Can anyone help with getting File Integrity Monito...
# fim
Can anyone help with getting File Integrity Monitoring working with OSQuery please? It seems to work like 5% of the time with the majority of the time it doesn't report anything at all even though files are added/remove/modified in the target directories. It's a standalone config on a Fedora 29 instance with latest version of OSQuery . The same issues happen with Centos as well. All relevant config and logs below osquery.conf - splunk-pack-all.conf - splunk-pack-nix.conf - osqueryd.INFO.20210201-133214.12128 - osqueryd.results.log -
I would use that config as an example for how to setup FIM line 39 is show all the directories/files Osquery is monitoring. Make sure the file you are modifying is being monitored by Osquery
Thanks for the info that still doesn't seem to work even when I strip it back to those configs only.
Like I said the config I posted does work but only appears to work 5% of the time. There are no obvious errors in the logs as to why it stops.
Some things to check: • Check
on Centos like systems and
on Debian based systems are blocking Osquery. I doubt this is the problem but is something to check. • Also run
with the
flag to see if any errors are printed to the screen • Another thing to try is to setup something like AuditD + Golang. Then re-run your test and review the results. This would allow you to determine if it’s a system issue or an Osquery issue
Thanks for the tips. I did have selinux set to permissive and disabled it completely and things started working as expected. Any ideas what specific configs selinux needs to allow FIM? I doubt our admins would let us disable it across the board.
Google doesn't seem to talk about it much at all.
I am not sure. It’s been a while since I have tinkered with SELinux. I would start by posting in this channel (#fim) that SELinux is blocking the FIM capability. Hopefully, the community has an answer.
Also the Osquery office hours (#officehours) are today at 12pm CST. This event is open to the community to join and ask questions.
By the way, we have briefly discussed this during office hours. I don't think that osquery is specifically at fault here, but it's simply because SELinux doesn't know about osquery and so it blocks its attempts to access protected resources. This is a matter of configuring SELinux to let osquery access the resources it needs. That been said, it would be also interesting maybe to provide a profile/template that can be easily applied by the end user so that then osquery can function properly under SELinux or AppArmor, but further investigation has to be done. Even if with a slightly different intent, this is an issue where some discussion about SELinux and AppArmor was started: