I am using osquery v4.1.1 to monitor file events on a ubuntu box.
$ osqueryi --line "SELECT version, build, platform FROM os_version;"
version = 16.04.3 LTS (Xenial Xerus)
build =
platform = ubuntu
$ osqueryi --line "SELECT version from osquery_info;"
version = 4.1.1
I am trying to watch all the files within the /etc/ directory, recursively, which has the extension .conf using the following wildcard: /etc/%%/%.conf. But, it also reports any files under /etc/. If I create a file /etc/foo, it created a file event for the CREATED event and others with it.
Minimal config to re-produce:
{
"schedule": {
"file_events": {
"query": "SELECT * FROM file_events",
"interval": "5",
"removed": "false"
}
},
"file_paths": {
"sys": ["/etc/%%/%.conf"]
}
}
These are the file events that I get when I do touch /etc/foo.
{"name":"file_events","hostIdentifier":"<hostname>","calendarTime":"Mon Dec 30 13:56:03 2019 UTC","unixTime":1577714163,"epoch":0,"counter":0,"numerics":false,"columns":{"action":"CREATED","atime":"1577714161","category":"sys","ctime":"1577714161","gid":"0","inode":"389945","mode":"0644","mtime":"1577714161","size":"0","target_path":"/etc/foo","time":"1577714161","uid":"0"},"action":"added"}
{"name":"file_events","hostIdentifier":"<hostname>","calendarTime":"Mon Dec 30 13:56:03 2019 UTC","unixTime":1577714163,"epoch":0,"counter":0,"numerics":false,"columns":{"action":"ATTRIBUTES_MODIFIED","atime":"1577714161","category":"sys","ctime":"1577714161","gid":"0","inode":"389945","mode":"0644","mtime":"1577714161","size":"0","target_path":"/etc/foo","time":"1577714161","uid":"0"},"action":"added"}
{"name":"file_events","hostIdentifier":"<hostname>","calendarTime":"Mon Dec 30 13:56:03 2019 UTC","unixTime":1577714163,"epoch":0,"counter":0,"numerics":false,"columns":{"action":"UPDATED","atime":"1577714161","category":"sys","ctime":"1577714161","gid":"0","inode":"389945","mode":"0644","mtime":"1577714161","size":"0","target_path":"/etc/foo","time":"1577714161","uid":"0"},"action":"added"}
/etc/%%/%.conf even a valid and usable wildcard ?I could find the following function: filesystem.cpp#replaceGlobWildcards() but could not understand what exactly it's trying to do apart from trying to extract the base path with no wildcards.
Also, I know that it uses fnmatch but how does it convert the SQL like pattern to fnmatch compatible expression.
The FIM section of the configuration is a fairly broad set of rules about how to setup the inotify watches. You cannot infix a recursive expansion, this is called out in the documentation
You could use something like /etc/%/%.conf, but that would only get you a single level of search.
I think you have 2 mechanisms to get the result you like.
You could setup FIM to watch all of /etc/%% and then have your query include an appropriate WHERE clause. Perhaps SELECT * FROM file_events WHERE target_path like "%.conf"
Or you could look at the file_paths_query options, and use a sql query to expand the search list. This is also in the documentation