osquery/osquery

macOS EndpointSecurity FIM -- hidden files + globbed file_paths

Opened this issue · 0 comments

Bug report

While implementing sensitive file access monitoring per https://material.security/blog/protecting-the-security-and-privacy-of-our-customers, I ran into an issue where hidden files like `/Users/scavanaugh/.zsh_history` in monitored directories were not being returned by the `es_process_file_events` table, while non-hidden files were being returned.

I was initially attempting to get file access monitoring on `.zsh_history` and `.bash_history`, but was unable to get any events to log while performing validation activities. As part of troubleshooting I created a hidden file in a directory I know from previous validations was being monitored properly and whose activity was generating events; when accessing the hidden file in `/Users/*/.aws/*` did not generate an event, I reached out in the #macos and #fim channels in the osquery Slack.

The `file_paths` configuration below would return FIM events for the file `/Users/scavanaugh/.aws/credentials`, but not for `/Users/scavanaugh/.aws/.foo`.

file_paths:
  aws:
    - /Users/*/.aws/*
  ssh:
    - /Users/*/.ssh/*
  shell_history:
    - /Users/%/.zsh_history
    - /Users/%/.bash_history

What operating system and version are you using?

version = 14.1.2
build = 23B92
platform = darwin

What version of osquery are you using?

version = 5.10.2

What steps did you take to reproduce the issue?

While troubleshooting this with @sharvilshah, I made an explicit `file_paths` entry of `/Users/scavanaugh/.foo`, performed a validation event, and an event was successfully generated and logged.

{
   action: added
   calendarTime: Tue Jan  9 18:23:27 2024 UTC
   columns: {
     dest_filename:
     event_type: open
     filename: /Users/scavanaugh/.foo
     global_seq_num: 69
     parent: 99895
     path: /bin/cat
     pid: 97373
     seq_num: 4
     time: 1704824605
     version: 7
   }
   counter: 1042
   epoch: 0
   hostIdentifier: <hostname>
   name: pack/macpack/es_file_events
   numerics: false
   unixTime: 1704824607
}

What did you expect to see?

I expected to see FIM events for ".bash_history" and ".zsh_history" when accessed.

What did you see instead?

I did not see any events for the validation activity I performed, which was simply cat'ing the files. This validation activity worked as expected with non-hidden files in FIM-monitored paths/directories.
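The following is an added illustration, not code from the osquery project or from the issue reporter, of the check a practitioner would run before relying on wildcard `file_paths` to cover dotfiles. It assumes nothing about how osquery itself expands its patterns; it only shows, on a constructed directory layout that mirrors the reporter's `/Users/<user>/.aws/{credentials,.foo}`, that a POSIX-style glob expansion (Python's `glob` module, like `glob(3)`) skips names beginning with `.` when matching `*`, whereas a plain `fnmatch` test over a directory walk treats the leading dot like any other character. The difference between the two lists is exactly the set of hidden files a wildcard pattern would silently leave unmonitored, and the explicit dot-pattern mirrors the reporter's workaround of naming the hidden file directly.

```python
import fnmatch
import glob
import os
import tempfile


def make_fixture() -> str:
    """Build a constructed sample tree: <tmp>/scavanaugh/.aws/{credentials,.foo}.

    The user name and file names are taken from the issue; the contents are
    constructed placeholders, not real credentials.
    """
    root = tempfile.mkdtemp(prefix="fim-glob-demo-")
    aws_dir = os.path.join(root, "scavanaugh", ".aws")
    os.makedirs(aws_dir)
    for name in ("credentials", ".foo"):
        with open(os.path.join(aws_dir, name), "w") as fh:
            fh.write("constructed sample\n")
    return root


def glob_matches(root: str, pattern: str) -> list[str]:
    """Paths (relative to root) that a glob(3)-style expansion of pattern yields.

    A '*' component does not match a name starting with '.', so hidden files
    are only returned when the pattern spells the leading dot out explicitly.
    """
    hits = glob.glob(os.path.join(root, pattern))
    return sorted(os.path.relpath(p, root) for p in hits)


def walk_fnmatch(root: str, pattern: str) -> list[str]:
    """Paths (relative to root) whose full relative path satisfies fnmatch(pattern).

    fnmatch has no special case for a leading dot, so this is the set of files
    a reader of the pattern would intuitively expect it to cover.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if fnmatch.fnmatch(rel, pattern):
                hits.append(rel)
    return sorted(hits)


def uncovered_hidden_files(root: str, pattern: str) -> list[str]:
    """Files the pattern appears to cover but a glob expansion would not return.

    This is the list to review when monitoring must include dotfiles such as
    shell history or cloud credential files.
    """
    expected = set(walk_fnmatch(root, pattern))
    actual = set(glob_matches(root, pattern))
    return sorted(expected - actual)


if __name__ == "__main__":
    root = make_fixture()
    pattern = "*/.aws/*"  # analogue of the issue's /Users/*/.aws/* entry
    print("glob expansion:  ", glob_matches(root, pattern))
    print("fnmatch coverage:", walk_fnmatch(root, pattern))
    print("not covered:     ", uncovered_hidden_files(root, pattern))
    print("explicit dotfile:", glob_matches(root, "*/.aws/.foo"))
```

Run it on its own to see that the wildcard expansion returns only `scavanaugh/.aws/credentials`, the walk-plus-fnmatch view returns both files, and naming the hidden file explicitly (`*/.aws/.foo`) makes the glob return it, which is the same shape as the explicit `/Users/scavanaugh/.foo` entry that worked for the reporter.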