Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
c
Cameron Just
02/01/2021, 3:52 AMCan anyone help with getting File Integrity Monitoring working with OSQuery please?
It seems to work like 5% of the time with the majority of the time it doesn't report anything at all even though files are added/remove/modified in the target directories.
It's a standalone config on a Fedora 29 instance with latest version of OSQuery . The same issues happen with Centos as well. All relevant config and logs below
osquery.conf - https://pastebin.com/hUawQQwR
splunk-pack-all.conf - https://pastebin.com/3XwVCSBq
splunk-pack-nix.conf - https://pastebin.com/vLKcwiDE
osqueryd.INFO.20210201-133214.12128 - https://pastebin.com/93LGgm3E
osqueryd.results.log - https://pastebin.com/h8fddDaQ
c
CptOfEvilMinions
02/01/2021, 4:23 AMI would use that config as an example for how to setup FIM
https://pastebin.com/vLKcwiDE line 39 is show all the directories/files Osquery is monitoring. Make sure the file you are modifying is being monitored by Osquery
c
Cameron Just
02/01/2021, 5:39 AMThanks for the info that still doesn't seem to work even when I strip it back to those configs only.
Like I said the config I posted does work but only appears to work 5% of the time. There are no obvious errors in the logs as to why it stops.
c
CptOfEvilMinions
02/01/2021, 4:52 PMSome things to check:
• Check
SElinuxAppArmorosqueryd--verbosec
Cameron Just
02/02/2021, 1:32 AMThanks for the tips. I did have selinux set to permissive and disabled it completely and things started working as expected.
Any ideas what specific configs selinux needs to allow FIM? I doubt our admins would let us disable it across the board.
Google doesn't seem to talk about it much at all.
c
CptOfEvilMinions
02/02/2021, 3:13 PMI am not sure. It’s been a while since I have tinkered with SELinux. I would start by posting in this channel (#fim) that SELinux is blocking the FIM capability.
Hopefully, the community has an answer.
Also the Osquery office hours (#officehours) are today at 12pm CST. This event is open to the community to join and ask questions.
s
Stefano Bonicatti
02/06/2021, 2:25 PMBy the way, we have briefly discussed this during office hours.
I don't think that osquery is specifically at fault here, but it's simply because SELinux doesn't know about osquery and so it blocks its attempts to access protected resources.
This is a matter of configuring SELinux to let osquery access the resources it needs.
That been said, it would be also interesting maybe to provide a profile/template that can be easily applied by the end user so that then osquery can function properly under SELinux or AppArmor, but further investigation has to be done.
Even if with a slightly different intent, this is an issue where some discussion about SELinux and AppArmor was started: https://github.com/osquery/osquery/issues/6484