thanks!
t
thor
02/28/2018, 9:14 PM
👍