  • João Godinho, 2 years ago
    Hey 👋 quick question regarding file_events: I can exclude paths, but not a specific file and/or multiple files, correct?
  • theopolis, 2 years ago
    To exclude files you configure the exclude_paths object in the config JSON. I will look at the code, but it might be different depending on the OS and file events APIs. What OS are you interested in?
    The documentation suggests you can use wildcards: https://osquery.readthedocs.io/en/latest/deployment/file-integrity-monitoring/ Did you find otherwise?
  • João Godinho, 2 years ago
    I'm testing this in Debian. I've tried adding exclude_paths with /path/to/file.% (where after the . it's just a random number), but it doesn't seem to be filtering it out. I'll do some more specific tests and report back.
    Is there any table in osquery where I can see this configuration?
  • theopolis, 2 years ago
    Looking at the code (briefly), the values in exclude_paths are used as exact matches, not as match patterns. If you have time to test and confirm this, it would be great to create an issue on GitHub.
  • João Godinho, 2 years ago
    Can you send me a link to where it's tested?
    It seems that exact match does work, but % and %% don't. This was the config:
    exclude_paths:
          homes:
            - /home/joao.godinho/file.txt
            - /home/joao.godinho/test%%
            - /home/joao.godinho/test%

    https://github.com/osquery/osquery/blob/e6fe15eb49660725e65dba1549932ed96e0a8c6e/plugins/config/parsers/file_paths.cpp#L148-L151
    This should be identical to the one in the file_paths validation, right?
    Follow-up question on this, as a workaround for now: if I query file_events with a WHERE clause to exclude some files, will the excluded file events be considered “consumed” and removed from the table when the expiry triggers?
  • theopolis, 2 years ago
    Yes, but what problem are you trying to solve?
  • João Godinho, 2 years ago
    The wildcard in exclude_paths not working.
  • theopolis, 2 years ago
    Ah yes, a constraint in the WHERE will definitely address the problem. The exclude_paths configuration was provided to give more performance if you wanted to exclude noisy sub-paths, such as a noisy subdirectory.