
Todor Petkov

03/17/2022, 4:21 PM
Hi, I am running osquery 5.2.2 on Debian 10 and I don't see records in the file_events table. When running in verbose mode, I see messages like "Failed to set the netlink owner", which according to readthedocs can be due to auditd, but I don't have that running. The same config works on CentOS 7. Any idea what I am missing?

alessandrogario

03/17/2022, 6:56 PM
file_events should be using inotify, so the netlink error is unrelated
6:56 PM
You could try to look at the logs to make sure SELinux is not blocking osquery
6:57 PM
I don't think the logs will work without auditd though

Todor Petkov

03/17/2022, 7:00 PM
Thanks, I will try with auditd
7:00 PM
there is no warning from apparmor

alessandrogario

03/17/2022, 7:02 PM
What is the output of
getenforce
?
7:05 PM
Additional note: if those systems have been upgraded from an older version of osquery, the configuration now has to include a flag to enable file_events. It was previously not needed, but it was causing conflicts with Audit.

Todor Petkov

03/17/2022, 7:07 PM
I don't have selinux on the debian machine
7:08 PM
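# Enable the file_events publisher via the flags file. The flags file is
# line-oriented, so appending is safe here. The same flag is also set under
# "options" in osquery.conf below; keep the two in sync.
cat >> /etc/osquery/osquery.flags << 'EOF'
--enable_file_events
EOF

# Directory holding the pack files. Defaults to the CentOS package layout;
# override it for other distributions (e.g. PACKS_DIR=/opt/osquery/packs on
# Debian) so the "packs" entries in osquery.conf and the fim.conf write below
# always refer to the same location.
PACKS_DIR="${PACKS_DIR:-/usr/share/osquery/packs}"
mkdir -p "${PACKS_DIR}"

# Write osquery.conf as a whole document. ">" rather than ">>": the file must be
# a single JSON object, and appending a second top-level object to an existing
# non-empty file leaves it unparseable. The heredoc delimiter is unquoted so that
# ${PACKS_DIR} expands; the JSON below contains no other "$" or backticks.
#
# NOTE(review): "disable_audit": "false" together with "audit_allow_config":
# "true" enables osquery's audit-based publishers and lets osquery manage the
# audit subsystem, which is a separate mechanism from file_events (reported
# above to use inotify) — confirm those two options are wanted on this host.
# "force": "true" makes osqueryd take over from a previously running daemon.
cat > /etc/osquery/osquery.conf << EOF
{
    "options": {
        "config_plugin": "filesystem",
        "logger_plugin": "filesystem",
        "logger_path": "/var/log/osquery",
        "disable_logging": "false",
        "schedule_splay_percent": "10",
        "pidfile": "/var/osquery/osquery.pidfile",
        "events_expiry": "3600",
        "database_path": "/var/osquery/osquery.db",
        "verbose": "false",
        "worker_threads": "2",
        "disable_events": "false",
        "enable_bpf_events": "true",
        "enable_file_events": "true",
        "disable_audit": "false",
        "audit_allow_config": "true",
        "host_identifier": "hakase-labs",
        "enable_syslog": "true",
        "syslog_pipe_path": "/var/osquery/syslog_pipe",
        "force": "true",
        "audit_allow_sockets": "true",
        "schedule_default_interval": "3600"
    },

    "schedule": {
        "crontab": {
            "query": "SELECT * FROM crontab;",
            "interval": 300
        },
        "system_info": {
            "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
            "interval": 3600
        },
        "ssh_login": {
            "query": "SELECT username, time, host FROM last WHERE type=7",
            "interval": 360
        }
    },

    "decorators": {
        "load": [
            "SELECT uuid AS host_uuid FROM system_info;",
            "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
        ]
    },

    "packs": {
        "osquery-monitoring": "${PACKS_DIR}/osquery-monitoring.conf",
        "fim": "${PACKS_DIR}/fim.conf"
    }
}
EOF

# FIM pack: poll file_events every 10 s; "removed": false suppresses the
# "removed" differential rows in the log output. In file_paths, "%" matches one
# directory level and "%%" matches recursively (osquery wildcard syntax).
# Watching all of /etc, /tmp and /var/www recursively can produce a lot of
# events; trim the list if volume becomes a problem. Written with ">" for the
# same reason as osquery.conf; the delimiter is quoted because nothing in this
# document needs shell expansion.
cat > "${PACKS_DIR}/fim.conf" << 'EOF'
{
  "queries": {
    "file_events": {
      "query": "SELECT * FROM file_events;",
      "removed": false,
      "interval": 10
    }
  },
  "file_paths": {
    "homes": [
      "/root/.ssh/%%",
      "/home/%/.ssh/%%"
    ],
    "etc": [
      "/etc/%%"
    ],
    "tmp": [
      "/tmp/%%"
    ],
    "www": [
      "/var/www/%%"
    ]
  }
}
EOF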
7:09 PM
that's the code I am using, with a small change to the path of fim.conf (/usr/share on CentOS, /opt/osquery on Debian)
7:10 PM
I see the file is being read when I run with --verbose (it says /etc/%% is being watched)
7:10 PM
but when I do "useradd test", there is no entry in the file_events table
3:12 PM
so I managed to make events appear in the file_events table, but there are no records in the logs.