Can anyone help with getting File Integrity Monitoring worki osquery #fim

Can anyone help with getting File Integrity Monito...

Cameron Just

02/01/2021, 3:52 AM

Can anyone help with getting File Integrity Monitoring working with OSQuery please? It seems to work like 5% of the time with the majority of the time it doesn't report anything at all even though files are added/remove/modified in the target directories. It's a standalone config on a Fedora 29 instance with latest version of OSQuery . The same issues happen with Centos as well. All relevant config and logs below osquery.conf - https://pastebin.com/hUawQQwR splunk-pack-all.conf - https://pastebin.com/3XwVCSBq splunk-pack-nix.conf - https://pastebin.com/vLKcwiDE osqueryd.INFO.20210201-133214.12128 - https://pastebin.com/93LGgm3E osqueryd.results.log - https://pastebin.com/h8fddDaQ

CptOfEvilMinions

02/01/2021, 4:23 AM

https://github.com/palantir/osquery-configuration/blob/master/Classic/Servers/Linux/osquery.conf

CptOfEvilMinions

02/01/2021, 4:24 AM

I would use that config as an example for how to setup FIM

CptOfEvilMinions

02/01/2021, 4:37 AM

https://pastebin.com/vLKcwiDE line 39 is show all the directories/files Osquery is monitoring. Make sure the file you are modifying is being monitored by Osquery

Cameron Just

02/01/2021, 5:39 AM

Thanks for the info that still doesn't seem to work even when I strip it back to those configs only.

Cameron Just

02/01/2021, 5:39 AM

Like I said the config I posted does work but only appears to work 5% of the time. There are no obvious errors in the logs as to why it stops.

CptOfEvilMinions

02/01/2021, 4:52 PM

Some things to check: • Check

SElinux

on Centos like systems and

AppArmor

on Debian based systems are blocking Osquery. I doubt this is the problem but is something to check. • Also run

osqueryd

with the

--verbose

flag to see if any errors are printed to the screen • Another thing to try is to setup something like AuditD + Golang. Then re-run your test and review the results. This would allow you to determine if it’s a system issue or an Osquery issue

Cameron Just

02/02/2021, 1:32 AM

Thanks for the tips. I did have selinux set to permissive and disabled it completely and things started working as expected. Any ideas what specific configs selinux needs to allow FIM? I doubt our admins would let us disable it across the board.

Cameron Just

02/02/2021, 1:32 AM

Google doesn't seem to talk about it much at all.

CptOfEvilMinions

02/02/2021, 3:13 PM

I am not sure. It’s been a while since I have tinkered with SELinux. I would start by posting in this channel (#fim) that SELinux is blocking the FIM capability. Hopefully, the community has an answer.

CptOfEvilMinions

02/02/2021, 3:15 PM

Also the Osquery office hours (#officehours) are today at 12pm CST. This event is open to the community to join and ask questions.

Stefano Bonicatti

02/06/2021, 2:25 PM

By the way, we have briefly discussed this during office hours. I don't think that osquery is specifically at fault here, but it's simply because SELinux doesn't know about osquery and so it blocks its attempts to access protected resources. This is a matter of configuring SELinux to let osquery access the resources it needs. That been said, it would be also interesting maybe to provide a profile/template that can be easily applied by the end user so that then osquery can function properly under SELinux or AppArmor, but further investigation has to be done. Even if with a slightly different intent, this is an issue where some discussion about SELinux and AppArmor was started: https://github.com/osquery/osquery/issues/6484

8 Views

Open in Slack

Previous Next