macOS `file_events` table does not work with Orbit
Fleet version: ecba812
Operating system: Orbit on macOS
🧑💻 Expected behavior
file_events table shows file events as expected.
💥 Actual behavior
No events are recorded at all (confirmed by querying osquery_events table).
Fleet agent options:

```yaml
config:
  file_paths:
    test:
      - /Users/zwass/foo/%
      - /tmp/foo
      - /Users/zwass/bar/%
```
What osquery actually sees:

```json
{
  "file_paths": {
    "test": [
      "/Users/zwass/foo/%",
      "/tmp/foo",
      "/Users/zwass/bar/%"
    ]
  },
  "packs": {
    "CMMC Level 1 (MacOS)": {
      "queries": {
        "Get USB device type": {
          "query": "SELECT vendor, model FROM usb_devices WHERE removable = 0;",
          "interval": 18,
          "platform": "",
          "version": "",
          "snapshot": true,
          "removed": false
        }
      }
    },
    "Global": {
      "queries": {
        "Get USB device type": {
          "query": "SELECT vendor, model FROM usb_devices WHERE removable = 0;",
          "interval": 86400,
          "platform": "",
          "version": "",
          "snapshot": true,
          "removed": false
        },
        "Get recently added or removed USB drives": {
          "query": "SELECT action, DATETIME(time, 'unixepoch') AS datetime, vendor, mounts.path \nFROM disk_events \nLEFT JOIN mounts \n ON mounts.device = disk_events.device\n;",
          "interval": 3600,
          "platform": "",
          "version": "",
          "snapshot": true,
          "removed": false
        },
        "Get running processes (with user_name)": {
          "query": "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY start_time DESC LIMIT 5;",
          "interval": 86400,
          "platform": "",
          "version": "",
          "snapshot": true,
          "removed": false
        }
      }
    },
    "Malware": {
      "queries": {}
    },
    "Security Tooling Checks": {
      "queries": {}
    },
    "Team: zwass test": {
      "queries": {}
    },
    "g-testpack": {
      "queries": {}
    },
    "test pack 1": {
      "queries": {}
    },
    "zwass test": {
      "queries": {
        "file test": {
          "query": "SELECT * FROM file where path LIKE '/tmp/foo/%' OR path LIKE '/Users/zwass/foo/%'",
          "interval": 10,
          "platform": "",
          "version": "",
          "removed": true
        },
        "file_events": {
          "query": "SELECT * FROM file_events",
          "interval": 10,
          "platform": "",
          "version": "",
          "removed": false
        }
      }
    }
  }
}
```
More info
I suspected this was a Full Disk Access issue, but the problem persists even after manually setting Full Disk Access in System Preferences (not clear that System Preferences actually sets this properly though, as I observed it sometimes saves the wrong path).
I also ran a plain osquery side-by-side with the Orbit osquery and the events work there (confirmed via osquery_events table and filesystem logging).
Flagfile:

```
# Server
--tls_hostname=dogfood.fleetdm.com
# Enrollment
--host_identifier=instance
--enroll_secret_path=secret.txt
--enroll_tls_endpoint=/api/osquery/enroll
# Configuration
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=10
# Live query
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
```
Osquery command line:

```sh
sudo osqueryd --flagfile=flagfile.txt --database_path=/tmp/osquery.db --disable_events=false --enable_file_events=true --logger_path=/tmp/osquerylogs --verbose --tls_dump
```
With both Orbit and regular osquery running, I touch some files at the expected paths:
```sh
touch /tmp/foo/test.txt /Users/zwass/foo/test.txt /Users/zwass/bar/test.txt
```
Then query osquery_events. Only plain osquery sees any events:
But both can see the file:
@zwass apologies if I am missing something super obvious...
But I think that the flagfile above doesn't contain the flags to enable events, namely: `disable_events=false` and `enable_file_events=true`
I think that's why Orbit is not getting `file_events` and osqueryd is (because you are passing them in the command line)
I tested this out with the relevant flags, and I can't seem to reproduce it (please see screenshot)
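The reply above boils down to a precondition check: `file_events` only fills when the osquery event system is on, the `file_events` publisher is enabled, and the config carries at least one non-empty `file_paths` category. The following script is an added example, not Fleet's or osquery's own code. It parses an osquery flagfile and the config osquery reports, and lists which of those preconditions is missing. It assumes, as the reply does, that both `--disable_events=false` and `--enable_file_events=true` should be set explicitly rather than relying on osquery defaults; the sample flagfile and config are copied from this issue (the flagfile has the event flags left out, exactly as posted).

```python
"""Diagnose why osquery's file_events table stays empty.

Added example for this issue, not Fleet/osquery code. Checks the two flags the
reply names plus the file_paths section of the config osquery actually sees.
"""
import json
from typing import Dict, List

# Flagfile as posted in the issue (server/enrollment/config sections; no event flags).
FLAGFILE_FROM_ISSUE = """\
# Server
--tls_hostname=dogfood.fleetdm.com
# Enrollment
--host_identifier=instance
--enroll_secret_path=secret.txt
--enroll_tls_endpoint=/api/osquery/enroll
# Configuration
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=10
"""

# Same flagfile plus the two flags passed on the osqueryd command line in the issue.
FLAGFILE_WITH_EVENTS = FLAGFILE_FROM_ISSUE + "--disable_events=false\n--enable_file_events=true\n"

# The parts of the config from the issue that matter for file_events.
CONFIG_FROM_ISSUE = json.loads("""
{
  "file_paths": {"test": ["/Users/zwass/foo/%", "/tmp/foo", "/Users/zwass/bar/%"]},
  "packs": {"zwass test": {"queries": {
    "file_events": {"query": "SELECT * FROM file_events", "interval": 10}}}}
}
""")


def parse_flagfile(text: str) -> Dict[str, str]:
    """Parse osquery flagfile syntax: one --flag[=value] per line, '#' comments.

    A bare --flag (e.g. --verbose) is recorded as "true", matching gflags' handling
    of boolean switches."""
    flags: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith("--"):
            raise ValueError(f"not a flag line: {raw!r}")
        key, _, value = line[2:].partition("=")
        flags[key.strip()] = value.strip() if value else "true"
    return flags


def file_events_findings(flagfile_text: str, config: dict) -> List[str]:
    """Return the reasons file_events would produce no rows; an empty list means OK.

    Assumption (labelled): both flags must appear explicitly, as the reply suggests;
    osquery's built-in defaults are deliberately not relied on here."""
    flags = parse_flagfile(flagfile_text)
    findings: List[str] = []

    disable = flags.get("disable_events")
    if disable is None:
        findings.append("--disable_events=false is not set explicitly")
    elif disable.lower() != "false":
        findings.append(f"--disable_events={disable} turns the event system off")

    enable = flags.get("enable_file_events")
    if enable is None or enable.lower() != "true":
        findings.append("--enable_file_events=true is missing (file_events publisher stays off)")

    # Without a non-empty file_paths category there is nothing for the publisher to watch.
    categories = config.get("file_paths", {}) or {}
    patterns = [p for cat in categories.values() for p in cat]
    if not patterns:
        findings.append("config has no file_paths patterns, so nothing is watched")
    for p in patterns:
        if not p.startswith("/"):
            findings.append(f"file_paths pattern {p!r} is not an absolute path")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", FLAGFILE_FROM_ISSUE), ("with event flags", FLAGFILE_WITH_EVENTS)):
        problems = file_events_findings(text, CONFIG_FROM_ISSUE)
        print(f"[{label}] " + ("ok" if not problems else "; ".join(problems)))
```

Run against the flagfile as posted it reports both missing flags; with the two flags appended (the command-line form from the issue) it reports nothing, which is the same split the reply describes between the Orbit-managed osquery and the hand-started osqueryd.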