Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
t
thor
02/28/2018, 3:41 PMFIM is an event based table, meaning it doesn’t Vaseline the directories, it registers for file change notifications. This means you get the file change notification right after t happens from the OS, so there’s no delay here. The interval you specify in the config is how frequently to ask osquery for these changes
g
Gray Cat
02/28/2018, 5:26 PMI see. Thanks. Will there be any delay if the size of monitoring directories is large?
At the backend, how does osquery knows there’s file change? Does it monitor changes of hashes?
t
thor
02/28/2018, 7:06 PMOsquery registers with the OS to subscribe to inotify events on Linux, which tells osquery when a file has been modified or accessed, at which point either we recompute the hash or it’s given to us, I don’t recall.
So it won’t make a difference if the directory is large
g
Gray Cat
02/28/2018, 7:09 PMAh. So osquery depends on OS logs rather than baselining and checking hash differences right?
t
thor
02/28/2018, 7:12 PMYou can read more about it here: http://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/ or check out the #FIM channel :)
g
Gray Cat
02/28/2018, 7:14 PMAh. Thanks!
t
thor
02/28/2018, 9:14 PM👍