theopolis
pirxthepilot
10/26/2018, 5:47 PM
alessandrogario
clong
11/08/2018, 10:39 PM
Dougr
12/07/2018, 4:08 PM
mtremsal
02/25/2019, 8:54 PM
inotify-based file_events table, how do you handle containers? Specifically:
- how do you dynamically configure osquery to apply FIM queries to new containerd containers?
- how do you get container metadata, such as k8s pod and deployment info, added to each file_event result?
Mike Myers
02/25/2019, 9:10 PM
Nikhil Ingale
11/28/2019, 11:31 AM
alessandrogario
Jamie Windley
01/07/2020, 10:48 AM
Subscriber expiration is too low: file_events
but can't find what this means. Any ideas? Relevant config below:
    "file_events": {
      "query": "SELECT * FROM file_events;",
      "interval": 60,
      "removed": false,
      "description": "File events events."
    }
  },
  "file_paths": {
    "test": [
      "~/Library/Preferences/%%"
    ]
  }
Ananda Uppalapati
02/13/2020, 7:28 PM
"file_events": {
  "query": "SELECT * FROM file_events;",
  "interval": 10,
  "description": "File events collected from file integrity monitoring",
  "removed": false
}
reed
04/04/2020, 7:58 PM
Cameron Just
02/01/2021, 3:52 AM
Gray Cat
04/19/2021, 8:34 PM
Schnoogemetzger
08/04/2021, 9:44 AM
Giovanni Giannola
11/06/2021, 1:18 AM
Todor Petkov
03/17/2022, 4:21 PM
Daniel Bretón Suárez
06/22/2022, 4:39 PM
C:\Users\vagrant\Documents\%, and no file exists at the moment osquery starts. If I create a file named test.txt and a few minutes later I delete that file, will I get an event?
What if I also watch the folder and the folder exists previously?
What if I also watch the folder and the folder does not exist previously?
yaseera irfan
08/28/2022, 1:23 PM
seph
wennan.he
10/13/2022, 11:27 PM
Kunal
12/06/2022, 5:30 AM
Daniel Cross
12/08/2023, 3:56 AM
Daniel Cross
12/13/2023, 3:04 AM
# osqueryi "select * from file_events"
W1213 03:03:20.754773 2752245 inotify.cpp:87] Failed to do stat on: /etc/alternatives/nc-man
Peter
12/15/2023, 5:25 PM
%% is used to denote that all files and folders should be matched, and thus monitored, recursively. Based on this, I should be able to recursively monitor for changes to CA certificates using /usr/share/ca-certificates/%%?
However, when this is done, osquery is attempting to install watches on all files under the specified directory, and subdirectories, as if they were themselves directories - which fails:
W1215 15:29:47.814217 14737 inotify.cpp:371] Could not add inotify watch on: /usr/share/ca-certificates/mozilla/E-Tugra_Certification_Authority.crt/
W1215 15:29:47.814276 14737 inotify.cpp:371] Could not add inotify watch on: /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_3_G3.crt/
W1215 15:29:47.814344 14737 inotify.cpp:371] Could not add inotify watch on: /usr/share/ca-certificates/mozilla/ACCVRAIZ1.crt/
sean.cavanaugh
01/09/2024, 5:23 PM
/Users/*/.zsh_history) being tracked by the es_process_file_events table?
gkhari
02/22/2024, 10:25 AM
Todor Petkov
02/28/2024, 3:09 PM