对多级模式使用 osquery 通配符

Posted 2023-02-17

【中文标题】对多级模式使用 osquery 通配符

【英文标题】：Using osquery wildcards for multi-level patterns

【发布时间】：2019-12-30 14:30:28

【问题描述】：

我正在使用 osquery v4.1.1 来监控 ubuntu 机器上的文件事件。

$ osqueryi --line "SELECT version, build, platform FROM os_version;"
version = 16.04.3 LTS (Xenial Xerus)
build =
platform = ubuntu

$ osqueryi --line "SELECT version from osquery_info;"
version = 4.1.1

我正在尝试以递归方式查看/etc/ 目录中的所有文件，该目录的扩展名为.conf，使用以下通配符：/etc/%%/%.conf。但是，它还会报告/etc/ 下的所有文件。如果我创建一个文件/etc/foo，它会为CREATED 事件和其他事件创建一个文件事件。

重新生成的最小配置：

  "schedule": 
    "file_events": 
      "query": "SELECT * FROM file_events",
      "interval": "5",
      "removed": "false"
    
  ,
  "file_paths": 
    "sys": ["/etc/%%/%.conf"]
  

这些是我在执行touch /etc/foo 时得到的文件事件。

"name":"file_events","hostIdentifier":"<hostname>","calendarTime":"Mon Dec 30 13:56:03 2019 UTC","unixTime":1577714163,"epoch":0,"counter":0,"numerics":false,"columns":"action":"CREATED","atime":"1577714161","category":"sys","ctime":"1577714161","gid":"0","inode":"389945","mode":"0644","mtime":"1577714161","size":"0","target_path":"/etc/foo","time":"1577714161","uid":"0","action":"added"
"name":"file_events","hostIdentifier":"<hostname>","calendarTime":"Mon Dec 30 13:56:03 2019 UTC","unixTime":1577714163,"epoch":0,"counter":0,"numerics":false,"columns":"action":"ATTRIBUTES_MODIFIED","atime":"1577714161","category":"sys","ctime":"1577714161","gid":"0","inode":"389945","mode":"0644","mtime":"1577714161","size":"0","target_path":"/etc/foo","time":"1577714161","uid":"0","action":"added"
"name":"file_events","hostIdentifier":"<hostname>","calendarTime":"Mon Dec 30 13:56:03 2019 UTC","unixTime":1577714163,"epoch":0,"counter":0,"numerics":false,"columns":"action":"UPDATED","atime":"1577714161","category":"sys","ctime":"1577714161","gid":"0","inode":"389945","mode":"0644","mtime":"1577714161","size":"0","target_path":"/etc/foo","time":"1577714161","uid":"0","action":"added"

问题：

/etc/%%/%.conf 甚至是有效且可用的通配符吗？ 如果没有，有没有办法实现所需的手表？ 如果是，为什么不根据 glob 过滤事件？

我可以找到以下函数：filesystem.cpp#replaceGlobWildcards()，但除了尝试提取没有通配符的基本路径之外，我无法理解它到底在做什么。

另外，我知道它使用fnmatch，但它如何将类似 SQL 的模式转换为 fnmatch 兼容表达式。

【参考方案1】：

配置的 FIM 部分是关于如何设置 inotify 监视的一组相当广泛的规则。你不能中缀递归扩展，这在documentation中被调用

您可以使用 /etc/%/%.conf 之类的名称，但这只会为您提供单级搜索。

我认为你有两种机制可以得到你喜欢的结果。

您可以设置 FIM 来观看所有 /etc/%%，然后让您的查询包含适当的 WHERE 子句。也许SELECT * FROM file_events WHERE target_path like "%.conf"

或者您可以查看file_paths_query 选项，并使用sql 查询来扩展搜索列表。这也在documentation

【讨论】：

我完全错过了/Users/%%/Configuration.conf 不是有效表达式的例子。谢谢你的解释。

没问题！我希望osquery有用

我尝试将file_paths_query 与以下查询一起使用，它按预期工作。 sSELECT path FROM file WHERE (directory LIKE '/etc/%%' OR directory LIKE '/etc/') AND filename LIKE '%.conf';