对多级模式使用osquery通配符

Question

我使用osQueryv4.1.1来监视ubuntu框上的文件事件。

$ osqueryi --line "SELECT version, build, platform FROM os_version;"
version = 16.04.3 LTS (Xenial Xerus)
build =
platform = ubuntu

$ osqueryi --line "SELECT version from osquery_info;"
version = 4.1.1

我试图递归地查看/etc/目录中的所有文件，该目录的扩展名为.conf，使用以下通配符：/etc/%%/%.conf。但是，它也报告了/etc/下的任何文件。如果我创建了一个文件/etc/foo，它就会为CREATED事件和其他带有它的文件事件创建一个文件事件。

要重新生成的最小配置：

{
  "schedule": {
    "file_events": {
      "query": "SELECT * FROM file_events",
      "interval": "5",
      "removed": "false"
    }
  },
  "file_paths": {
    "sys": ["/etc/%%/%.conf"]
  }
}

这些是我在执行touch /etc/foo时得到的文件事件。

{"name":"file_events","hostIdentifier":"<hostname>","calendarTime":"Mon Dec 30 13:56:03 2019 UTC","unixTime":1577714163,"epoch":0,"counter":0,"numerics":false,"columns":{"action":"CREATED","atime":"1577714161","category":"sys","ctime":"1577714161","gid":"0","inode":"389945","mode":"0644","mtime":"1577714161","size":"0","target_path":"/etc/foo","time":"1577714161","uid":"0"},"action":"added"}
{"name":"file_events","hostIdentifier":"<hostname>","calendarTime":"Mon Dec 30 13:56:03 2019 UTC","unixTime":1577714163,"epoch":0,"counter":0,"numerics":false,"columns":{"action":"ATTRIBUTES_MODIFIED","atime":"1577714161","category":"sys","ctime":"1577714161","gid":"0","inode":"389945","mode":"0644","mtime":"1577714161","size":"0","target_path":"/etc/foo","time":"1577714161","uid":"0"},"action":"added"}
{"name":"file_events","hostIdentifier":"<hostname>","calendarTime":"Mon Dec 30 13:56:03 2019 UTC","unixTime":1577714163,"epoch":0,"counter":0,"numerics":false,"columns":{"action":"UPDATED","atime":"1577714161","category":"sys","ctime":"1577714161","gid":"0","inode":"389945","mode":"0644","mtime":"1577714161","size":"0","target_path":"/etc/foo","time":"1577714161","uid":"0"},"action":"added"}

问题：

• /etc/%%/%.conf甚至是一个有效和可用的通配符吗？
• 如果没有，是否有办法实现所需的手表？
• 如果是的话，它为什么不根据全局过滤事件呢？

我可以找到以下函数：filesystem.cpp#replaceGlobWildcards()，但是除了尝试提取没有通配符的基本路径之外，我不知道它到底想做什么。

另外，我知道它使用火柴，但它如何将SQL模式转换为fnmatch兼容表达式。

Answer 1

配置的FIM部分是关于如何设置inotify手表的一组相当广泛的规则。不能插入递归展开，这将在文档中调用。

您可以使用类似于/etc/%/%.conf的东西，但这只会给您提供一个级别的搜索。

我认为你有两个机制来得到你喜欢的结果。

您可以设置FIM来查看所有/etc/%%，然后让查询包含一个适当的WHERE子句。也许是SELECT * FROM file_events WHERE target_path like "%.conf"

或者您可以查看file_paths_query选项，并使用sql展开搜索列表。这也在文档中。