# macos

Ben

01/21/2021, 3:43 AM
👋 I’m struggling to get FIM file access working on macOS… FIM is working and I have `file_accesses` in my config. What else could I be forgetting?
My flags currently look like:
```
--disable_extensions
--disable_events=false
--enable_file_events=true
--disable_audit=false
--audit_allow_config=true
--audit_persist=true
--audit_allow_fim_events=true
--audit_allow_process_events=true
```
And my FIM config for testing:
```json
{
  "file_paths": {
    "tmp": [
      "/tmp/%%"
    ]
  },
  "exclude_paths": {
    "tmp": [
      "/tmp/do_not_monitor1/"
    ]
  },
  "file_accesses": [
    "tmp"
  ]
}
```
I see `CREATED`, `ATTRIBUTES_MODIFIED`, and `DELETED` events for files in /tmp, but no access events.

allister

01/21/2021, 4:34 AM
that's more than I was expecting you'd be able to achieve, I don't recall if a kext was ever required for those type of things
🎅 is how demGoogs do FIM, so there is that sysext-based way to accomplish the same goal (AFAIK that feature came along for the conversion to sysext...)

Ben

01/21/2021, 5:54 AM
I can explore Santa, but would be ideal to get it done with just osquery

theopolis

01/21/2021, 2:11 PM
You should be able to get FIM working on macOS without configuring audit. Audit is only used for `process_file_events`; the `file_events` table is populated through FSEvents. Let me look at the code quickly and try to guess why the accesses are not working for you.

Ben

01/21/2021, 6:07 PM
Thanks @theopolis. I also want to explore the `process_file_events`, but primarily would like to get `file_events` with accesses working first.