objective-see / BlockBlock

BlockBlock provides continual protection by monitoring persistence locations.
GNU General Public License v3.0
619 stars 38 forks

[Feature Request] Support monitoring of arbitrary user-defined files #32

Closed clong closed 8 months ago

clong commented 2 years ago

Since BlockBlock is already monitoring a set of pre-defined files/directories and other areas of the OS, it would be an incredible addition if users could choose their own filepaths to monitor on disk as well.

Some examples of paths people might want to monitor on their Macs:

Users could even leverage this to add canary files that look super interesting to an adversary but contain no actual sensitive content!

Successful implementation of this feature request would involve the following:

  1. An expansion of the rules interface. There should be a way that users can enter paths of files they want to monitor and also define a whitelist on a per-filepath basis. For example, only /Applications/Google Chrome.app/Contents/MacOS/Google Chrome should be able to access /Users/*/Library/Application Support/Google/Chrome/Default/Cookies

The most straightforward way to do this would probably be to implement a New Rule button on the rules page that allows you to define a one-to-one or one-to-many mapping of "file to watch" and "whitelisted processes"

  2. It's important that the paths outlined above support wildcards and globbing. For example, to set up a recursive file watch on all hidden files and directories on all users, I should be able to define a rule like: Watch: /Users/*/.** Whitelist: /bin/**

In this case, any attempt to access a hidden file or file inside of a hidden directory in any users' home directory would set off a BlockBlock alert unless the process attempting the access is located in /bin or in a subdirectory of /bin/
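The rule semantics sketched in the request above (a watched path glob plus a per-rule whitelist of process paths, with `*` staying inside one path segment and `**` spanning directories) can be prototyped as a small evaluator. The code below is an added example and is not part of BlockBlock or of this issue; the glob-to-regex translation, the `WatchRule` type, the `evaluate` function and the sample access events are all assumptions constructed here to illustrate the two rules proposed in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a path glob into an anchored regular expression.

    '**' matches any run of characters including '/', so it reaches into
    subdirectories; '*' matches within a single path segment only.
    Every other character is taken literally (spaces included).
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


@dataclass
class WatchRule:
    """One user-defined rule: a path to watch and the processes allowed to touch it."""
    watch: str
    whitelist: List[str] = field(default_factory=list)

    def watches(self, file_path: str) -> bool:
        return glob_to_regex(self.watch).match(file_path) is not None

    def allows(self, process_path: str) -> bool:
        return any(glob_to_regex(p).match(process_path) for p in self.whitelist)


def evaluate(rules: List[WatchRule], file_path: str, process_path: str) -> Optional[str]:
    """Return 'alert', 'allow', or None when no rule watches the file.

    A process must be whitelisted by every rule that covers the file;
    otherwise the access raises an alert.
    """
    matched = [r for r in rules if r.watches(file_path)]
    if not matched:
        return None
    return "allow" if all(r.allows(process_path) for r in matched) else "alert"


# The two rules proposed in the feature request (constructed here as data).
RULES = [
    WatchRule(
        watch="/Users/*/Library/Application Support/Google/Chrome/Default/Cookies",
        whitelist=["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"],
    ),
    WatchRule(watch="/Users/*/.**", whitelist=["/bin/**"]),
]

# Constructed sample access events: (file touched, executable of the process).
SAMPLE_EVENTS = [
    ("/Users/alice/.ssh/id_rsa", "/usr/bin/curl"),
    ("/Users/alice/.ssh/id_rsa", "/bin/ls"),
    ("/Users/alice/Documents/report.txt", "/usr/bin/curl"),
    ("/Users/bob/Library/Application Support/Google/Chrome/Default/Cookies",
     "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"),
    ("/Users/bob/Library/Application Support/Google/Chrome/Default/Cookies",
     "/usr/bin/python3"),
]


def run_demo() -> List[Optional[str]]:
    """Evaluate every sample event and return the verdicts in order."""
    return [evaluate(RULES, f, p) for f, p in SAMPLE_EVENTS]


if __name__ == "__main__":
    for (f, p), verdict in zip(SAMPLE_EVENTS, run_demo()):
        print(f"{verdict or 'unwatched':9}  {p}  ->  {f}")
```

Note that `/Users/*/.**`, read literally, covers hidden entries directly under each home directory (and everything beneath them); a hidden file nested deeper, such as `/Users/alice/Documents/.secret`, would need an additional pattern like `/Users/*/**/.*`. Matching on the executable path alone is also only as strong as the trust in that path, which is why a real implementation would pair it with code-signing checks.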

jchkn commented 2 years ago

great idea!

clong commented 8 months ago

This capability is now in osquery! https://material.security/blog/protecting-the-security-and-privacy-of-our-customers