Title
#fim
a

alessandrogario

10/29/2018, 1:21 PM
@Stephan it is needed to do FIM, without that you disable the table 🤔
s

Stephan

10/29/2018, 1:28 PM
That's what i thought too 😃 And that's kind of proposed by the docs. However the reality is different. Actually after disabling this flag, my FIM started to work properly (counting Hashes and population the tables)
a

alessandrogario

10/29/2018, 1:29 PM
file_events or process_file_events?
s

Stephan

10/29/2018, 1:31 PM
file_events
a

alessandrogario

10/29/2018, 1:31 PM
You probably have misinterpreted the documentation, as file_events is based on inotify and doesn't require audit
1:32 PM
Also, speaking about audit, your backlog is constantly full and will cause issues regardless of which audit feature you enable in audit
1:32 PM
you can completely disable audit if you only need file_events
1:33 PM
(also, allow_fim_events is already set to FALSE by default, so you can remove the flag from your command line)
1:35 PM
The documentation for file integrity monitoring talks about how to tune inotify: https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/
1:35 PM
Audit is not mentioned there, can you link me the page you were reading?
s

Stephan

10/29/2018, 1:38 PM
Whatever, I just wanted to monitor running processes and track changes to the files. My thought was that if there is an explicit flag audit_allow_process_events that I have to enable to do process monitoring, I should then also enable allow_fim_events to do FIM
a

alessandrogario

10/29/2018, 1:39 PM
It is best to always start from the documentation and then tweak the settings
1:39 PM
Audit is kind of complex
1:39 PM
There's a really good talk from Chris Long on the matter
1:40 PM

https://www.youtube.com/watch?v=AIO7mgVt4O8

s

Stephan

10/29/2018, 1:41 PM
I did watch the video and I do use Palantir's work patially
a

alessandrogario

10/29/2018, 1:41 PM
In general, flags that change the behavior of a publisher are all grouped with a prefix
1:41 PM
in this case audit
1:42 PM
When something is not clear, referring to the header file of the source code is usually useful (flags are declared at the top of the file). You can also open an issue about it so that we can extend the documentation
s

Stephan

10/29/2018, 1:56 PM
This is the output from the osqueryi --help --audit_allow_config Allow the audit publisher to change auditing configuration --audit_allow_fim_events Allow the audit publisher to install file event monitoring rules --audit_allow_process_events Allow the audit publisher to install process event monitoring rules --audit_allow_selinux_events Allow the audit publisher to process audit events --audit_allow_sockets Allow the audit publisher to install socket-related rules --audit_allow_user_events Allow the audit publisher to install user events-related rules
1:58 PM
To monitor sockets or processes you need to explicitly enable the flags
1:59 PM
it's "logical" at least to me, that to do FIM you need to enable audit_allow_fim_events
a

alessandrogario

10/29/2018, 1:59 PM
Yes! But you can still use the inotify-based FIM and keep the audit-based FIM off
2:00 PM
audit-based FIM performs syscall tracing, so it's a little heavy (and if your machine already has the backlog full it's not going to work)
s

Stephan

10/29/2018, 2:01 PM
My backlog was full due to osquery failing to handle the events
a

alessandrogario

10/29/2018, 2:02 PM
It seemed like there was some spamming from SECCOMP
2:02 PM
Does that still happen?
s

Stephan

10/29/2018, 2:04 PM
Nope
a

alessandrogario

10/29/2018, 2:05 PM
If you could open a ticket with your configuration and running processes, maybe we can have a look at it
s

Stephan

10/29/2018, 2:06 PM
sure, where do I post it?
a

alessandrogario

10/29/2018, 2:07 PM
2:07 PM
It may just be caused by too many processes doing i/o, but it's still worth to open the issue since we could at least document this problem on the documentation for Audit
s

Stephan

10/29/2018, 2:14 PM
Tried to gather some I/O stats but couldn't find any weirdness either. Anyway will be very glad if you will have a look.
a

alessandrogario

10/29/2018, 2:16 PM
The trouble with syscall tracing is that even keeping a terminal that prints data to screen will call the write() syscall many times
2:16 PM
A more precise way to debug this is using the perf tools
2:16 PM
to count how many times certain syscalls (the ones monitored by osquery) are being called
s

Stephan

10/29/2018, 2:19 PM
Strangely just reproducing the audit rules manually with disabled osquery doesn't impact the system
a

alessandrogario

10/29/2018, 2:20 PM
How did you do that? To replicate it I would set --audit_allow_config=false and --audit_allow_fim=true, then restore the configuration manually using auditctl
s

Stephan

10/29/2018, 2:33 PM
restored the configuration with auditctl but without osquery