#macos

Ben, 01/21/2021, 3:43 AM
👋 I’m struggling to get FIM file access working on macOS… FIM is working and I have file_accesses in my config. What else could I be forgetting?
3:47 AM
My flags currently look like:
--disable_extensions
--disable_events=false
--enable_file_events=true
--disable_audit=false
--audit_allow_config=true
--audit_persist=true
--audit_allow_fim_events=true
--audit_allow_process_events=true
3:48 AM
And my FIM config for testing:
{
  "file_paths": {
    "tmp": [
      "/tmp/%%"
    ]
  },
  "exclude_paths": {
    "tmp": [
      "/tmp/do_not_monitor1/"
    ]
  },
  "file_accesses": [
    "tmp"
  ]
}
3:48 AM
I see CREATED, ATTRIBUTES_MODIFIED, and DELETED events for files in /tmp, but no access events.
allister, 01/21/2021, 4:34 AM
that's more than I was expecting you'd be able to achieve, I don't recall if a kext was ever required for those type of things
4:35 AM
🎅 is how demGoogs do FIM, so there is that sysext-based way to accomplish the same goal (AFAIK that feature came along for the conversion to sysext...)
Ben, 01/21/2021, 5:54 AM
I can explore Santa, but would be ideal to get it done with just osquery
theopolis, 01/21/2021, 2:11 PM
You should be able to get FIM working on macOS without configuring audit. Audit is only used for process_file_events; the file_events table is populated through FSEvents. Let me look at the code quickly and try to guess why the accesses are not working for you.
Ben, 01/21/2021, 6:07 PM
Thanks @theopolis. I also want to explore the process_file_events, but primarily would like to get file_events with accesses working first.