macOS: fix EndpointSecurity FIM mute inversion for file paths #8166
Conversation
|
closing and reopening to trigger latest CI |
There was a problem hiding this comment.
A part from the inversion logic, something else I noticed is that the flags we are using here, are only evaluated once, when the publisher starts (which basically means when osquery starts).
I would define those as CLI_FLAG instead of FLAG to reflect that.
EDIT: Nevermind, I noticed things late and what I suggested is a breaking change. Nonetheless I think that we should remember to mark flags whose effect cannot (or must not) change at runtime as CLI_FLAG to reflect that to users.
|
@directionless sorry if I caused confusion, but when I wrote "this is a breaking change" I meant my suggestion, not the PR here. |
sharvilshah
force-pushed
the
es_fim_fix
branch
from
5786611
to
49ef0e2
Compare
|
@directionless I don't think this is a breaking/API change, so I am removing that label. Please feel free to add it if you think it requires one. |
sharvilshah
added
bug
macOS
events
There was a problem hiding this comment.
I'm not really following this, and I haven't absorbed this PR (pr the feature it's adjusting) but the conversation here makes me think you're dealing with cases around config changes and how it impacts the FIM subscriptions and mutes. Yes? If so, that leads me to questions... I won't be offended if I'm offbase, or y'all have covered/dismissed/whatever this direction.
- Is the underlying issue that unrelated config changes causes spurious reprocessing of the FIM directives, which then cause things to get messed up?
- Or that reprocessing the FIM directives is hard because of how it's layered together?
- both?
I think one way to address (1) would be to keep some hash of the FIM config and early return if it's unchanged. This wouldn't address (2) but it might be part of it.
If I think about that kind of complex processing, I think it's very hard to do stateless. I'd end up tracking state, so that subsequent config parses could correlate with the state of what's already configured.
At every config refresh osquery calls the The PR here fixes that behavior making so that the inversion happens only once (the inversion is necessary because you don't have 2 APIs, one for including a path and another for excluding it, so you need to use This was working ok, but what I noticed was that we were not reacting to So no, the issue was not detecting when things change, but what and how to apply it correctly. EDIT: Also to be extra clear, this is not a regression on some behavior that was present in previous releases. The support for |
There was a problem hiding this comment.
As discussed I think this is acceptable, improvements (reacting to file_paths changes) will come in another PR.
I'm approving but lets leave @directionless time to look at it.
|
If you two are happy, I don't feel like I need to stick my nose in. I'll merge |
Slack conversation: https://osquery.slack.com/archives/C08VA3XQU/p1697483297449949
tl;dr: the bug was that we were inadvertently calling the ES mute inversion APIs on each config refresh, causing us to actually lose the mute inversion for file paths and cause a surge of events.
The fix is to check the ES mute inversion state, and call those APIs only if we are not currently "mute inverted" ( in ES parlance
ES_MUTE_NOT_INVERTED). This essentially gates the existing code with:if (es_muting_inverted(es_file_client_, ES_MUTE_INVERSION_TYPE_TARGET_PATH) == ES_MUTE_NOT_INVERTED) { ... }