Hey all, happy friday! Looking at some macOS FIM e...
# generalb
Brandon Mesa
11/04/2022, 2:51 PMHey all, happy friday! Looking at some macOS FIM events where "uid" is blank, anyone know why this would be the case or what it could implicitly mean?
s
sharvil
11/04/2022, 3:05 PMI am assuming this is the
file_eventses_process_file_eventsCREATEDUPDATEDsharvil
11/04/2022, 3:05 PMand it might require a join with the
filesharvil
11/04/2022, 3:06 PMsimilarly the
ms5,sha1,sha256hashsharvil
11/04/2022, 3:06 PMbut could be just a bug
sharvil
11/04/2022, 3:08 PMnvm, the join should be done by the code itself
b
Brandon Mesa
11/04/2022, 3:08 PMCorrect, these come from file_events
s
sharvil
11/04/2022, 4:26 PMIs this on Ventura?
sharvil
11/04/2022, 4:26 PMI am wondering is this this related to permissions (Full Disk Access and such), or this is on any file?
b
Brandon Mesa
11/04/2022, 4:52 PMThis is on monterey, and primarily across a select number of files including primarily /private/etc/cups/certs/0 and some child objects in /private/var/root/Library/Caches/rtcreportingd/events/NRM_Events_*
Brandon Mesa
11/04/2022, 4:56 PMall actions on /private/etc/cups/certs/0 is "DELETED"
Brandon Mesa
11/04/2022, 4:57 PMI will probably end up excluding that file from the query
s
sharvil
11/04/2022, 6:10 PMThanks for the additional context, this maybe a bug/caveat, I will try to dig in deeper
8 Views