# fleet
j
Is it possible to target a policy by label? You can by platform; but can I do it via label by putting something in the query maybe?
f
If Fleet, Schedule -> Advanced -> you can schedule a pack against a label:
Screenshot 2024-07-22 at 12.02.00 PM.png
j
huh? I'm in the Policies menu at the top...
I don't see an Advanced option; (or schedule)
f
Sorry, I don't use the policies feature; that was added way after we started using this. We have a custom in-house processor for all of this, so we run our policy queries manually, I suppose you could say. That screenshot is from the top "Schedule" menu.
This seems like a good feature request to maximize the functionality of the policies engine and keep feature parity with the traditional query scheduler.
d
Hey @James, you can currently only scope policies to teams in Fleet. You can limit them to run on certain platforms in the query editor. Do you have a specific workflow in mind where you'd want to use labels to target policies rather than teams? What @FG is referring to is osquery packs, which Fleet supports and can be accessed by appending `/packs` to the end of your Fleet server URL. Packs can be scoped to teams or labels.
j
I have policies that only make sense on certain linux distros
And ones that only make sense on certain hardware
I have those distros/hardware as labels
f
Yeah, that totally makes sense and is a perfect use case for labels. I am agreeing with you that this seems to be a UI capability gap between the traditional Packs targeting and Policies targeting. I haven't created a Feature Request ticket in the project myself, but if one doesn't already exist I would suggest this is a valuable improvement.
In the meantime, if you are blocked, you could at least generate the results you need by scheduling the policy query (may require some tweaking to make it return correctly) as a pack query targeting your label. This will at least unblock you and let you get the results you are looking for.
d
I dug up this feature request which I think is similar to your ask. Feel free to comment to add your own thoughts/use cases: https://github.com/fleetdm/fleet/issues/2238
f
@James, thinking about this a bit more, can you share a specific policy and label combination you ideally could run? I think this could also be achieved today by creating a custom policy in the Fleet UI and applying your label query directly within the policy SQL, so that even though you send that policy "to all hosts", the WHERE clause would only include your desired hosts.
Screenshot 2024-07-25 at 4.26.52 PM.png
Screenshot 2024-07-25 at 4.27.23 PM.png
j
E.g. I want to exclude the disk encryption requirement from Qubes.
f
Do you already have a working label that you use to identify Qubes OS?
j
Yes. For Qubes I use the label query:
```sql
-- Label query: a host is Qubes OS if the qubesdb socket exists
select 1 from file where path = '/var/run/qubes/qubesdb.sock'
```
For now I've modified the disk encryption policy to be:
```sql
-- Pass if the root device is encrypted, OR if the host is Qubes
-- (the label query is embedded so the policy is exempted there).
-- AND binds tighter than OR, so the first two conditions group together.
SELECT 1 FROM disk_encryption
WHERE (encrypted=1 AND name LIKE '/dev/dm-1')
   OR EXISTS (select 1 from file where path = '/var/run/qubes/qubesdb.sock')
```
f
Yeah, that is what I would suggest, so you are effectively still using your label to omit the policy from applying to those hosts. It is not as efficient as using the schedule to not even send the query to those hosts, but it still should work as you want.