Hello I would like to setup Mac darwin File Integrity Monito osquery #fleet

Hello! I would like to setup Mac (darwin) File Int...

Rafa

02/15/2023, 4:17 PM

Hello! I would like to setup Mac (darwin) File Integrity Monitoring and because of that I changed the Agent options in fleet to this:

Copy code

config:
  options:
    pack_delimiter: /
    logger_tls_period: 10
    distributed_plugin: tls
    disable_distributed: false
    logger_tls_endpoint: /api/osquery/log
    distributed_interval: 10
    distributed_tls_max_attempts: 3
  decorators:
    load:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
overrides:
  platforms:
    darwin:
      options:
        disable_audit: false
        disable_events: false
      file_paths:
        etc:
          - /etc/%%
        homes:
          - /Volumes/%%
        users:
          - /Users/%/Library/%%
          - /Users/%/Documents/%%
command_line_flags: {} # requires Fleet's osquery installer

Rafa

02/15/2023, 4:18 PM

But the query

Copy code

SELECT action, DATETIME(time, 'unixepoch') AS datetime, vendor, mounts.path FROM disk_events LEFT JOIN mounts ON mounts.device = disk_events.device;

always return nothing... Am I doing something wrong?

charles

02/16/2023, 1:56 AM

you might wanna check file_events and make sure that osqueryd has full disk access perms on macbooks

Kathy Satterlee

02/16/2023, 2:24 PM

A good way to check if permissions are the issue is to test the query locally with

sudo orbit osqueryd

Open in Slack

Previous Next