wave I m struggling to get FIM file access working on MacOS osquery #macos

:wave: I’m struggling to get FIM file access worki...

Ben

01/21/2021, 3:43 AM

👋 I’m struggling to get FIM file access working on MacOS… FIM is working and I have

file_accesses

in my config. What else could I be forgetting?

Ben

01/21/2021, 3:47 AM

My flags current look like

Copy code

--disable_extensions
--disable_events=false
--enable_file_events=true
--disable_audit=false
--audit_allow_config=true
--audit_persist=true
--audit_allow_fim_events=true
--audit_allow_process_events=true

Ben

01/21/2021, 3:48 AM

And my FIM config for testing:

Copy code

{
  "file_paths": {
    "tmp": [
      "/tmp/%%"
    ]
  },
  "exclude_paths": {
    "tmp": [
      "/tmp/do_not_monitor1/"
    ]
  },
  "file_accesses": [
    "tmp"
  ]
}

Ben

01/21/2021, 3:48 AM

I see

CREATED

ATTRIBUTES_MODIFIED

, and

DELETED

events for files in /tmp, but no access events.

allister

01/21/2021, 4:34 AM

that's more than I was expecting you'd be able to achieve, I don't recall if a kext was ever required for those type of things

allister

01/21/2021, 4:35 AM

🎅 is how demGoogs do FIM, so there is that sysext-based way to accomplish the same goal (AFAIK that feature came along for the conversion to sysext...)

Ben

01/21/2021, 5:54 AM

I can explore Santa, but would be ideal to get it done with just osquery

theopolis

01/21/2021, 2:11 PM

You should be able to get FIM working on macOS without configuring audit. Audit is only used for

process_file_events

, the

file_events

table is populated through FSEvents. Let me look at the code quickly and try to guess why the accesses is not working for you.

🙌 1

Ben

01/21/2021, 6:07 PM

Thanks @theopolis. I also want to explore the

process_file_events

, but primarily would like to get

file_events

with accesses working first.

3 Views

Open in Slack

Previous Next