# FIM with osquery
---
## Quick Recap
- Events: unlike live and scheduled queries, which are point-in-time, events allow us to capture device state changes continuously
- Tables that end in `_events`
- Things to keep in mind:
  - requires configuration
  - platform differences
  - storage and performance considerations
---
## FIM Overview
- FIM: File Integrity Monitoring
- As the name suggests: we want to be able to monitor certain files
- Files such as `ssh` keys, or AWS tokens on disk, etc
---
## FIM Tables
- Two types of FIM tables
  - Type 1: provides information on the files (action, path, timestamp, attributes and the like)
  - Type 2: in addition to the above, provides information on which `process` acted on the file path
---
### FIM Tables
- Type 1 tables:
  - `file_events` (macOS and Linux)
  - `ntfs_journal_events` (Windows)
- Type 2 tables:
  - `process_file_events` (Linux)
  - `es_process_file_events` (macOS)
- We will focus on Type 1 tables in this module
---
### `file_events` configuration
- Broadly needs two types of configuration:
  - flags to enable it (disabled by default)
  - file paths we want to monitor
- REMEMBER: osquery needs to be restarted in order
---
### `file_events` configuration (enabling)
- `--disable_events=false`
  - ensures that events are enabled in osquery
- `--enable_file_events=true`
  - for the `file_events` table (macOS/Linux)
- `--enable_ntfs_event_publisher=true`
  - for the `ntfs_journal_events` table (Windows)
---
### `file_events` configuration (file paths)
- `file_paths` block in the config is how we supply the paths
  - supply a category and the matching file paths
  - will be clearer when we look at the demo
- file paths can support globbing
- files need to exist before they can be monitored
---
### `file_events` configuration (globbing)
- `%` -- match all files and folders for one level
- `%%` -- match all files and folders recursively
- `%abc` -- match all within-level ending in `abc`
- `abc%` -- match all within-level starting with `abc`
- **note** cannot match recursively inside a path (`/tmp/%%/foo.txt` is invalid)
---
### `file_paths` configuration example
```yaml
config:
  options:
    ...
  file_paths:
    etc:
      - /etc/tmp/%
    ssh:
      - /root/.ssh/%%
      - /home/%/.ssh/%%
    tmp:
      - /tmp/%%
```
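The globbing rules and the `file_paths` example above are easy to get subtly wrong (a `%%` in the middle of a path is silently useless). The following Python script is an added example, not part of these slides or of osquery itself: it re-implements the slide's `%` / `%%` / `%abc` / `abc%` semantics as a small pattern checker, runs each category from the config above against a constructed list of sample paths to show what would actually be watched, and emits the flagfile lines plus the `file_paths` block. The matcher is an approximation for reasoning about patterns; osquery resolves them against the real filesystem when it starts, which is why the files need to exist first.

```python
import json
import re

# Constructed sample of paths that might exist on a host (not from the slides).
SAMPLE_PATHS = [
    "/etc/tmp/passwd.bak",
    "/etc/tmp/nested/shadow.bak",   # two levels below /etc/tmp: not matched by /etc/tmp/%
    "/root/.ssh/id_ed25519",
    "/root/.ssh/authorized_keys",
    "/home/alice/.ssh/id_rsa",
    "/home/alice/.ssh/keys/old_rsa",  # matched by /home/%/.ssh/%% because %% is recursive
    "/home/alice/.bashrc",
    "/tmp/build/a.out",
    "/tmp/x.sh",
    "/var/log/auth.log",
]

# The file_paths block from the slide, as the dict osquery would read from JSON.
FILE_PATHS = {
    "etc": ["/etc/tmp/%"],
    "ssh": ["/root/.ssh/%%", "/home/%/.ssh/%%"],
    "tmp": ["/tmp/%%"],
}


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an osquery-style file_paths pattern into an anchored regex.

    %   -> any run of characters within one path component ([^/]*)
    %%  -> anything, recursively (.*), but only as the final component
    Raises ValueError for the invalid form the slide warns about (/tmp/%%/foo.txt).
    """
    parts = pattern.split("/")
    regex_parts = []
    for index, part in enumerate(parts):
        if "%%" in part:
            if part != "%%" or index != len(parts) - 1:
                raise ValueError(f"'%%' must be the last path component: {pattern}")
            regex_parts.append(".*")
        else:
            # Escape literal pieces, then join them with a single-level wildcard.
            regex_parts.append("[^/]*".join(re.escape(piece) for piece in part.split("%")))
    return re.compile("^" + "/".join(regex_parts) + "$")


def matching_paths(pattern: str, paths: list) -> list:
    """Return the sorted subset of `paths` a pattern would cover."""
    regex = pattern_to_regex(pattern)
    return sorted(path for path in paths if regex.match(path))


def coverage_by_category(file_paths: dict, paths: list) -> dict:
    """Map each category to the set of sample paths its patterns would watch."""
    result = {}
    for category, patterns in file_paths.items():
        covered = set()
        for pattern in patterns:
            covered.update(matching_paths(pattern, paths))
        result[category] = sorted(covered)
    return result


def build_flagfile(platform: str) -> str:
    """Flagfile lines from the 'enabling' slide, chosen per platform."""
    lines = ["--disable_events=false"]
    if platform == "windows":
        lines.append("--enable_ntfs_event_publisher=true")
    else:
        lines.append("--enable_file_events=true")
    return "\n".join(lines) + "\n"


def build_config(file_paths: dict) -> str:
    """Validate every pattern, then render the file_paths block as osquery JSON config."""
    for patterns in file_paths.values():
        for pattern in patterns:
            pattern_to_regex(pattern)  # raises on an invalid %% placement
    return json.dumps({"file_paths": file_paths}, indent=2)


if __name__ == "__main__":
    print(build_flagfile("linux"))
    print(build_config(FILE_PATHS))
    for category, covered in coverage_by_category(FILE_PATHS, SAMPLE_PATHS).items():
        print(f"{category}: {covered}")
    try:
        pattern_to_regex("/tmp/%%/foo.txt")
    except ValueError as err:
        print("rejected:", err)
```

Running it shows that `/etc/tmp/%` watches only the direct children of `/etc/tmp`, while the `%%` patterns pick up nested keys as well, and that `/var/log/auth.log` is covered by no category, which is the kind of gap worth checking before shipping a FIM config.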
---
## Demo
---