
Osqueryd seems to be missing alerting on updates to nested folders that were moved into the watch file_paths #1969

Open
anoop2811 opened this issue Mar 25, 2016 · 4 comments
Labels
bug debt FIM Related to File Integrity Monitoring with osquery Linux

Comments

@anoop2811

As part of our testing, we wanted the FIM functionality to properly alert on changes that are made to a directory tree which was created outside of the watch directory but subsequently moved into it. However, when we tested, the subdirectory that's under watch and holds the nested tree does not produce any alerts for files added/changed at any depth while inside the watched file path. The osquery.conf looks like this:

{
  "schedule": {
    "file_events": {
      "query": "select * from file_events;",
      "removed": false,
      "interval": 30
    }
  },
  "file_paths": {
    "test": [
      "/test/subdir_test/%%"
    ]
  }
}

Do the following to make sure alerts are showing in the /var/log/messages file:

touch /test/subdir_test/hi1.txt

Do the following to see that the alerts do not show up in /var/log/messages:

cd /test  (note: we are not in the watched dir, which is /test/subdir_test)
mkdir -p subdir1/subdir2/subdir3
mv subdir1 subdir_test  (at this point you would get an alert in the logs for the file moved event)
touch subdir_test/subdir1/hi2.txt
@theopolis theopolis added Linux triage Issue needs to be verified, reproduced and prioritized FIM Related to File Integrity Monitoring with osquery labels Mar 26, 2016
@theopolis theopolis modified the milestone: 1.7.4 Mar 31, 2016
@theopolis theopolis added the debt label Apr 7, 2017
@fmanco fmanco removed this from the 1.7.4 milestone Aug 15, 2018
@fmanco
Contributor

fmanco commented Aug 15, 2018

I can confirm this is still happening on 3.2.6.

@fmanco fmanco added bug and removed triage Issue needs to be verified, reproduced and prioritized labels Aug 15, 2018
@Smjert
Member

Smjert commented Dec 28, 2019

Possibly related to #3212

@directionless
Member

I believe /foo/bar, /foo/bar/, and /foo/bar/%, /foo/bar/%%, are all slightly different. I would not expect trailing % to indicate watching the parent directory.

@Smjert
Member

Smjert commented Oct 24, 2020

@directionless between /foo/bar and /foo/bar/ there's no difference for the inotify logic we have, because the first is normalized to the second:

if (isDirectory(discovered) && discovered.back() != '/') {
  sc->path += '/';
  discovered += '/';
}

Then /foo/bar/% and /foo/bar/%% are indeed different, but they both get /foo/bar monitored (as in the previous examples).
Inotify, though, doesn't recursively monitor folders on its own: when you want to monitor a folder, you create an inotify watch, but it only works for that folder and shows changes to its direct entries, not their contents if they are folders too.
So any other folder that's created or moved into the monitored folder needs a new watch to be added by our own logic.
This happens here:

// inotify will not monitor recursively, new directories need watches.
if (sc->recursive && ec->action == "CREATED" && isDirectory(ec->path)) {
  const_cast<INotifyEventPublisher*>(this)->addMonitor(
      ec->path + '/',
      const_cast<INotifySubscriptionContextRef&>(sc),
      sc->mask,
      true);
}

When a new event should be dispatched to the subscribers, we check if the original subscription watch was meant to be recursive, and if the event is CREATED then we add that new subtree.
And here lies the issue, though: if you move a folder into the monitored path, that event is not a CREATED anymore but a MOVED_TO, which we do not handle.

I made a quick test, and changing the condition to:

if (sc->recursive && (ec->action == "CREATED" || ec->action == "MOVED_TO") && isDirectory(ec->path)) {

seems to work as expected.
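The CREATED-versus-MOVED_TO gap described in the comment above, reproduced in a small added C program that is not osquery's code: it watches a constructed directory under /tmp the way the file_paths entry does, moves in a subtree created outside the watch, touches a file inside that subtree, and counts the inotify events seen for the file, once with the current CREATED-only rule and once with the proposed CREATED-or-MOVED_TO rule. It assumes a Linux kernel with inotify and a writable /tmp; the names needs_watch and demo are this example's own.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

#define MASK (IN_CREATE | IN_MOVED_TO | IN_CLOSE_WRITE)

/* The publisher's decision for each event: does a directory that just appeared
 * need its own watch? handle_moved_to == 0 is the current CREATED-only check,
 * 1 is the proposed CREATED-or-MOVED_TO check. */
static int needs_watch(uint32_t mask, int handle_moved_to) {
    return (mask & IN_ISDIR) &&
           ((mask & IN_CREATE) || (handle_moved_to && (mask & IN_MOVED_TO)));
}

/* Reproduce the report under a constructed /tmp path: mkdir a tree outside the
 * watched directory, mv it in, touch a file inside it. Returns the number of
 * inotify events observed for that file; 0 means FIM would stay silent. */
int demo(int handle_moved_to) {
    char root[64], watched[96], outside[96], moved[128], file[160];
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    snprintf(root, sizeof root, "/tmp/fim_demo_%ld", (long)getpid());
    snprintf(watched, sizeof watched, "%s/subdir_test", root);
    snprintf(outside, sizeof outside, "%s/subdir1", root);
    snprintf(moved, sizeof moved, "%s/subdir1", watched);
    snprintf(file, sizeof file, "%s/hi2.txt", moved);
    mkdir(root, 0700); mkdir(watched, 0700);
    int fd = inotify_init1(IN_NONBLOCK), wd_sub = -1, seen = 0;
    inotify_add_watch(fd, watched, MASK); /* the file_paths entry; inotify itself is not recursive */
    mkdir(outside, 0700);                 /* cd /test; mkdir subdir1 (outside the watch) */
    rename(outside, moved);               /* mv subdir1 subdir_test: queues IN_MOVED_TO|IN_ISDIR */
    ssize_t n = read(fd, buf, sizeof buf);
    for (ssize_t off = 0; off < n;) {     /* dispatch loop: maybe add a watch, like addMonitor() */
        struct inotify_event *ev = (struct inotify_event *)(buf + off);
        if (needs_watch(ev->mask, handle_moved_to)) wd_sub = inotify_add_watch(fd, moved, MASK);
        off += sizeof *ev + ev->len;
    }
    close(creat(file, 0600));             /* touch subdir_test/subdir1/hi2.txt */
    n = read(fd, buf, sizeof buf);        /* -1 (EAGAIN) when nothing was queued */
    for (ssize_t off = 0; off < n;) {
        struct inotify_event *ev = (struct inotify_event *)(buf + off);
        if (ev->wd == wd_sub && ev->len && !strcmp(ev->name, "hi2.txt")) seen++;
        off += sizeof *ev + ev->len;
    }
    close(fd); unlink(file); rmdir(moved); rmdir(watched); rmdir(root);
    return seen;
}
```

demo(0) returns 0 because the moved-in directory never gets a watch, so the file created inside it is invisible; demo(1) returns the IN_CREATE and IN_CLOSE_WRITE events for hi2.txt.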
