macOS EndpointSecurity FIM -- hidden files + globbed file_paths
Bug report
While implementing sensitive file access monitoring per https://material.security/blog/protecting-the-security-and-privacy-of-our-customers, I ran into an issue where hidden files like `/Users/scavanaugh/.zsh_history` in monitored directories were not being returned by the `es_process_file_events` table, while non-hidden files were being returned.
I was initially attempting to get file access monitoring on `.zsh_history` and `.bash_history` but was unable to get any events to log while performing validation activities. As part of troubleshooting I created a hidden file in a directory I know from previous validations was being monitored properly and activity was generating events; when accessing the hidden file in `/Users/*/.aws/*` did not generate an event, I reached out in the #macos and #fim channels in the osquery Slack.
The file_paths configuration below would return FIM events for the file `/Users/scavanaugh/.aws/credentials`, but not `/Users/scavanaugh/.aws/.foo`.
    file_paths:
      aws:
        - /Users/*/.aws/*
      ssh:
        - /Users/*/.ssh/*
      shell_history:
        - /Users/%/.zsh_history
        - /Users/%/.bash_history
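A coverage audit for a configuration like the one above, added here as an example (it is not the reporter's code and not part of osquery): it expands each file_paths pattern against a directory tree and lists every dot-prefixed file the patterns cover, so each one can be given an explicit validation test the way `/Users/scavanaugh/.foo` was. The matcher is an assumption about the intended semantics (one path component per `%` or `*`, a wildcard component allowed to match a dot-prefixed name, the recursive `%%` form not modeled), not a model of how es_process_file_events actually evaluates patterns. The sample tree is constructed in a temporary directory that stands in for `/`.

```python
import fnmatch
import os
import posixpath
import tempfile

# The file_paths categories from the report, as a dict constructed from the YAML above.
FILE_PATHS = {
    "aws": ["/Users/*/.aws/*"],
    "ssh": ["/Users/*/.ssh/*"],
    "shell_history": ["/Users/%/.zsh_history", "/Users/%/.bash_history"],
}

# Constructed sample tree standing in for a macOS home directory (relative to a temp root).
SAMPLE_FILES = [
    "Users/scavanaugh/.aws/credentials",
    "Users/scavanaugh/.aws/.foo",
    "Users/scavanaugh/.ssh/known_hosts",
    "Users/scavanaugh/.zsh_history",
    "Users/scavanaugh/.bash_history",
    "Users/scavanaugh/Documents/notes.txt",  # outside every configured pattern
]


def matches(pattern, path):
    """Component-wise one-level wildcard match.

    Assumption: both '%' (osquery's file_paths wildcard) and '*' mean "any
    characters within a single path component", and a wildcard component may
    match a dot-prefixed name. The recursive '%%' form is not modeled.
    """
    pattern_parts = pattern.strip("/").split("/")
    path_parts = path.strip("/").split("/")
    if len(pattern_parts) != len(path_parts):
        return False
    return all(
        fnmatch.fnmatchcase(part, pat.replace("%", "*"))
        for part, pat in zip(path_parts, pattern_parts)
    )


def expand_file_paths(config, root):
    """Walk `root` (standing in for '/') and return {category: [matched paths]}."""
    found = {category: [] for category in config}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            for category, patterns in config.items():
                if any(matches(p, rel) for p in patterns):
                    found[category].append(rel)
    for paths in found.values():
        paths.sort()
    return found


def hidden_entries(found):
    """Matched paths whose final component is dot-prefixed: the ones the report
    shows need an explicit validation against es_process_file_events."""
    hidden = {
        path
        for paths in found.values()
        for path in paths
        if posixpath.basename(path).startswith(".")
    }
    return sorted(hidden)


def build_sample_tree(root):
    """Create the constructed SAMPLE_FILES beneath `root`."""
    for rel in SAMPLE_FILES:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as handle:
            handle.write("sample\n")


def run_demo():
    """Build the sample tree in a temp dir; return (matches by category, hidden matches)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        found = expand_file_paths(FILE_PATHS, root)
        return found, hidden_entries(found)


if __name__ == "__main__":
    found, hidden = run_demo()
    for category, paths in found.items():
        print(f"{category}:")
        for path in paths:
            print(f"  {path}")
    print("\ndot-prefixed files under the configured paths; validate each explicitly:")
    for path in hidden:
        print(f"  {path}")
```

Run it against a real home directory by replacing the temporary root with `/` (and dropping the sample tree), then read each listed dotfile with `cat` while the `es_file_events` query is running, as the reporter did; any listed file that yields no row is a gap in the FIM coverage rather than a gap in the configuration.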
What operating system and version are you using?
version = 14.1.2
build = 23B92
platform = darwin
What version of osquery are you using?
version = 5.10.2
What steps did you take to reproduce the issue?
While troubleshooting this with @sharvilshah, I made an explicit file_path entry of `/Users/scavanaugh/.foo` and performed a validation event, and an event was successfully generated and logged.
    {
      "action": "added",
      "calendarTime": "Tue Jan 9 18:23:27 2024 UTC",
      "columns": {
        "dest_filename": "",
        "event_type": "open",
        "filename": "/Users/scavanaugh/.foo",
        "global_seq_num": "69",
        "parent": "99895",
        "path": "/bin/cat",
        "pid": "97373",
        "seq_num": "4",
        "time": "1704824605",
        "version": "7"
      },
      "counter": 1042,
      "epoch": 0,
      "hostIdentifier": "<hostname>",
      "name": "pack/macpack/es_file_events",
      "numerics": false,
      "unixTime": 1704824607
    }
What did you expect to see?
I expected to see FIM events for `.bash_history` and `.zsh_history` when accessed.
What did you see instead?
I did not see any events for the validation activity I performed, which was simply cat'ing the files. This validation activity worked as expected with non-hidden files in FIM-monitored paths/directories.