Using osquery wildcards for multi-level patterns

I am using osquery v4.1.1 to monitor file events on an Ubuntu box.

$ osqueryi --line "SELECT version, build, platform FROM os_version;"
version = 16.04.3 LTS (Xenial Xerus)
build =
platform = ubuntu
$ osqueryi --line "SELECT version from osquery_info;"
version = 4.1.1

I am trying to watch, recursively, all files in the /etc/ directory with the extension .conf, using the following wildcard: /etc/%%/%.conf. However, it also reports all files under /etc/. If I create a file /etc/foo, it generates a file event for CREATED and for the other events as well.

Minimal configuration to reproduce:

{
  "schedule": {
    "file_events": {
      "query": "SELECT * FROM file_events",
      "interval": "5",
      "removed": "false"
    }
  },
  "file_paths": {
    "sys": ["/etc/%%/%.conf"]
  }
}

These are the file events I get when I run touch /etc/foo:
{"name":"file_events","hostIdentifier":"<hostname>","calendarTime":"Mon Dec 30 13:56:03 2019 UTC","unixTime":1577714163,"epoch":0,"counter":0,"numerics":false,"columns":{"action":"CREATED","atime":"1577714161","category":"sys","ctime":"1577714161","gid":"0","inode":"389945","mode":"0644","mtime":"1577714161","size":"0","target_path":"/etc/foo","time":"1577714161","uid":"0"},"action":"added"}
{"name":"file_events","hostIdentifier":"<hostname>","calendarTime":"Mon Dec 30 13:56:03 2019 UTC","unixTime":1577714163,"epoch":0,"counter":0,"numerics":false,"columns":{"action":"ATTRIBUTES_MODIFIED","atime":"1577714161","category":"sys","ctime":"1577714161","gid":"0","inode":"389945","mode":"0644","mtime":"1577714161","size":"0","target_path":"/etc/foo","time":"1577714161","uid":"0"},"action":"added"}
{"name":"file_events","hostIdentifier":"<hostname>","calendarTime":"Mon Dec 30 13:56:03 2019 UTC","unixTime":1577714163,"epoch":0,"counter":0,"numerics":false,"columns":{"action":"UPDATED","atime":"1577714161","category":"sys","ctime":"1577714161","gid":"0","inode":"389945","mode":"0644","mtime":"1577714161","size":"0","target_path":"/etc/foo","time":"1577714161","uid":"0"},"action":"added"}

Questions:

I can find the following function: filesystem.cpp#replaceGlobWildcards(), but I cannot understand what exactly it is trying to do, other than trying to extract the base path without wildcards.

Also, I know it uses fnmatch, but how does it convert the SQL-like pattern into an fnmatch-compatible expression?

The FIM part of the configuration is a fairly broad set of rules about how to set up inotify watches. You cannot infix recursive expansion; this is called out in the documentation.

You can use something like /etc/%/%.conf, but that only gets you one level of search.

I think you have two mechanisms to get the result you want.

You can set the FIM to watch all of /etc/%%, and then have your query include an appropriate WHERE clause. Perhaps SELECT * FROM file_events WHERE target_path like "%.conf"

Or you can look at the file_paths_query option, and use a SQL query to expand the search list. This is also in the documentation.
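The two mechanisms the answer describes, written out as one complete osquery config; this is an added example, not code from the question or from the osquery project. The `file_paths` entry watches /etc/%% recursively and filters to .conf in the scheduled query; the `file_paths_query` entry assumes, per the osquery documentation, that each query must return a `path` column, and the `conf_query` category name and the `/etc` directory are just the values chosen here.

```json
{
  "schedule": {
    "conf_file_events": {
      "query": "SELECT action, target_path, time FROM file_events WHERE category = 'sys' AND target_path LIKE '%.conf'",
      "interval": "5",
      "removed": "false"
    }
  },
  "file_paths": {
    "sys": ["/etc/%%"]
  },
  "file_paths_query": {
    "conf_query": [
      "SELECT path FROM file WHERE directory = '/etc' AND filename LIKE '%.conf'"
    ]
  }
}
```

SQLite's LIKE is case-insensitive, so the scheduled query also matches a file named foo.CONF; use `target_path GLOB '*.conf'` if the extension match must be exact.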