Using osquery wildcards for multi-level patterns

Posted: 2019-12-30 14:30:28

Tags: inotify osquery

I am using osquery v4.1.1 to monitor file events on an Ubuntu box.

$ osqueryi --line "SELECT version, build, platform FROM os_version;"
version = 16.04.3 LTS (Xenial Xerus)
build =
platform = ubuntu
$ osqueryi --line "SELECT version from osquery_info;"
version = 4.1.1

I am trying to recursively watch all files with the .conf extension under the /etc/ directory, using the following wildcard: /etc/%%/%.conf. However, it also reports every file under /etc/. If I create the file /etc/foo, it generates a file event for CREATED as well as other events.

Minimal config to reproduce:

{
  "schedule": {
    "file_events": {
      "query": "SELECT * FROM file_events",
      "interval": "5",
      "removed": "false"
    }
  },
  "file_paths": {
    "sys": ["/etc/%%/%.conf"]
  }
}

These are the file events I get when I run touch /etc/foo.

{"name":"file_events","hostIdentifier":"<hostname>","calendarTime":"Mon Dec 30 13:56:03 2019 UTC","unixTime":1577714163,"epoch":0,"counter":0,"numerics":false,"columns":{"action":"CREATED","atime":"1577714161","category":"sys","ctime":"1577714161","gid":"0","inode":"389945","mode":"0644","mtime":"1577714161","size":"0","target_path":"/etc/foo","time":"1577714161","uid":"0"},"action":"added"}
{"name":"file_events","hostIdentifier":"<hostname>","calendarTime":"Mon Dec 30 13:56:03 2019 UTC","unixTime":1577714163,"epoch":0,"counter":0,"numerics":false,"columns":{"action":"ATTRIBUTES_MODIFIED","atime":"1577714161","category":"sys","ctime":"1577714161","gid":"0","inode":"389945","mode":"0644","mtime":"1577714161","size":"0","target_path":"/etc/foo","time":"1577714161","uid":"0"},"action":"added"}
{"name":"file_events","hostIdentifier":"<hostname>","calendarTime":"Mon Dec 30 13:56:03 2019 UTC","unixTime":1577714163,"epoch":0,"counter":0,"numerics":false,"columns":{"action":"UPDATED","atime":"1577714161","category":"sys","ctime":"1577714161","gid":"0","inode":"389945","mode":"0644","mtime":"1577714161","size":"0","target_path":"/etc/foo","time":"1577714161","uid":"0"},"action":"added"}

Questions:

  • Is /etc/%%/%.conf even a valid and usable wildcard?
  • If not, is there a way to achieve the desired monitoring?
  • If so, why are events not filtered based on the glob?

I was able to find the following function: filesystem.cpp#replaceGlobWildcards(), but beyond its attempt to extract the base path without wildcards, I could not understand what exactly it is meant to do.

Also, I know it uses fnmatch, but how does it translate the SQL-like pattern into an fnmatch-compatible expression?

1 answer:

Answer 0 (score: 1)

The FIM portion of the config is a fairly broad ruleset for how the inotify watches get set up. You cannot anchor a recursive expansion; this is called out in the documentation.

You can use something like /etc/%/%.conf, but that only gets you a single level of search.

I think you have 2 mechanisms to get the result you want.

You can set the FIM to watch all of /etc/%% and then have your query include an appropriate WHERE clause. Perhaps SELECT * FROM file_events WHERE target_path like "%.conf"

Or you can look at the file_paths_query option and use a SQL query to expand the search list. This is also in the documentation.
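The following config is an added example that is not part of the question or the answer, and is not taken from osquery's own documentation. It spells out the first mechanism from the answer: watch the whole /etc tree with /etc/%% and push the .conf filter into the scheduled query's WHERE clause, using the category column that the events above already carry. The events options and the osquery_etc name are assumptions chosen for this example; the file_paths_query section is shown as the answer's second alternative and assumes, as I recall from the osquery docs, that the query must return a column named path. In a real deployment you would keep one of the two sections, not both, or the tree would be registered twice.

```json
{
  "options": {
    "disable_events": "false",
    "enable_file_events": "true"
  },
  "schedule": {
    "etc_conf_events": {
      "query": "SELECT action, target_path, inode, mode, uid, gid, mtime, time FROM file_events WHERE category = 'etc' AND target_path LIKE '%.conf';",
      "interval": "5",
      "removed": "false"
    }
  },
  "file_paths": {
    "etc": ["/etc/%%"]
  },
  "file_paths_query": {
    "etc_query": ["SELECT '/etc/%%' AS path"]
  }
}
```

Two caveats a practitioner should keep in mind. The filter is applied when the scheduled query runs, not when the inotify watch fires, so osquery still registers watches for every directory under /etc and buffers every event from them; the WHERE clause only trims what gets logged, not the monitoring cost. SQLite's LIKE is case-insensitive for ASCII, so this pattern also matches FOO.CONF; if that matters, compare with GLOB '*.conf' instead. To try it interactively, run sudo osqueryi --config_path=/tmp/fim.conf --disable_events=false, then touch /etc/foo and /etc/foo.conf from another shell and run the scheduled query's SELECT by hand: only the .conf path should come back.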