e., they don’t have any effect on the events generated. Invalid categories get dropped silently, i. In the above example, any name besides homes, etc and tmp is invalid. Invalid categories – Any name not referenced under file_paths. In the above example config, homes, etc and tmp are valid categories. Valid categories – Categories referenced under the file_paths node. Note: Remember to specify home paths as, for instance, /Users/%, instead of ~/% which will not work.ĭo not use arbitrary category names under the exclude_paths node only valid names are allowed. You can avoid this by monitoring the containing directory instead. If you monitor the file directly, osquery will need to be restarted in order to monitor the replacement. Note: Many applications may replace a file instead of editing it in place. For example /Users/%%/ is not a valid wildcard. Note: You cannot match recursively inside a path.
bin/%sh: Monitor the bin directory for changes ending in sh. Users/%/Library/%%: Monitor changes recursively within each Library. Users/%/Library/%: Same, changes to files within each Library folder. Users/%/Library/: Monitor for changes to files within each Library folder, but not the contents of their subdirectories. Users/%/Library: Monitor for changes to every user’s Library folder, but not the contents within. That is, the events are always recorded in real time the interval is just how often the already recorded events will be logged.Īfter you identify the files and directories you wish to monitor, add their match rules to the file_paths section in the osquery FIM config. At a high level, this means events are buffered within osquery and sent to the configured logger every five minutes. The file_events query is scheduled to collect all of the FIM events that have occurred on any files within the paths specified within file_paths but excluding the paths specified within exclude_paths on a five minute interval. The three elements of a FIM config in osquery are (a) the scheduled query against file_events, (b) the added file_paths section, and (c) the exclude_paths sections.
%abc: Match all within-level ending in “abc”.Ībc%: Match all within-level starting with “abc”. %%: Match all files and folders recursively. Matching wildcard rules%: Match all files and folders for one level. You may use standard wildcards */** or SQL-style wildcards *%*, as shown below. To specify which files and directories you wish to monitor, you must use fnmatch-style, or filesystem globbing, patterns to represent the target paths. To enable it, first ensure that events are enabled in osquery (–disable_events=false), then ensure that the desired FIM table is enabled with the corresponding CLI flag (–enable_file_events=true for file_events, –disable_audit=false for process_file_events, –enable_ntfs_publisher=true for ntfs_journal_events). The events that relate to those selected files will then populate the corresponding tables on each platform.įIM is also disabled by default in osquery.
#OSQUERY FIM WINDOWS#
File integrity monitoring (FIM) is available for Linux (in file_events, using the inotify subsystem, and in process_file_events using the Audit subsystem), Windows (in ntfs_journal_events, using NTFS Journaling) and macOS (in file_events, using FSEvents).Ĭollecting file events in osquery requires that you first specify a list of files/directories to monitor from the osquery configuration.
0 kommentar(er)
