Essentially, when double wildcards are used to specify the paths to be monitored osquery runs a recursive search and registers every path that matches that pattern. This means if you create new files (or in your case mount new volumes) post config load, they will be ignored by the FIM.

Do you know if this double wildcard behaviour is the same for the

file

table too?

@Ryan If I understand correctly, this wouldn’t affect a query like

SELECT * FROM file WHERE path LIKE '/Users/%/Downloads/%%'

because the wildcard resolves at the moment the query runs, every time the query runs. The problem mentioned in the blog is that for FIM, the wildcard resolves only when the FIM config is first loaded. So new paths created afterwards aren’t included.

Aha, gotcha.