
`process_file_events` table is almost empty

Open · roon1n opened this issue 2 years ago · 1 comment

Bug report

What operating system and version are you using?

CentOS Linux release 8.5.2111

What version of osquery are you using?

5.7.0

What steps did you take to reproduce the issue?

I ran osquery like this: osqueryi --verbose --audit_allow_config=true --audit_allow_sockets=true --audit_persist=true --disable_audit=false --disable_events=false --config_path /etc/osquery/osquery.conf --audit_allow_fim_events=true --audit_show_partial_fim_events=true

With the following path specified in osquery.conf:

  "file_paths": {
    "my_paths": [
      "/etc/%%"
    ]
  }

Then I tried to catch file modification/creation in /etc: /etc/test.txt (previously created) and /etc/test1.txt (created during the osquery run). I even tried to manually set auditd rules for all needed syscalls and start osqueryi without the --audit_allow_config=true flag; processes and sockets work well, but not FIM. FIM based on inotify works well too, but it's not what I want to use.

What did you expect to see?

Expected to see corresponding events for all operations.

What did you see instead?

The only thing I saw in process_file_events is the "unlink" operation on the previously created file:

+-----------+------+------+------------+-------------+---------+--------------+---------------+-----------+-----+-----+------+------+------+-------+-------+------+------+--------+
| operation | pid  | ppid | time       | executable  | partial | cwd          | path          | dest_path | uid | gid | auid | euid | egid | fsuid | fsgid | suid | sgid | uptime |
+-----------+------+------+------------+-------------+---------+--------------+---------------+-----------+-----+-----+------+------+------+-------+-------+------+------+--------+
| unlink    | 7555 | 6915 | 1675941931 | /usr/bin/rm | false   | /etc/osquery | /etc/test.txt |           | 0   | 0   | 1000 | 0    | 0    | 0     | 0     | 0    | 0    | 3121   |
+-----------+------+------+------------+-------------+---------+--------------+---------------+-----------+-----+-----+------+------+------+-------+-------+------+------+--------+

Still trying to do something, but I can't even catch any write operations on existing files in /etc.

roon1n, Feb 09 '23 12:02

Related to (probably a duplicate): https://github.com/osquery/osquery/issues/8062

lucasmrod, Oct 19 '23 12:10