
macos: es_process_file_events -- add support for open events, and for only triggering on file_paths #8114

Merged
merged 6 commits into from
Aug 23, 2023

Conversation

sharvilshah
Member

Tested on:

  • macOS 11 (Big Sur)
  • macOS 12 (Monterey)
  • macOS 13 (Ventura)

Test osquery.conf:

{
  "options": {
    "disable_events": "false",
    "verbose": "true",
    "ephemeral": "true",
    "disable_endpointsecurity": "false",
    "disable_endpointsecurity_fim": "false",
    "es_fim_enable_open_events": "true"
  },
  "schedule": {
    "es_file_events": {
      "query": "SELECT * FROM es_process_file_events;",
      "interval": 20
    }
  },
  "file_paths": {
    "monitor": [
      "/Users/*/.aws/*",
      "/Users/*/.ssh/*",
      "/Users/*/.config/gcloud/*",
      "/Library/Keychains/*.keychain"
    ]
  },
  "exclude_paths": {
    "monitor": [
      "/Users/*/.ssh/id_ed25519.pub"
    ]
  }
}
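To make the "only trigger on file_paths" semantics of the test configuration concrete, here is an added illustration (not osquery's own code from this PR) of how an event path is filtered against the include and exclude globs and the open-event flag. It assumes POSIX fnmatch() with FNM_PATHNAME, which approximates but is not osquery's own pattern resolution.

```cpp
// Added example, not osquery code: include/exclude filtering for the
// es_process_file_events test configuration. Assumption: glob matching via
// POSIX fnmatch() with FNM_PATHNAME, so "*" does not cross a "/" separator.
#include <fnmatch.h>
#include <string>
#include <vector>

struct FimConfig {
  std::vector<std::string> file_paths;     // "file_paths" -> "monitor"
  std::vector<std::string> exclude_paths;  // "exclude_paths" -> "monitor"
  bool open_events_enabled;                // es_fim_enable_open_events
};

static bool matchesAny(const std::vector<std::string>& patterns,
                       const std::string& path) {
  for (const auto& p : patterns) {
    if (fnmatch(p.c_str(), path.c_str(), FNM_PATHNAME) == 0) {
      return true;
    }
  }
  return false;
}

// True when an event of kind `event` ("open", "write", ...) on `path`
// should be emitted under this configuration.
bool shouldEmit(const FimConfig& cfg, const std::string& event,
                const std::string& path) {
  if (event == "open" && !cfg.open_events_enabled) {
    return false;  // open events are opt-in via es_fim_enable_open_events
  }
  if (!matchesAny(cfg.file_paths, path)) {
    return false;  // only paths covered by file_paths trigger
  }
  if (matchesAny(cfg.exclude_paths, path)) {
    return false;  // exclude_paths wins over file_paths
  }
  return true;
}

// Constructed configuration mirroring the PR's test osquery.conf above.
FimConfig testConfig() {
  return {{"/Users/*/.aws/*", "/Users/*/.ssh/*", "/Users/*/.config/gcloud/*",
           "/Library/Keychains/*.keychain"},
          {"/Users/*/.ssh/id_ed25519.pub"},
          true};
}
```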

@sharvilshah sharvilshah marked this pull request as ready for review August 15, 2023 11:57
@sharvilshah sharvilshah requested review from a team as code owners August 15, 2023 11:57
@sharvilshah sharvilshah added macOS events Related to osquery's evented tables or eventing subsystem FIM Related to File Integrity Monitoring with osquery labels Aug 15, 2023
@directionless directionless added this to the 5.10.0 milestone Aug 15, 2023
@directionless
Member

Chatting in office hours, there was discussion of how the open events would work pre-13.

Consider the scenario where a site has a deployment across versions. They want this feature, but it's non-performant on v12. We think this failure case is more likely than someone who wants this new functionality on v12.

As such, we think this feature should not be enablable pre-13.

@sharvilshah sharvilshah merged commit 00cec19 into osquery:master Aug 23, 2023
16 checks passed
sharvilshah added a commit to sharvilshah/osquery that referenced this pull request Oct 18, 2023
…s, and for only triggering on `file_paths` (osquery#8114)"

This reverts commit 00cec19.