
I'm using osquery v4.1.1 to monitor file events on an Ubuntu machine.

$ osqueryi --line "SELECT version, build, platform FROM os_version;"
version = 16.04.3 LTS (Xenial Xerus)
build =
platform = ubuntu
$ osqueryi --line "SELECT version from osquery_info;"
version = 4.1.1

I'm trying to recursively watch all files under /etc/ that have the .conf extension, using the following wildcard: /etc/%%/%.conf. However, it also reports files directly under /etc/. If I create a file /etc/foo, it generates a file event for CREATED and for the other actions as well.

Minimal config to reproduce:

{
  "schedule": {
    "file_events": {
      "query": "SELECT * FROM file_events",
      "interval": "5",
      "removed": "false"
    }
  },
  "file_paths": {
    "sys": ["/etc/%%/%.conf"]
  }
}

These are the file events I get when I run touch /etc/foo

{"name":"file_events","hostIdentifier":"<hostname>","calendarTime":"Mon Dec 30 13:56:03 2019 UTC","unixTime":1577714163,"epoch":0,"counter":0,"numerics":false,"columns":{"action":"CREATED","atime":"1577714161","category":"sys","ctime":"1577714161","gid":"0","inode":"389945","mode":"0644","mtime":"1577714161","size":"0","target_path":"/etc/foo","time":"1577714161","uid":"0"},"action":"added"}
{"name":"file_events","hostIdentifier":"<hostname>","calendarTime":"Mon Dec 30 13:56:03 2019 UTC","unixTime":1577714163,"epoch":0,"counter":0,"numerics":false,"columns":{"action":"ATTRIBUTES_MODIFIED","atime":"1577714161","category":"sys","ctime":"1577714161","gid":"0","inode":"389945","mode":"0644","mtime":"1577714161","size":"0","target_path":"/etc/foo","time":"1577714161","uid":"0"},"action":"added"}
{"name":"file_events","hostIdentifier":"<hostname>","calendarTime":"Mon Dec 30 13:56:03 2019 UTC","unixTime":1577714163,"epoch":0,"counter":0,"numerics":false,"columns":{"action":"UPDATED","atime":"1577714161","category":"sys","ctime":"1577714161","gid":"0","inode":"389945","mode":"0644","mtime":"1577714161","size":"0","target_path":"/etc/foo","time":"1577714161","uid":"0"},"action":"added"}

Questions:

  • Is /etc/%%/%.conf even a valid and usable wildcard?
  • If not, is there a way to achieve the desired watch?
  • If so, why aren't the events filtered according to the glob?

I could find the following function: filesystem.cpp#replaceGlobWildcards(), but beyond the fact that it tries to extract the base path without wildcards, I can't understand what exactly it does.

Also, I know it uses fnmatch, but how does it convert the SQL-like pattern into an fnmatch-compatible expression?


1 Answer


The FIM section of the config is a fairly extensive set of rules for how inotify watches get set up. You cannot nest the recursive expansion; this is called out in the documentation.

You could use something like /etc/%/%.conf, but that only gives you a single-level search.

I think you have two mechanisms to get the result you want.

You can set FIM to watch everything under /etc/%% and then have your query include an appropriate WHERE clause. Perhaps SELECT * FROM file_events WHERE target_path like "%.conf"

Or you can look at the file_paths_query option and use a SQL query to expand the search list. This is also in the documentation.

answered 2019-12-30T21:08:40.857
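The answer's first approach, written out as a complete config and checked against sample events. This is an added example, not code from the question, the answer, or the osquery project; the schedule name etc_conf_events and the sample file_events rows are constructed for illustration. The watch is widened to /etc/%% (which osquery expands recursively) and the .conf filtering moves into the scheduled query. Because osquery's SQL engine is SQLite, the WHERE clause is run here against an in-memory SQLite table with the same columns to show what it keeps and drops. One caveat the answer does not mention: SQLite's LIKE is case-insensitive for ASCII, so LIKE '%.conf' also matches a file named JOB.CONF; GLOB '*.conf' is case-sensitive. The example shows both so you can pick the one that matches your intent.

```python
import json
import sqlite3

# Added example (not from the original post or the osquery project).
# Assumptions: schedule name "etc_conf_events" and the SAMPLE_EVENTS rows
# below are made up; only the config keys are real osquery options.

# Watch all of /etc recursively and filter the extension in the query.
# GLOB is used so the match stays case-sensitive; see with_query() for LIKE.
FIM_CONFIG = {
    "schedule": {
        "etc_conf_events": {
            "query": (
                "SELECT action, target_path, category, time "
                "FROM file_events WHERE target_path GLOB '*.conf'"
            ),
            "interval": "5",
            "removed": "false",
        }
    },
    "file_paths": {"sys": ["/etc/%%"]},
}

# Constructed rows shaped like the "columns" object of the question's
# file_events lines: the three /etc/foo events from the question plus
# a few invented .conf and non-.conf events under /etc.
SAMPLE_EVENTS = [
    {"action": "CREATED", "target_path": "/etc/foo", "category": "sys", "time": 1577714161},
    {"action": "ATTRIBUTES_MODIFIED", "target_path": "/etc/foo", "category": "sys", "time": 1577714161},
    {"action": "UPDATED", "target_path": "/etc/foo", "category": "sys", "time": 1577714161},
    {"action": "UPDATED", "target_path": "/etc/resolv.conf", "category": "sys", "time": 1577714200},
    {"action": "CREATED", "target_path": "/etc/apt/apt.conf.d/99local", "category": "sys", "time": 1577714210},
    {"action": "UPDATED", "target_path": "/etc/apt/apt.conf", "category": "sys", "time": 1577714220},
    {"action": "CREATED", "target_path": "/etc/ssh/sshd_config", "category": "sys", "time": 1577714230},
    {"action": "CREATED", "target_path": "/etc/cron.d/JOB.CONF", "category": "sys", "time": 1577714240},
]


def run_scheduled_query(config, events, name):
    """Run the named scheduled query from an osquery config against an
    in-memory SQLite table standing in for file_events."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE file_events "
        "(action TEXT, target_path TEXT, category TEXT, time INTEGER)"
    )
    conn.executemany(
        "INSERT INTO file_events VALUES (:action, :target_path, :category, :time)",
        events,
    )
    rows = conn.execute(config["schedule"][name]["query"]).fetchall()
    conn.close()
    return rows


def matched_paths(config, events, name="etc_conf_events"):
    """Distinct target_path values the scheduled query would report."""
    return sorted({row[1] for row in run_scheduled_query(config, events, name)})


def with_query(config, query, name="etc_conf_events"):
    """Copy of the config with the named schedule's query swapped out."""
    copy = json.loads(json.dumps(config))
    copy["schedule"][name]["query"] = query
    return copy


LIKE_QUERY = (
    "SELECT action, target_path, category, time "
    "FROM file_events WHERE target_path LIKE '%.conf'"
)


def config_json(config=FIM_CONFIG):
    """The config as osqueryd reads it (e.g. from /etc/osquery/osquery.conf)."""
    return json.dumps(config, indent=2)


if __name__ == "__main__":
    print(config_json())
    print("GLOB '*.conf' reports:", matched_paths(FIM_CONFIG, SAMPLE_EVENTS))
    print("LIKE '%.conf' reports:",
          matched_paths(with_query(FIM_CONFIG, LIKE_QUERY), SAMPLE_EVENTS))
```

Note that widening the watch to /etc/%% means the inotify watches (and the events osquery buffers between runs) still cover /etc/foo and everything else under /etc; only the reported rows are filtered. If that cost matters on a busy /etc, the answer's second option, file_paths_query, is the way to narrow the watch list itself.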